How to enable full disk encryption with LVM on Hetzner
Overview
A guide to full disk encryption with Logical Volume Manager (LVM) on a Hetzner dedicated server. Below is a high-level overview of the steps involved:
- Boot into the Hetzner rescue system
- Create custom configs for the `installimage` command to use
- Reboot the system and enter the decryption key via Dropbear
Caveats
- This guide uses a single pre-shared passphrase. If that is not flexible enough and you need several keys able to decrypt the drive, LUKS supports this through its additional key slots (added with `cryptsetup luksAddKey` after installation); that setup is not covered here
- If the server reboots, human intervention is required to unlock the disk. There are ways to make a server reboot-safe, but they are not covered in this guide
- The drive layout is LVM on top of an encrypted partition, with `/boot` left unencrypted so the bootloader can load the kernel and initramfs. Nothing in `/boot` (kernel, initramfs, the Dropbear host key inside it) is protected by the passphrase, so it can be tampered with by anyone who gets write access to the disk. Many other configurations are possible, each with its own pros and cons; this guide only covers this one
- Ubuntu is used in this guide; other distributions are not covered
Guide
- The first step is to reboot the machine into the Hetzner rescue system. You can do that from the web interface at https://robot.hetzner.com/server
- When activating the rescue system, make sure to add your public key so you can log in; otherwise use the password Hetzner generated for you during that process
- Copy your public key onto the server, either with `scp` or by pasting it into an editor:
scp ~/.ssh/id_rsa.pub root@YOUR_HOST:/tmp/authorized_keys
- Create `/tmp/setup.conf`, which we will later pass to `installimage`, with the following content:
CRYPTPASSWORD your_password_goes_here
HOSTNAME your_hostname_goes_here
IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys
BOOTLOADER grub
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
IPV4_ONLY no
USE_KERNEL_MODE_SETTING no
PART /boot ext4 1024M
PART lvm vg0 all crypt
LV vg0 root / ext4 10G
LV vg0 swap swap swap 4G
LV vg0 tmp /tmp ext4 5G
LV vg0 home /home ext4 60G
- Use the above config as a rough template and modify it to your own needs. Note that `CRYPTPASSWORD` is written in clear text to this file on the rescue system; the rescue system runs from memory and is discarded at reboot, but you can still `shred` the file once `installimage` has finished
- To set up Dropbear, create a file `/tmp/post-install.sh` that `installimage` will run at the end of the installation, with the following content (newer dropbear-initramfs packages, i.e. Ubuntu releases after 22.04, read their keys from `/etc/dropbear/initramfs/` rather than `/etc/dropbear-initramfs/`, so adjust that path if you use another image):
#!/bin/bash
# Hetzner's DHCP advertises the gateway as an RFC 3442 classless static
# route, so the dhclient exit hook that installs such routes has to be
# present inside the initramfs; without it the initramfs has no default
# route and Dropbear cannot be reached.
add_rfc3442_hook() {
cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh
PREREQ=""
prereqs()
{
echo "\$PREREQ"
}
case \$1 in
prereqs)
prereqs
exit 0
;;
esac
if [ ! -x /sbin/dhclient ]; then
exit 0
fi
. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions
mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF
chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}
# The netplan config generated from the initramfs network setup is left in
# /run/netplan and creates unwanted routes in the booted system; remove it
# in init-bottom, just before the real init takes over.
remove_unwanted_netplan_config() {
cat << EOF > /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
#!/bin/sh
if [ -d "/run/netplan" ]; then
interface=\$(ls /run/netplan/ | cut -d'.' -f1)
if [ \${interface:+x} ]; then
rm -f /run/netplan/"\${interface}".yaml
fi
fi
EOF
chmod +x /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
}
# Install rfc3442 hook
add_rfc3442_hook
# Adding an initramfs-tools script to remove /run/netplan/{interface}.yaml,
# because it is creating unwanted routes
remove_unwanted_netplan_config
# Copy the SSH keys installimage placed in /root/.ssh/authorized_keys (from
# SSHKEYS_URL) so Dropbear in the initramfs accepts the same keys
mkdir -p /etc/dropbear-initramfs/
cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/
# Install cryptsetup and Dropbear initramfs support; the package install
# rebuilds the initramfs, picking up the hooks and keys above
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs
- Make the file executable:
chmod +x /tmp/post-install.sh
- Run `installimage` with the custom configs:
installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh
- Reboot once the installation has finished
- After the reboot, `ssh` into the box (Dropbear in the initramfs listens on port 22 by default) and run `cryptroot-unlock`. You will be prompted for your passphrase; once the root volume is unlocked, the boot continues and the installed system's SSH daemon takes over. Dropbear in the initramfs uses its own host key, distinct from the installed system's OpenSSH host key, so your client will warn about a changed host key when switching between the two; keep a separate known_hosts entry for the initramfs (for example via `-o HostKeyAlias=` and `-o UserKnownHostsFile=`) rather than disabling host-key checking
- Everything should now be complete
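A post-install check for the layout built above, added here as an example and not part of the original guide or of Hetzner's tooling: it walks the block-device stack reported by `lsblk` and confirms that every mounted filesystem and the swap area sit on top of a dm-crypt device, with only `/boot` allowed in clear text. It assumes `lsblk` from util-linux supports the `-P` key/value output and the `PKNAME` column. The sample `lsblk` lines are constructed to mirror this guide's setup.conf (two disks in RAID1, `md0` as plaintext `/boot`, `md1` under LUKS carrying the `vg0` volume group); the device names are illustrative, not captured from a real host.

```bash
#!/bin/bash
# check_layout reads `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output on stdin
# and prints either "OK" or one "UNENCRYPTED <mountpoint> on <device>" line per
# mounted device whose ancestry contains no "crypt" device. Exit status 0 = OK.
# $1: space-separated list of mount points allowed in clear text (default /boot).
check_layout() {
  awk -v allowed="${1:-/boot}" '
    NF == 0 { next }
    {
      # lsblk -P prints KEY="value" pairs; split on quote-space, then on =".
      split("", f)
      n = split($0, kv, "\" ")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=\"")
        if (eq == 0) continue
        k = substr(kv[i], 1, eq - 1)
        v = substr(kv[i], eq + 2)
        sub("\"$", "", v)
        f[k] = v
      }
      name = f["NAME"]
      if (name == "") next
      ktype[name] = f["TYPE"]
      # an md RAID device is listed once per member; any path upwards will do
      if (f["PKNAME"] != "") parent[name] = f["PKNAME"]
      if (f["MOUNTPOINT"] != "") mount[name] = f["MOUNTPOINT"]
    }
    END {
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
      bad = 0
      for (d in mount) {
        m = mount[d]
        if (m in ok) continue
        enc = 0
        # walk up the stack until a dm-crypt device or a parentless disk
        for (p = d; p != ""; p = parent[p])
          if (ktype[p] == "crypt") { enc = 1; break }
        if (!enc) { printf "UNENCRYPTED %s on %s\n", m, d; bad = 1 }
      }
      if (!bad) print "OK"
      exit bad
    }'
}

# Live check on the installed server (no root needed for lsblk).
check_live() {
  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | check_layout "/boot"
}

# Constructed sample mirroring the guide's layout (not captured from a real host).
SAMPLE_GUIDE='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="md0" TYPE="raid1" MOUNTPOINT="/boot" PKNAME="sda1"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="md1" TYPE="raid1" MOUNTPOINT="" PKNAME="sda2"
NAME="luks-md1" TYPE="crypt" MOUNTPOINT="" PKNAME="md1"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-md1"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-md1"
NAME="vg0-tmp" TYPE="lvm" MOUNTPOINT="/tmp" PKNAME="luks-md1"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="luks-md1"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="" PKNAME="sdb"
NAME="md0" TYPE="raid1" MOUNTPOINT="/boot" PKNAME="sdb1"
NAME="sdb2" TYPE="part" MOUNTPOINT="" PKNAME="sdb"
NAME="md1" TYPE="raid1" MOUNTPOINT="" PKNAME="sdb2"'

# Same host, but /home mistakenly placed on a plain partition outside LUKS
# (what a stray "PART /home ext4 ..." line in setup.conf would produce).
SAMPLE_LEAK=$(printf '%s\n' "$SAMPLE_GUIDE" |
  sed 's|^NAME="vg0-home".*|NAME="sda3" TYPE="part" MOUNTPOINT="/home" PKNAME="sda"|')

if [ "${1:-}" = "--live" ]; then
  check_live
else
  printf '%s\n' "$SAMPLE_GUIDE" | check_layout
  printf '%s\n' "$SAMPLE_LEAK" | check_layout || echo "(exit $?: fix setup.conf before trusting this host)"
fi
```

Run it with `--live` on the freshly unlocked server; the default run exercises the two constructed samples and should report `OK` for the guide's layout and flag `/home` in the leaky one. Swap is deliberately not in the allowed list: a clear-text swap area can hold pages of the LUKS master key and anything else that was in memory, which is why this guide keeps it inside `vg0`.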