Remotely Installing a Fully-Encrypted Debian Server
So you’ve just rented a new server in some random data center from one of the popular hosting providers. You don’t have physical access to the machine, but you rely on your data being stored securely on it. You probably want to encrypt the entire system, even the swap partition. The server needs to be able to decrypt the filesystems to boot, but you don’t want the encryption key to be accessible to it, so nobody with physical access can access your data or even tamper with it.
If you’re installing a remote server, chances are you’ve been given access to a rescue system or installer shell via SSH. The following how-to guides you through a basic Debian bootstrapping process, which you can start from almost any rescue image or even another existing Linux installation. The goal is to set up a Linux system with RAID and LVM sitting on top. The entire system will be encrypted and is only remotely unlockable.
You don’t have to follow my advice when it comes to partitioning or using LVM: feel free to come up with your own disk layout! To keep this guide simple though, we will assume you’re running a server with two disks, which we will use to create RAID-1 arrays. Create two partitions on each disk: one will be used for /boot (512M would be sufficient) and one for the LVM (rest of disk). Do NOT create a swap partition. We want our swap to be encrypted, hence we will create a logical volume for it inside the LVM.
Set up two RAID arrays, one for /boot (our first partition on each disk) and one for the LVM (the second partition).
mdadm --create /dev/md0 --auto md --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm --create /dev/md1 --auto md --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
mkfs.ext3 /dev/md0
Before creating our actual data volumes we need to initialize cryptsetup:
cryptsetup luksFormat /dev/md1
cryptsetup luksOpen /dev/md1 cryptroot
Let’s create a new LVM inside the cryptroot:
pvcreate /dev/mapper/cryptroot
vgcreate vg0 /dev/mapper/cryptroot
lvcreate -L 32G -n swap vg0
lvcreate -l 100%FREE -n root vg0
mkfs.ext4 /dev/vg0/root
mkswap /dev/vg0/swap
See this guide (from paragraph D.3.3) from the Debian documentation for detailed information on how to bootstrap a Debian install. The bare minimum involves the following steps:
mount /dev/vg0/root /mnt
debootstrap --arch amd64 stretch /mnt http://deb.debian.org/debian
LANG=C.UTF-8 chroot /mnt /bin/bash
export TERM=xterm-color
apt install makedev
mount none /proc -t proc
cd /dev
MAKEDEV generic
Edit /etc/fstab and add your filesystems, for this example:
/dev/vg0/root  /      ext4  defaults  0  1
/dev/md0       /boot  ext3  defaults  0  2
/dev/vg0/swap  none   swap  sw        0  0
proc           /proc  proc  defaults  0  0
Edit /etc/adjtime and add:
0.0 0 0.0
0
UTC
Edit /etc/resolv.conf to match your network / IP configuration.
If you want to, you can also set a root password now:
Now exit the chroot and bind-mount /dev, /sys and /proc before entering the chroot again:
exit
mount /dev/md0 /mnt/boot
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
LANG=C.UTF-8 chroot /mnt /bin/bash
Now we can install the kernel and other required software to boot up:
apt install locales linux-image-amd64 busybox dropbear mdadm lvm2 cryptsetup grub-pc ssh
We need to make sure SSH works correctly:
/etc/ssh/sshd_config and set
yes. Make sure to add your SSH pubkey to /root/.ssh/authorized_keys as well as
/etc/initramfs-tools/initramfs.conf and set
We also need to change
/etc/crypttab and add the following line:
cryptroot /dev/md1 none luks
Last but not least, we need to set up GRUB as the boot loader:
update-initramfs -u
update-grub
grub-install /dev/sda
grub-install /dev/sdb
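A mistake in /etc/fstab or /etc/crypttab only shows up after the reboot, when the machine is no longer reachable, so it is worth checking both files while still inside the chroot. The following is an added example, not part of the original guide: the function name check_layout is hypothetical, the names vg0 and cryptroot are the ones used above, and the demo files at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-reboot check of the
# fstab and crypttab written in the chroot. The VG name vg0 and the mapping
# name cryptroot come from the guide; check_layout is a hypothetical name.

# check_layout FSTAB CRYPTTAB [VG] [MAPPING]
# Prints one line per problem and returns the number of problems found.
check_layout() {
    fstab=$1; crypttab=$2; vg=${3:-vg0}; mapping=${4:-cryptroot}
    problems=$(
        # Every block device except /boot must live inside the encrypted VG
        # or be a device-mapper target; raw partitions and md arrays are not.
        awk -v vg="$vg" '
            /^[ \t]*(#|$)/ { next }
            $1 ~ /^\/dev\// && $2 != "/boot" &&
            index($1, "/dev/" vg "/") != 1 && index($1, "/dev/mapper/") != 1 {
                printf "fstab: %s (%s, %s) is not on encrypted storage\n", $1, $2, $3
            }' "$fstab"
        # The mapping must exist, be LUKS, and use none as its key file so the
        # passphrase is typed at unlock time instead of being read from disk.
        awk -v m="$mapping" '
            /^[ \t]*(#|$)/ { next }
            $1 == m {
                seen = 1
                if ($3 != "none") printf "crypttab: %s reads its key from %s\n", m, $3
                if (("," $4 ",") !~ /,luks,/) printf "crypttab: %s lacks the luks option\n", m
            }
            END { if (!seen) printf "crypttab: no entry for %s\n", m }' "$crypttab"
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return $(( $(printf '%s\n' "$problems" | wc -l) ))
}

# Constructed demo: a swap entry on a raw partition is reported.
demo=$(mktemp -d)
printf '%s\n' '/dev/vg0/root / ext4 defaults 0 1' '/dev/sda3 none swap sw 0 0' >"$demo/fstab"
printf '%s\n' 'cryptroot /dev/md1 none luks' >"$demo/crypttab"
check_layout "$demo/fstab" "$demo/crypttab" || echo "problems: $?"
rm -rf "$demo"
```

Inside the chroot, run it as check_layout /etc/fstab /etc/crypttab; a return value of 0 means both files match the layout built above.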
We’re done! Exit the chroot, unmount the filesystems and reboot the machine:
exit
umount /mnt/boot /mnt/proc /mnt/sys /mnt/dev
umount /mnt
sync
shutdown -r now
Login to decrypt root
Wait for your server to reboot and launch the dropbear SSH daemon. You must now connect to it and unlock the encrypted filesystem so it can continue to boot:
ssh root@yourserver
cryptroot-unlock
Let the system finish booting
Your SSH connection will be disconnected and the system continues boot-up with the encrypted root unlocked.
Congratulations, you’ve just bootstrapped a fully encrypted Debian server! Don’t forget that you need to manually unlock the machine every time the system boots up from now on. Do not lose the SSH key required to connect to the machine or, even worse, the LUKS key required to unlock your filesystems.