@mlesyk
2019-08-16 12:09
Linux,
Hosting
linux
ubuntu
kimsufi
luks
guide
I’m a big fan of the affordable dedicated hosting provider Kimsufi. For a very reasonable price you can have your very own dedicated server. Unfortunately, the Kimsufi installer does not offer a LUKS-encrypted installation of the system, so we have to do it ourselves.

As the outcome of this guide we will have an installed Ubuntu 18.04 LTS system with the following features:
WARNING! This guide will delete the existing data on your server. Please make backups first.

Before we start, please ensure you have the following things:
1. Click the Netboot button in your server Control Panel.
2. Click the Rescue button in the pop-up window.
3. Select the rescue64-pro image from the "Rescue available" drop-down list. See the image below:
4. Click the Next button.
5. Click the Confirm button.
6. Click the Restart button to the left of the Netboot button.

Good! After a couple of minutes you should receive an email from Kimsufi with your temporary root password for the server. After logging in via SSH with these credentials, we are in Rescue mode!
This is the final warning! The following actions are irreversible and will erase your data!

Execute command:
```sh
wipefs -a /dev/sda
```

Target partition layout: [512MiB boot partition | Remaining space partition]
Execute command:
```sh
# Create MBR layout
parted -a optimal /dev/sda mklabel msdos
# Create first 512MiB partition
parted /dev/sda -a optimal mkpart primary 0% 512MiB
# Create partition in remaining disk space
parted /dev/sda -a optimal mkpart primary 512MiB 100%
# Set first partition as bootable
parted /dev/sda set 1 boot on
```
Execute command:
```sh
apt update && apt install -y cryptsetup lvm2 ubuntu-archive-keyring
```
We will use debootstrap for the manual installation of Ubuntu 18.04 (Bionic). Unfortunately, the debootstrap shipped with rescue64-pro does not support Ubuntu 18.04, so we have to install a fresh debootstrap manually.

Execute command:
```sh
wget http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.115_all.deb && dpkg -i debootstrap*.deb && rm -f debootstrap*.deb
```
Execute command:
```sh
mkfs.ext4 /dev/sda1
```
Note: there is a nice explanation of the cryptsetup parameters (linked from the original post).
Execute command:
```sh
cryptsetup -q -s 512 -c aes-xts-plain64 luksFormat /dev/sda2
```
and enter your passphrase for encryption.
Execute command:
```sh
cryptsetup luksDump /dev/sda2 | grep UUID | awk '{print $2}'
```
and save the string it prints (it looks like 78aa5a97-a9c4-4680-9c93-36a2d74f8a51) somewhere.
Execute command:
```sh
cryptsetup luksOpen /dev/sda2 root
```
Execute command:
```sh
mkfs.ext4 /dev/mapper/root
```
Execute command:
```sh
mount /dev/mapper/root /mnt
```
Execute command:
```sh
mkdir /mnt/boot && mount /dev/sda1 /mnt/boot
```
Execute command:
```sh
debootstrap --arch amd64 bionic /mnt http://archive.ubuntu.com/ubuntu
```
Execute command:
```sh
mount -o bind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
```
Execute command:
```sh
chroot /mnt /bin/bash
```
<SAVED_UUID> is the string we saved earlier, i.e. it looks like 78aa5a97-a9c4-4680-9c93-36a2d74f8a51.

Execute command:
```sh
echo "root UUID=<SAVED_UUID> none luks,initramfs" > /etc/crypttab
```
For example, the command can look like:
```sh
echo "root UUID=78aa5a97-a9c4-4680-9c93-36a2d74f8a51 none luks,initramfs" > /etc/crypttab
```
Execute command:
```sh
cat << EOF > /etc/fstab
/dev/mapper/root / ext4 defaults,relatime 0 1
/dev/sda1 /boot ext4 defaults,relatime 0 2
EOF
```
Execute command:
```sh
ln -sf /proc/mounts /etc/mtab
```
Execute command:
```sh
apt update && apt install -y ifupdown
```
Replace the placeholders in the following command:

a. <hostname> - hostname for the server, for example, myserver
b. <domain> - domain for the server, for example, example.org

```sh
cat << EOF > /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
cat << EOF > /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
echo "<hostname>" > /etc/hostname
echo "127.0.1.1 <hostname>.<domain> <hostname>" >> /etc/hosts
```
Execute command:
```sh
echo "UTC" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata
```
Execute command:
```sh
cat << EOF > /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-backports main multiverse restricted universe
EOF
```
Execute command:
```sh
cat << EOF > /etc/apt/apt.conf.d/999aptsettings
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
```
Note: when asked where to install the bootloader, select the /dev/sda device, the first one in the list.

Execute command:
```sh
apt update && apt install -y busybox console-setup cryptsetup dropbear dropbear-initramfs cryptsetup-initramfs grub-pc initramfs-tools kbd linux-image-generic-hwe-18.04 linux-tools-generic-hwe-18.04 locales ssh
```
Execute command:
```sh
grub-install /dev/sda
```
The <PUBLIC_SSH_KEY> variable is your public SSH key; it should look like:
```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp/Rvlf+prdX0F6gYxDCIKwX4pfvS6eVVUqz8fes3cUX2Z1uJ4eqBbQJK1TK9D21PuQNNDkhWEcq8fBVYG7bxJn0EanWAOc39yhNVB23Vg+O9iDcQTJVr7mSnwc3+HUBwDbHMCiFqpDbuxxi8VE1XoHR6vVxhGqW9ORyBUFdwl7vVuMkIdw93Sq4nT/dlLIUz/MhAklmbDRdjZRpjTUybYrf4Pk9iM/gEIMfKOT2GCImRia1Ao8UpetdExCu8RJ8/2n+AMns1sJ77kmL4bH3jwH+hx5yUMHGYaeYHBb3MsV3/dhHQ1LF3ynBb50wv/Pzmo6wTQcfrBpvAorXObvopt
```
Execute command:
```sh
mkdir /root/.ssh && chmod 600 /root/.ssh
echo "<PUBLIC_SSH_KEY>" > /root/.ssh/authorized_keys
echo "<PUBLIC_SSH_KEY>" > /etc/dropbear-initramfs/authorized_keys
```
Set the root password. Execute command:
```sh
passwd
```
and enter your password.
Allow dropbear to accept passwords. Execute command:
```sh
sed -i 's/local flags=\"Fs\"/local flags=\"F\"/' /usr/share/initramfs-tools/scripts/init-premount/dropbear
cat << EOF > /etc/initramfs-tools/hooks/passwd_hook.sh
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "\$PREREQ"
}
case \$1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# Copy root's entry from /etc/shadow into the initramfs so dropbear can check the password
grep -e root /etc/shadow > \${DESTDIR}/etc/shadow
EOF
chmod +x /etc/initramfs-tools/hooks/passwd_hook.sh
```
Execute command:
```sh
sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ip=:::::eth0:dhcp"/g' /etc/default/grub
```
Execute command:
```sh
update-grub && update-initramfs -u
```
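Before leaving the chroot and closing the LUKS device it is worth checking the files written above, because a typo in /etc/crypttab or a missing ip= setting leaves you with a remote server that never finishes booting and has to be put into rescue mode again. The script below is an added example and is not part of the original post: it checks the guide's own files (/etc/crypttab, /etc/fstab, /etc/default/grub and /etc/dropbear-initramfs/authorized_keys) against the layout the guide assumes (/dev/sda1 on /boot, /dev/sda2 mapped to /dev/mapper/root). The root directory and the container UUID are passed in as arguments; inside the chroot that is `run_checks / "$(cryptsetup luksUUID /dev/sda2)"`. `cryptsetup luksUUID` is a real cryptsetup subcommand; all function names are this example's own.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the chroot built in this guide.
# Added example, not from the original post. Assumes the guide's layout:
# /dev/sda1 = /boot, /dev/sda2 = LUKS container mapped as "root".

# uuid_ok UUID: true when UUID has the 8-4-4-4-12 hex form cryptsetup prints.
uuid_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# has_option OPTS NAME: true when the comma-separated OPTS contains NAME.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab_ok LINE UUID: true when LINE maps "root" to UUID=UUID and carries
# the "luks" and "initramfs" options, so the initramfs asks for the passphrase.
crypttab_ok() {
    want=$2
    set -- $1
    [ "$#" -ge 4 ] || return 1
    [ "$1" = "root" ] || return 1
    [ "$2" = "UUID=$want" ] || return 1
    has_option "$4" luks && has_option "$4" initramfs
}

# fstab_ok FILE: true when FILE mounts /dev/mapper/root on / and /dev/sda1 on /boot.
fstab_ok() {
    grep -Eq '^/dev/mapper/root[[:space:]]+/[[:space:]]+ext4' "$1" 2>/dev/null &&
    grep -Eq '^/dev/sda1[[:space:]]+/boot[[:space:]]+ext4' "$1" 2>/dev/null
}

# grub_cmdline_ok FILE: true when GRUB_CMDLINE_LINUX carries the ip= setting
# that brings up eth0 in the initramfs so dropbear is reachable.
grub_cmdline_ok() {
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null) || return 1
    case "$line" in
        *"ip=:::::eth0:dhcp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys_ok FILE: true when FILE holds at least one public key line,
# i.e. dropbear will accept key-based login before the root FS is unlocked.
authorized_keys_ok() {
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+' "$1" 2>/dev/null
}

# report NAME RESULT: print one line per check and count failures.
report() {
    printf '%-22s %s\n' "$1" "$2"
    [ "$2" = ok ] || failed=$((failed + 1))
}

# run_checks ROOT UUID: run every check against the tree rooted at ROOT
# (use / inside the chroot) with UUID from `cryptsetup luksUUID /dev/sda2`.
# Returns the number of failed checks, so 0 means "safe to reboot".
run_checks() {
    root=$1
    uuid=$2
    failed=0
    uuid_ok "$uuid" && r=ok || r=FAIL
    report "uuid format" "$r"
    crypttab_ok "$(head -n 1 "$root/etc/crypttab" 2>/dev/null)" "$uuid" && r=ok || r=FAIL
    report "crypttab" "$r"
    fstab_ok "$root/etc/fstab" && r=ok || r=FAIL
    report "fstab" "$r"
    grub_cmdline_ok "$root/etc/default/grub" && r=ok || r=FAIL
    report "grub cmdline" "$r"
    authorized_keys_ok "$root/etc/dropbear-initramfs/authorized_keys" && r=ok || r=FAIL
    report "dropbear keys" "$r"
    return "$failed"
}

# Run directly: ./precheck.sh / "$(cryptsetup luksUUID /dev/sda2)"
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

The exit status is the number of failed checks, so it can gate the `exit`/`umount`/`luksClose` step in a script. Note that passwd_hook.sh above copies root's /etc/shadow entry into the initramfs, which lives on the unencrypted /boot partition (/dev/sda1); the key in /etc/dropbear-initramfs/authorized_keys is therefore the credential this check treats as mandatory, and the password login is only a fallback.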
Execute command:
```sh
exit
umount /mnt/{boot,dev,proc,sys}
umount /mnt
cryptsetup luksClose root
```
Switch the server back to booting from its hard disk and reboot into the new system:

1. Click the Netboot button in your server Control Panel.
2. Click the Hard disk button in the pop-up window.
3. Click the Next button.
4. Click the Confirm button.
5. Execute reboot.
6. ssh to the server as the root user from your workstation (the one which has your public SSH key).
7. Execute cryptroot-unlock and enter your password.

Now you are inside your full-disk encrypted server. From now on, every time the server reboots, you will need to ssh to it and execute the cryptroot-unlock command in order to continue its boot process.

Enjoy!