Encrypted Hetzner Server

If you want to set up a fully encrypted Debian root server, this post is for you. Try to understand every step we take; use man and Google if you do not understand what a specific command does!

Because of a bug in systemd (#618862) we cannot add multiple encrypted devices to crypttab, so this setup works around the problem by decrypting and mounting /home from rc.local.

Start by installing a Debian system through the Hetzner Robot.

Prepare system

cp /sbin/init /sbin/init.sysv

Open /etc/default/grub with nano and insert:

luks=no

update-grub && update-initramfs -u

Update the system

apt-get update
apt-get dist-upgrade
apt-get install cryptsetup
apt-get install busybox dropbear

Prepare Dropbear

nano /etc/initramfs-tools/initramfs.conf

DROPBEAR=y
BUSYBOX=y

Get the key

If the initramfs was configured with Dropbear and the private/public SSH key pair was generated automatically, do not forget to copy the private key to your workstation, or install your own public key according to the readme.

On the host system:
scp root@server.com:/etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa.initramfs

Inspect the system

# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/md2       1008G  859M  956G   1% /
udev             10M     0   10M   0% /dev
tmpfs           3.2G  8.5M  3.2G   1% /run
tmpfs           7.9G     0  7.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/md3        1.7T   68M  1.7T   1% /home
/dev/md1        488M   35M  428M   8% /boot
tmpfs           1.6G     0  1.6G   0% /run/user/0
# cfdisk
Disk: /dev/sda
Size: 2.7 TiB, 3000592982016 bytes, 5860533168 sectors
Label: gpt, identifier: EBF1417E-77C6-4B2C-BD14-254D4ACC6F71

Device            Start           End         Sectors     Size Type
/dev/sda1         4096       16781311        16777216       8G Linux RAID
/dev/sda2     16781312       17829887         1048576     512M Linux RAID
/dev/sda3     17829888     2165313535      2147483648       1T Linux RAID
/dev/sda4   2165313536     5860533134      3695219599     1.7T Linux RAID
/dev/sda5         2048           4095            2048       1M BIOS boot

This amounts to the following layout:

Dev    RaidDev   MountPoint   CryptDev
sda3   md2       /            root
sda4   md3       /home        home
sda2   md1       /boot        -
sda1   md0       swap         swap

Rescue system

Boot into Rescue system

Use the Hetzner robot to boot into the rescue system

Backup and cryptsetup

Create a folder to temporarily store the old system:
mkdir /oldroot

Mount the old system:
mount /dev/md2 /mnt

Prepare the /home encryption and the keyfile

Setup the home crypt
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/md3

Open it
cryptsetup luksOpen /dev/md3 home

THIS STEP IS OPTIONAL AND CAN BE DONE ON THE FINISHED SYSTEM
dd if=/dev/zero | pv -s 1700G | dd of=/dev/mapper/home bs=2048

Create Filesystem
mkfs.ext4 /dev/mapper/home

Create and setup keyfile
dd if=/dev/urandom of=/mnt/root/keyfile bs=1024 count=4
chmod 0400 /mnt/root/keyfile
cryptsetup luksAddKey /dev/md3 /mnt/root/keyfile

Make a backup of the system

rsync -ah --info=progress2 /mnt/ /oldroot/
umount /mnt

Encrypt /dev/md2 (root)

cryptsetup --cipher aes-xts-plain64 -s 512 --iter-time 5000 luksFormat /dev/md2

You can verify that everything went fine with:
cryptsetup luksDump /dev/md2

LUKS header information for /dev/md2

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	512
MK digest:     	de ad be ef
MK salt:       	de ad be ef
               	de ea be ef
MK iterations: 	83750
UUID:          	5f76b99e-0418-4fb5-a731-201004ede948

Key Slot 0: ENABLED
	Iterations:         	336005
	Salt:               	de ea be ef
	                      	de ea be ef
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
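Rather than reading the dump by eye, it is worth checking it mechanically against the parameters you passed to luksFormat. The following is an added example, not a script from the original post: a POSIX sh function that parses `cryptsetup luksDump` from stdin and reports any mismatch. Note that the root dump above reports a hash spec of sha1, because the root luksFormat command was run without `-h sha512` while the /home one was not; the check takes the expected hash as its argument so that this difference is caught. The sample dump embedded at the bottom is a constructed, abridged copy of the dump above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a LUKS header
# dump against the parameters requested with luksFormat.
# Usage: cryptsetup luksDump /dev/md2 | check_luks_header sha512

# Reads a `cryptsetup luksDump` on stdin; $1 is the hash spec you expect.
# Prints a one-line summary on stdout and returns non-zero on any mismatch.
check_luks_header() {
    want_hash=${1:-sha512}
    cipher='' mode='' bits='' hash='' slots=0
    while IFS= read -r line; do
        # Header fields look like "Label:<whitespace>value"; keep the last word.
        case "$line" in
            'Cipher name:'*)          cipher=${line##*[[:space:]]} ;;
            'Cipher mode:'*)          mode=${line##*[[:space:]]} ;;
            'Hash spec:'*)            hash=${line##*[[:space:]]} ;;
            'MK bits:'*)              bits=${line##*[[:space:]]} ;;
            'Key Slot '*': ENABLED')  slots=$((slots + 1)) ;;
        esac
    done
    rc=0
    [ "$cipher" = aes ]        || { echo "cipher '$cipher', expected aes" >&2; rc=1; }
    [ "$mode" = xts-plain64 ]  || { echo "mode '$mode', expected xts-plain64" >&2; rc=1; }
    [ "$bits" = 512 ]          || { echo "master key $bits bits, expected 512" >&2; rc=1; }
    [ "$hash" = "$want_hash" ] || { echo "hash spec '$hash', expected $want_hash" >&2; rc=1; }
    [ "$slots" -ge 1 ]         || { echo "no enabled key slots" >&2; rc=1; }
    echo "$cipher $mode $bits $hash slots=$slots"
    return $rc
}

# Constructed sample: an abridged copy of the root dump above (placeholder digest).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/md2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      de ad be ef
UUID:           5f76b99e-0418-4fb5-a731-201004ede948

Key Slot 0: ENABLED
        Iterations:             336005
Key Slot 1: DISABLED
EOF
}

# Stand-alone run: the sample passes when sha1 is expected and fails for sha512.
sample_dump | check_luks_header sha1
sample_dump | check_luks_header sha512 || echo "root header does not match the /home parameters" >&2
```

On the live system replace `sample_dump` with `cryptsetup luksDump /dev/md2`; if the hash spec is not what you intended, the cheapest fix is to reformat before copying the backup into the new root.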

Open the root volume
cryptsetup luksOpen /dev/md2 root

THIS STEP IS OPTIONAL AND CAN BE DONE ON THE FINISHED SYSTEM
dd if=/dev/zero | pv -s 1008G | dd of=/dev/mapper/root bs=2048

Create Filesystem
mke2fs -t ext4 /dev/mapper/root
tune2fs -i 6m -e remount-ro -c 50 /dev/mapper/root

Reinstall system

mkdir /newroot
mount /dev/mapper/root /newroot
rsync -ah --info=progress2 /oldroot/ /newroot/

Before we can chroot into the new system we need some special file systems and the boot file system mounted inside it. These are needed so that the grub and initramfs reinstall work.

mount /dev/md1 /newroot/boot
mount --bind /dev /newroot/dev
mount --bind /sys /newroot/sys
mount --bind /proc /newroot/proc

Final touches

chroot /newroot

in /etc/fstab:

/dev/mapper/root /     ext4 defaults  0 2
/dev/mapper/home /home ext4 noauto    0 0
/dev/mapper/swap none  swap sw,noauto 0 0

You should also comment out the swap entry in /etc/crypttab:

# root /dev/md/0 none luks

update-initramfs -u
update-grub
grub-install /dev/sda

Tell the system to set up swap, mount /home and restart the network on every boot:

nano /etc/rc.local

cryptsetup -c serpent -h sha512 -d /dev/urandom create swap /dev/md0
mkswap /dev/mapper/swap
swapon /dev/mapper/swap

cryptsetup luksOpen /dev/md3 home --key-file=/root/keyfile
mount /dev/mapper/home /home

/sbin/ifdown --force eth0
/sbin/ifup --force eth0
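The rc.local above runs the three jobs unconditionally, so a second run (or a manual `sh /etc/rc.local` for testing) tries to recreate an existing mapping, and a keyfile that has lost its 0400 mode is used without complaint. The following is an added example of the same script made idempotent with a permission check on the keyfile; it is not the original post's rc.local. The device names (/dev/md0, /dev/md3), the keyfile path /root/keyfile and the interface eth0 are the ones used in this post; the `mapped`, `keyfile_ok` and `main` helpers are my own.

```shell
#!/bin/sh
# Added example (not the original post's rc.local): same three jobs as the
# rc.local above, made safe to run more than once.

KEYFILE=/root/keyfile   # keyfile created with dd and luksAddKey above
HOME_DEV=/dev/md3       # RAID device holding the encrypted /home
SWAP_DEV=/dev/md0       # RAID device used as swap
IFACE=eth0

# True if a device-mapper target of this name already exists.
mapped() {
    [ -e "/dev/mapper/$1" ]
}

# Accept the keyfile only if it is a regular file readable by root alone
# (mode 400 or 600). Uses GNU stat, as on Debian.
keyfile_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Plain dm-crypt swap with a fresh random key on every boot, as in the post.
setup_swap() {
    mapped swap && return 0
    cryptsetup -c serpent -h sha512 -d /dev/urandom create swap "$SWAP_DEV" || return 1
    mkswap /dev/mapper/swap >/dev/null || return 1
    swapon /dev/mapper/swap
}

# Unlock /home with the keyfile and mount it, skipping steps already done.
open_home() {
    keyfile_ok "$KEYFILE" || { echo "rc.local: keyfile $KEYFILE missing or too permissive" >&2; return 1; }
    mapped home || cryptsetup luksOpen "$HOME_DEV" home --key-file="$KEYFILE" || return 1
    mountpoint -q /home || mount /dev/mapper/home /home
}

restart_network() {
    /sbin/ifdown --force "$IFACE"
    /sbin/ifup --force "$IFACE"
}

main() {
    setup_swap      || echo "rc.local: swap setup failed" >&2
    open_home       || echo "rc.local: /home not mounted" >&2
    restart_network || echo "rc.local: network restart failed" >&2
    exit 0
}

# Run only when executed as /etc/rc.local; sourcing the file just defines the functions.
case "$0" in */rc.local) main ;; esac
```

Each failure is logged to stderr (which systemd collects in the journal) and the script still exits 0, so a broken /home never blocks the rest of the boot; you can then log in and inspect the state with `cryptsetup status home`.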

Almost done

Exit chroot: exit

Unmount the system
umount /newroot/boot
umount /newroot/proc
umount /newroot/sys
umount /newroot/dev
umount /newroot

sync

reboot


New System

Start the server

To start the server, send the LUKS passphrase of the root volume to the initramfs through Dropbear:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/id_rsa.initramfs" root@server.com "echo -ne \"PASSWORTfuerROOT\" >/lib/cryptsetup/passfifo"
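Putting the passphrase on the ssh command line, as above, leaves it in the client's shell history and exposes it to `ps` on the client while ssh runs. The following is an added example, not part of the original post: a small script that reads the passphrase from the terminal with echo off (or from stdin when piped) and streams it to the same /lib/cryptsetup/passfifo over the same pinned key and known_hosts file. The script name `unlock-server.sh`, the variables `IDENTITY` and `KNOWN_HOSTS`, and the helper names are my own assumptions; the remote side only needs `cat`, which busybox provides.

```shell
#!/bin/sh
# Added example (not from the original post): unlock the root volume over
# Dropbear without exposing the passphrase in the process list or history.

PASSFIFO=/lib/cryptsetup/passfifo                          # as in the post
IDENTITY=${IDENTITY:-$HOME/id_rsa.initramfs}               # copied with scp above
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts.initramfs}

# Read one line without echo when stdin is a terminal; print it without a
# trailing newline, matching the `echo -ne` in the post.
read_passphrase() {
    if [ -t 0 ]; then
        printf 'LUKS passphrase for %s: ' "$1" >&2
        stty -echo
        IFS= read -r pass
        stty echo
        echo >&2
    else
        IFS= read -r pass
    fi
    printf '%s' "$pass"
}

# Pipe the passphrase (stdin) into the passfifo on host $1. The separate
# known_hosts file pins the initramfs host key, which differs from the one
# of the booted system.
send_passphrase() {
    ssh -o "UserKnownHostsFile=$KNOWN_HOSTS" -i "$IDENTITY" \
        "root@$1" "cat > $PASSFIFO"
}

unlock() {
    read_passphrase "$1" | send_passphrase "$1"
}

# Run only when invoked as the script itself, so the file can also be sourced.
case "${0##*/}" in unlock-server.sh) unlock "${1:?usage: unlock-server.sh HOST}" ;; esac
```

Run it as `./unlock-server.sh server.com`; the passphrase never appears as an argument, only on the encrypted SSH channel.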

Fill disk with random data

The following step is optional but recommended. It fills both encrypted volumes completely, so that anything left on the underlying partitions that might still be recoverable is overwritten; because the zeros pass through dm-crypt, what lands on disk is indistinguishable from random data.

Fill up / and /home with two gigantic files:
dd if=/dev/zero of=/foofile bs=1M
dd if=/dev/zero of=/home/foofile bs=1M

and remove them again:
rm /foofile /home/foofile

If the system doesn’t boot

Order a LARA (KVM) session from the Robot.
Add init=/sbin/init.sysv as a boot parameter.

This can be done in the grub menu for a single boot: press "e" in the grub menu and add this to the kernel line. For example, depending on the options required for your particular system, it might look something like:

/boot/grub/grub.cfg
linux /vmlinuz-3.13-1-amd64 root=/dev/mapper/root-root init=/sbin/init.sysv ro quiet

These are the sites that helped me with my setup and this post: