disk-encryption-hetzner

Alternative approach using installimage

Open ghost opened this issue 2 years ago • 2 comments

We noticed there's an easier way to install Hetzner dedicated servers with encrypted HDDs/SSDs, using Hetzner's own installimage system. Basically it is described in https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption with Ubuntu instead of Debian :)

These instructions use only a single disk. If your server has multiple ones, you can use something like

DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1

in /tmp/setup.conf.

The image for Debian is

IMAGE /root/images/Debian-1101-bullseye-amd64-base.tar.gz

(also change that in /tmp/setup.conf).

The /tmp/post-install.sh script shown in that blog post works fine for Debian as well.

The only caveat is that the SSH keys you put into /tmp/authorized_keys will afterwards be used both for unlocking and for regular login on the server. I put the unlocking SSH key in there and used it to first log in to the real system, and then changed the SSH key for that one to another.

ghost, Mar 17 '22 07:03
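The key-reuse caveat in the comment above can be checked after installation. The following is an added example, not part of the original comment or of the Hetzner tutorial: it lists public keys that appear in both the unlock key file and the login key file. The function names are hypothetical and the default paths are assumptions based on the Debian bullseye dropbear-initramfs layout; pass your own paths if they differ.

```shell
#!/bin/sh
# Added example (not from the thread): find SSH public keys that are accepted
# both for the pre-boot unlock and for normal login.
# ASSUMPTION: default paths follow the Debian bullseye dropbear-initramfs layout.

# Print "keytype blob" for each key in an authorized_keys file, ignoring
# commented lines, leading options and the trailing comment field.
key_blobs() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+)$/) {
                    print $i, $(i + 1)
                    next
                }
        }
    ' "$1" | LC_ALL=C sort -u
}

# Print every key that is present in both files (one "keytype blob" per line).
shared_keys() {
    unlock_file=${1:-/etc/dropbear-initramfs/authorized_keys}
    login_file=${2:-/root/.ssh/authorized_keys}
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 2
    key_blobs "$unlock_file" > "$tmp_a"
    key_blobs "$login_file" > "$tmp_b"
    LC_ALL=C comm -12 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Return 0 when the two key sets are disjoint, 1 when at least one key is shared.
check_key_separation() {
    shared=$(shared_keys "$@")
    if [ -n "$shared" ]; then
        printf 'Keys valid for both unlock and login:\n%s\n' "$shared" >&2
        return 1
    fi
    return 0
}

# Run the check only when file paths are given on the command line.
[ $# -eq 0 ] || check_key_separation "$@"
```

Keys are compared by type and base64 blob, so a key is still reported when its options or comment differ between the two files.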

That's a good one, thanks for the heads up in the right direction.

TheReal1604, Apr 01 '22 07:04

This is a pretty nice no-brainer and works with bullseye 11.01 as expected.

This is a little help if you want to use LVM (e.g. with Proxmox):

PART /boot ext3 512M
PART lvm   vg0   all crypt

LV vg0 root /    ext4  20G
LV vg0 swap swap swap   4G

razorness, Apr 08 '22 12:04