Full disk encrypted Ubuntu on Kimsufi server

@mlesyk   2019-08-16 12:09   Linux, Hosting  
Tags: linux, ubuntu, kimsufi, luks, guide

I'm a big fan of the affordable dedicated hosting provider Kimsufi.
For a very reasonable price you can have your very own dedicated server.
Unfortunately, the Kimsufi installer does not offer a LUKS-encrypted installation, so we have to do it ourselves.

As the outcome of this guide we will have an installed Ubuntu 18.04 LTS system with the following features:

  1. Full disk encryption using LUKS.
  2. No LVM used - honestly, I think adding another layer of abstraction on a single-disk server does not make any sense, so we will encrypt the raw volume.
  3. Remote unlock ability via the Dropbear SSH server.

WARNING! This guide will delete the existing data on your server. Please make backups first.

Prerequisites

Before we start, please ensure you have the following:

  1. A backup of your data.
  2. SSH keys created on your workstation, and you know how to use them.

Booting server in rescue mode

  1. Click on the Netboot button in your server Control Panel.
  2. Click on the Rescue button in the pop-up window.
  3. Select the rescue64-pro image from the Rescue available drop-down list.
  4. Click the Next button.
  5. Click the Confirm button.
  6. Click the Restart button to the left of the Netboot button.

Good! After a couple of minutes you should receive an email from Kimsufi with a temporary root password for the server.
After logging in over SSH with these credentials, we are in rescue mode!

This is the final warning! The following actions are irreversible and will erase your data!

1. Wipe the information about all file systems on the disk. Execute the following command in the shell:
wipefs -a /dev/sda
2. Create the disk layout. It will look like this:

[512MiB boot partition | Remaining space partition]
Execute command:

# Create MBR layout
parted -a optimal /dev/sda mklabel msdos
# Create first 512MiB partition
parted /dev/sda -a optimal mkpart primary 0% 512MiB
# Create partition in remaining disk space
parted /dev/sda -a optimal mkpart primary 512MiB 100%
# Set first partition as bootable
parted /dev/sda set 1 boot on

Installing necessary packages

Execute command:

apt update && apt install -y cryptsetup lvm2 ubuntu-archive-keyring

We will use debootstrap for the manual installation of Ubuntu 18.04 (Bionic).
Unfortunately, the debootstrap shipped with rescue64-pro does not support Ubuntu 18.04, so we have to install a fresh debootstrap manually.
Execute command:

wget http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.115_all.deb && dpkg -i debootstrap*.deb && rm -f debootstrap*.deb

Creating file systems and encrypted partition

1. Create a file system for the boot partition.

Execute command:

mkfs.ext4 /dev/sda1
2. Create the encrypted volume:

Note: the cryptsetup(8) man page explains the -s (key size) and -c (cipher) parameters used below.

Execute command:

cryptsetup -q -s 512 -c aes-xts-plain64 luksFormat /dev/sda2

and enter your passphrase for encryption.

3. Get and write down the UUID of the encrypted volume - it will be used later.

Execute command:

cryptsetup luksDump /dev/sda2 | grep UUID | awk '{print $2}'

and save the string (it looks like 78aa5a97-a9c4-4680-9c93-36a2d74f8a51) somewhere.

4. Open the encrypted volume.

Execute command:

cryptsetup luksOpen /dev/sda2 root
5. Create a filesystem on the opened encrypted volume.

Execute command:

mkfs.ext4 /dev/mapper/root

Mount the resulting partitions

1. Mount the root partition

Execute command:

mount /dev/mapper/root /mnt
2. Mount the boot partition

Execute command:

mkdir /mnt/boot && mount /dev/sda1 /mnt/boot

Bootstrap Ubuntu into the mounted partitions

Execute command:

debootstrap --arch amd64 bionic /mnt http://archive.ubuntu.com/ubuntu

Mount system partitions before chrooting into the freshly bootstrapped Ubuntu

Execute command:

mount -o bind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys

Chroot into Ubuntu

Execute command:

chroot /mnt /bin/bash

Save the UUID of the encrypted volume into crypttab

<SAVED_UUID> is the string we saved earlier, which looks like 78aa5a97-a9c4-4680-9c93-36a2d74f8a51.
Execute command:

echo "root UUID=<SAVED_UUID> none luks" > /etc/crypttab

For example, the command can look like: echo "root UUID=78aa5a97-a9c4-4680-9c93-36a2d74f8a51 none luks" > /etc/crypttab

Create a new fstab

Execute command:

cat << EOF > /etc/fstab
/dev/mapper/root / ext4 defaults,relatime 0 1
/dev/sda1 /boot ext4 defaults,relatime 0 2
EOF

Execute command:

ln -sf /proc/mounts /etc/mtab

Install the ifupdown package

Execute command:

apt update && apt install -y ifupdown

Set up network interfaces and hostname resolution

1. Prepare the following variables:

a. <hostname> - the hostname for the server, for example myserver
b. <domain> - the domain for the server, for example example.org

2. Execute the commands (using the variables from step 1):
cat << EOF > /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF

cat << EOF > /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

echo "<hostname>" > /etc/hostname

echo "127.0.1.1 <hostname>.<domain> <hostname>" >> /etc/hosts

Set up time zone

Execute command:

echo "UTC" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata

Set up default package repositories

Execute command:

cat << EOF > /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-backports main multiverse restricted universe
EOF

Execute command:

cat << EOF > /etc/apt/apt.conf.d/999aptsettings
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF

Install necessary packages

Note: when asked where to install the bootloader, select the /dev/sda device - the first one in the list.

Execute command:

apt update && apt install -y busybox console-setup cryptsetup dropbear grub-pc initramfs-tools kbd linux-image-generic-hwe-18.04 linux-tools-generic-hwe-18.04 locales ssh

Set up SSH keys

<PUBLIC_SSH_KEY> is your public SSH key; it should look like:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp/Rvlf+prdX0F6gYxDCIKwX4pfvS6eVVUqz8fes3cUX2Z1uJ4eqBbQJK1TK9D21PuQNNDkhWEcq8fBVYG7bxJn0EanWAOc39yhNVB23Vg+O9iDcQTJVr7mSnwc3+HUBwDbHMCiFqpDbuxxi8VE1XoHR6vVxhGqW9ORyBUFdwl7vVuMkIdw93Sq4nT/dlLIUz/MhAklmbDRdjZRpjTUybYrf4Pk9iM/gEIMfKOT2GCImRia1Ao8UpetdExCu8RJ8/2n+AMns1sJ77kmL4bH3jwH+hx5yUMHGYaeYHBb3MsV3/dhHQ1LF3ynBb50wv/Pzmo6wTQcfrBpvAorXObvopt

Execute command:

mkdir -p /root/.ssh && chmod 700 /root/.ssh
echo "<PUBLIC_SSH_KEY>" > /root/.ssh/authorized_keys
echo "<PUBLIC_SSH_KEY>" > /etc/dropbear-initramfs/authorized_keys

[Optional] Set up password login

Set root password:
Execute command:

passwd

and enter your password.

Allow dropbear to accept passwords:
Execute command:

sed -i 's/local flags=\"Fs\"/local flags=\"F\"/' /usr/share/initramfs-tools/scripts/init-premount/dropbear

cat << EOF > /etc/initramfs-tools/hooks/passwd_hook.sh
#!/bin/sh

PREREQ=""
prereqs()
{
echo "\$PREREQ"
}
case \$1 in
    prereqs)
        prereqs
        exit 0
    ;;
esac

grep -e '^root:' /etc/shadow > \${DESTDIR}/etc/shadow
EOF

chmod +x /etc/initramfs-tools/hooks/passwd_hook.sh

Set up network support in the bootloader and adjust network interface names

Execute command:

sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ip=:::::eth0:dhcp"/g' /etc/default/grub
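Before regenerating the initramfs it is worth checking that the files written inside the chroot agree with each other: a typo in the crypttab UUID, a mapper name that differs between crypttab and fstab, or a missing ip= parameter leaves the server unbootable until you netboot rescue mode again. The script below is an added example, not part of the original guide; it assumes the /dev/sda2 partition and the mapper name root used above, and uses cryptsetup luksUUID to read the UUID from the device.

```shell
#!/bin/sh
# Pre-reboot consistency check for the chroot configuration built in this guide.
# Added example, not part of the original post. Each check_* function takes file
# CONTENTS as its argument so it can be exercised on constructed text; run_preflight
# reads the real files and compares crypttab with the UUID cryptsetup reports.

# Constructed sample inputs (the UUID is the one quoted in the guide).
SAMPLE_UUID='78aa5a97-a9c4-4680-9c93-36a2d74f8a51'
SAMPLE_CRYPTTAB="root UUID=$SAMPLE_UUID none luks"
SAMPLE_FSTAB='/dev/mapper/root / ext4 defaults,relatime 0 1
/dev/sda1 /boot ext4 defaults,relatime 0 2'
SAMPLE_GRUB='GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ip=:::::eth0:dhcp"'

# 0 if crypttab ($1) maps the mapper name $2 to exactly the LUKS UUID $3.
check_crypttab() {
    got=$(printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name && $2 ~ /^UUID=/ { sub("UUID=", "", $2); print $2; exit }')
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# 0 if fstab ($1) mounts /dev/mapper/$2 at /.
check_fstab() {
    printf '%s\n' "$1" | awk -v dev="/dev/mapper/$2" \
        '$1 == dev && $2 == "/" { found = 1 } END { exit !found }'
}

# 0 if GRUB_CMDLINE_LINUX ($1 is /etc/default/grub) disables predictable interface
# names and passes an ip= setting for eth0; without both, the initramfs has no
# network and dropbear never becomes reachable.
check_grub() {
    line=$(printf '%s\n' "$1" | grep '^GRUB_CMDLINE_LINUX=') || return 1
    printf '%s\n' "$line" | grep -q 'net\.ifnames=0' || return 1
    printf '%s\n' "$line" | grep -q 'ip=[^"]*eth0'
}

# Run every check against the live files inside the chroot.
run_preflight() {
    dev=${1:-/dev/sda2}
    luks_uuid=$(cryptsetup luksUUID "$dev") || { echo "$dev is not a LUKS device"; return 1; }
    check_crypttab "$(cat /etc/crypttab)" root "$luks_uuid" || { echo "crypttab UUID does not match $dev"; return 1; }
    check_fstab "$(cat /etc/fstab)" root || { echo "fstab does not mount /dev/mapper/root at /"; return 1; }
    check_grub "$(cat /etc/default/grub)" || { echo "GRUB_CMDLINE_LINUX lacks net.ifnames=0 or ip=...eth0"; return 1; }
    echo "preflight OK: safe to run update-grub && update-initramfs -u"
}

# Usage inside the chroot: sh preflight.sh --run /dev/sda2
if [ "${1:-}" = "--run" ]; then run_preflight "${2:-}"; fi
```

Run it with --run inside the chroot right before the update-grub step; any failure message points at the file that needs correcting.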

Update grub and initramfs images

Execute command:

update-grub && update-initramfs -u

Exiting chroot

Execute command:

exit
umount /mnt/{boot,dev,proc,sys}
umount /mnt
cryptsetup luksClose root

Booting the server back from the hard drive

  1. Click on the Netboot button in your server Control Panel.
  2. Click on the Hard disk button in the pop-up window.
  3. Click the Next button.
  4. Click the Confirm button.
  5. Execute the command in the still-open rescue SSH console:
reboot

Remotely unlocking the encrypted volume

1. SSH to your server as root from your workstation (the one that has your public SSH key).
2. Type the command:
cryptroot-unlock

and enter your passphrase.

Congratulations!

Now you are inside your full-disk-encrypted server.
From now on, every time the server reboots, you will need to SSH to it and execute cryptroot-unlock in order to continue its boot process.
Enjoy!
