In this tutorial I’ll walk you through setting up Debian 12 with LUKS full disk encryption on a server bought from the Hetzner auction. I’m using the recommended method, the “installimage” script that Hetzner provides, which keeps things really easy.

Enter the rescue mode

  • Log in to the Robot (robot.hetzner.com) and go to the “Server” page.
  • Click on “Server” > “Key Management” > “New Key”, add your public key and click “Add Key”.
  • Click on “Server” and click your server and choose the “Rescue” tab.
  • Select your “Public key” and click “Activate Rescue System”.
  • Now click on the “Reset” tab and choose “Execute an automatic hardware reset” and click “Send”.
  • Wait about 60 seconds (the duration depends on the hardware) for the server to reboot into the rescue system.
  • Use an SSH client to connect with username “root” to the IP address of your server.

Installation instructions

Add your public keys to the rescue system by opening the file in an editor and pasting the public keys in:

nano /root/.ssh/authorized_keys

Copy the public keys to a location that can be used by the installer:

cp /root/.ssh/authorized_keys /tmp/authorized_keys

Create a “post-install.sh” file:

nano /tmp/post-install.sh

And fill it with the following content:

#!/bin/bash
set -e
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs
# Give dropbear in the initramfs the same keys installimage placed in /root/.ssh
cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/
# Rebuild the initramfs so the copied keys actually end up inside it
update-initramfs -u

Make the file executable:

chmod +x /tmp/post-install.sh

Now run the installer interactively, passing the “post-install.sh” script:

installimage -x /tmp/post-install.sh

An editor opens with the installation configuration; add the following line (use your own passphrase):

CRYPTPASSWORD yoursecretpassphrase

Also adjust the HOSTNAME line to match your hostname (and set the matching reverse DNS entry in the Robot):

HOSTNAME yourhostname.yourdomain.com

Adjust the line:

PART / ext4 all

And add the word “crypt” so that it becomes:

PART / ext4 all crypt

Now add an “SSHKEYS_URL” line to specify where the public keys are located:

SSHKEYS_URL /tmp/authorized_keys
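Before letting installimage wipe the disk it is worth sanity-checking the two things that decide whether you can unlock the server remotely afterwards: the authorized_keys file that will be copied into the initramfs, and the configuration lines described above. The script below is an added example, not part of the original post and not part of Hetzner’s installimage. It assumes you keep the configuration in a file (for instance because you paste it into the editor from a notes file) and that the stock config contains a separate PART /boot line that stays unencrypted, which GRUB needs because it cannot read the kernel and initramfs from the encrypted root. The file paths, the list of accepted key types and the message texts are my own.

```shell
#!/bin/sh
# Added example, not from the original post and not part of Hetzner's installimage.
# Pre-flight checks for the remote-unlock setup before the disk is wiped:
# the authorized_keys that end up inside the initramfs, and the installimage
# config lines from the walkthrough. File paths are assumptions; pass your own.

# Accepted OpenSSH public key line: "<type> <base64 blob> [comment]".
# The key-type list is an assumption; lines with a leading options field
# (no-pty,command="..." etc.) are deliberately rejected to keep the
# initramfs keys plain and easy to review.
PUBKEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]].*)?$'

# Succeeds only if the file holds at least one valid key and no other
# non-blank, non-comment line. A malformed or empty file means dropbear
# accepts nobody, and the server can then only be unlocked from the rescue
# system or the remote console.
check_authorized_keys() {
    file="$1"
    if [ ! -s "$file" ]; then
        echo "authorized_keys missing or empty: $file" >&2
        return 1
    fi
    good=$(grep -Ec "$PUBKEY_RE" "$file" || true)
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | grep -Evc "$PUBKEY_RE" || true)
    if [ "$good" -lt 1 ] || [ "$bad" -ne 0 ]; then
        echo "$file: $good valid key(s), $bad unusable line(s)" >&2
        return 1
    fi
    return 0
}

# Verifies the config lines the walkthrough asks for, plus one thing it
# relies on implicitly: a separate PART /boot that is NOT marked crypt,
# because GRUB must load the kernel and initramfs from an unencrypted
# partition (the stock Hetzner config has such a line; assumption).
check_installimage_config() {
    conf="$1"
    if ! grep -Eq '^[[:space:]]*CRYPTPASSWORD[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "$conf: CRYPTPASSWORD line missing" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*HOSTNAME[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "$conf: HOSTNAME line missing" >&2; return 1
    fi
    # "PART / <fs> <size> crypt": the root partition must carry the crypt flag
    if ! grep -Eq '^[[:space:]]*PART[[:space:]]+/[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+crypt([[:space:]]|$)' "$conf"; then
        echo "$conf: PART / ... is not marked crypt" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*PART[[:space:]]+/boot[[:space:]]' "$conf"; then
        echo "$conf: no separate PART /boot line" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*PART[[:space:]]+/boot[[:space:]].*[[:space:]]crypt([[:space:]]|$)' "$conf"; then
        echo "$conf: /boot must not be marked crypt" >&2; return 1
    fi
    # SSHKEYS_URL: when it is a local path, validate the file it points to
    keys=$(sed -nE 's/^[[:space:]]*SSHKEYS_URL[[:space:]]+([^[:space:]]+).*/\1/p' "$conf" | head -n 1)
    if [ -z "$keys" ]; then
        echo "$conf: SSHKEYS_URL line missing" >&2; return 1
    fi
    case "$keys" in
        /*) check_authorized_keys "$keys" || return 1 ;;
    esac
    return 0
}

# Usage: sh preflight.sh /path/to/installimage.conf   (file name is an assumption)
# With no argument the script only defines the functions.
if [ "$#" -gt 0 ]; then
    if check_installimage_config "$1"; then
        echo "config and keys look usable: $1"
    else
        echo "fix the issues above before running installimage" >&2
        exit 1
    fi
fi
```

Remember that the config file contains the CRYPTPASSWORD in plain text, so keep it mode 0600 on the rescue system and delete it once the installation is done.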

Press “Esc” and save the file on exit; the installer then begins. Wait until it shows:

INSTALLATION COMPLETE

Now you can reboot the server from the command line using the “reboot” command:

reboot

After waiting 60 seconds for the server to reboot, you can connect to dropbear running in the initramfs:

ssh root@yourhostname.yourdomain.com

You may see a host key warning and have to remove the stale entry from known_hosts. This can happen repeatedly, because the host key of dropbear matches neither the key of the rescue image nor the key of your normal SSH server:

ssh-keygen -f "/home/maurits/.ssh/known_hosts" -R "yourhostname.yourdomain.com"
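Deleting the known_hosts entry at every reboot trains you to click through exactly the warning that would announce a man-in-the-middle. Since the initramfs and the fully booted system are effectively two different SSH servers on the same address, a cleaner setup gives the unlock step its own host alias and its own known_hosts file, so each host key is pinned once and checked strictly afterwards. The script below is an added example, not part of the original post; the alias name, hostname, file paths and the dropbear host key path in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps the dropbear (initramfs)
# host key and the normal system host key apart on the client side, so ssh
# pins both instead of asking you to delete an entry at every reboot.
# Alias name, hostname and paths are assumptions; pass your own.

# Emit an ssh_config stanza for the unlock alias. HostKeyAlias makes ssh
# store and look up the key under the alias, UserKnownHostsFile keeps it in
# its own file, and accept-new pins the key on first contact and is strict
# on every later connection.
unlock_stanza() {
    alias_name="$1"   # e.g. yourhostname-unlock
    real_host="$2"    # e.g. yourhostname.yourdomain.com
    kh_file="$3"      # e.g. ~/.ssh/known_hosts_initramfs
    printf 'Host %s\n' "$alias_name"
    printf '    HostName %s\n' "$real_host"
    printf '    User root\n'
    printf '    HostKeyAlias %s\n' "$alias_name"
    printf '    UserKnownHostsFile %s\n' "$kh_file"
    printf '    StrictHostKeyChecking accept-new\n'
    # The initramfs shell only needs to run cryptroot-unlock; forward nothing.
    printf '    ForwardAgent no\n'
    printf '    ForwardX11 no\n'
}

# Append the stanza to an ssh config file once. Returns 0 when added,
# 1 when a "Host <alias>" block is already present (nothing is changed).
install_unlock_stanza() {
    cfg="$1"; alias_name="$2"; real_host="$3"; kh_file="$4"
    if [ -f "$cfg" ] && grep -Eq "^[[:space:]]*Host[[:space:]]+$alias_name([[:space:]]|$)" "$cfg"; then
        return 1
    fi
    { [ -s "$cfg" ] && printf '\n'; unlock_stanza "$alias_name" "$real_host" "$kh_file"; } >>"$cfg"
    chmod 0600 "$cfg"
}

# Usage (names are assumptions):
#   install_unlock_stanza ~/.ssh/config box-unlock yourhostname.yourdomain.com ~/.ssh/known_hosts_initramfs
#   ssh box-unlock                          # BusyBox prompt: run cryptroot-unlock
#   ssh root@yourhostname.yourdomain.com    # the booted system, pinned in ~/.ssh/known_hosts
# After the first unlock, confirm the pinned initramfs key against the server:
#   client: ssh-keygen -lf ~/.ssh/known_hosts_initramfs
#   server: dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
# The SHA256 fingerprints must match; if they ever change without you having
# reinstalled the initramfs packages, stop and investigate before unlocking.
```

With this in place the normal system’s key lives in the default known_hosts and the initramfs key in its own file, so neither connection ever asks you to remove the other’s entry.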

You land in a BusyBox shell; type “cryptroot-unlock” to unlock the disk:

cryptroot-unlock

Now enter the passphrase you chose earlier. After a correct passphrase you get disconnected and the system boots up normally.

Your installation is complete and your system is up and running.