disk-encryption-hetzner
Alternative approach using installimage
We noticed there's an easier way to install Hetzner dedicated servers with encrypted HDDs/SSDs, using Hetzner's own installimage system. Basically it is described in https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption with Ubuntu instead of Debian :)
These instructions use only a single disk; if your server has multiple ones, you can use something like
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
in /tmp/setup.conf.
The image for Debian is
IMAGE /root/images/Debian-1101-bullseye-amd64-base.tar.gz
(also change that in /tmp/setup.conf).
The /tmp/post-install.sh script shown in that blog post works fine for Debian as well.
The only caveat is that the SSH keys you put into /tmp/authorized_keys will afterwards be used both for unlocking and for regular login on the server. I put the unlocking SSH key in there and used it to first log in to the real system, and then changed the SSH key for that one to another.
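One way to check for the key-reuse caveat described above, as an added example that is not part of the original comment or of Hetzner's tutorial: it lists every public key that is authorized both for the unlock shell and for regular login. The function names are hypothetical, and the default paths (/etc/dropbear-initramfs/authorized_keys and /root/.ssh/authorized_keys) are assumptions for a Debian bullseye system with dropbear-initramfs.

```shell
#!/bin/sh
# Added example: list SSH public keys authorized for BOTH the initramfs unlock
# shell and regular login. Default paths are assumptions (Debian bullseye with
# dropbear-initramfs, root login); pass your own paths as arguments.

# key_blobs FILE: print "type base64" per key, skipping comments, blank lines,
# leading options (no-port-forwarding, command="...") and trailing comments.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)$/) {
                    print $i, $(i + 1)
                    next
                }
        }
    ' "$1" | sort -u
}

# shared_keys [UNLOCK_FILE [LOGIN_FILE]]: print keys found in both files.
# Returns 0 if there is no overlap, 1 if a key is shared, 2 on unreadable input.
shared_keys() {
    unlock=${1:-/etc/dropbear-initramfs/authorized_keys}
    login=${2:-/root/.ssh/authorized_keys}
    [ -r "$unlock" ] && [ -r "$login" ] || return 2
    tmp_u=$(mktemp) && tmp_l=$(mktemp) || return 2
    key_blobs "$unlock" > "$tmp_u"
    key_blobs "$login" > "$tmp_l"
    common=$(comm -12 "$tmp_u" "$tmp_l")
    rm -f "$tmp_u" "$tmp_l"
    [ -z "$common" ] && return 0
    printf '%s\n' "$common"
    return 1
}

# demo: run the check on constructed sample files (the key material is fake).
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' 'no-port-forwarding ssh-ed25519 AAAAC3fakeUNLOCK unlock@laptop' > "$demo_dir/unlock"
    printf '%s\n' '# admins' 'ssh-ed25519 AAAAC3fakeUNLOCK renamed-comment' \
        'ssh-ed25519 AAAAC3fakeADMIN admin@laptop' > "$demo_dir/login"
    shared_keys "$demo_dir/unlock" "$demo_dir/login" && demo_rc=0 || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

# With arguments, check the given files; with none, do nothing (source-friendly).
if [ "$#" -gt 0 ]; then shared_keys "$@"; fi
```

Any key this prints after the login key has been changed is an unlock key that can still log in to the running system. The parser splits on whitespace, so an option value that itself contains a key-type word would be misread.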
That's a good one, thanks for the heads up in the right direction.
This is a pretty nice no-brainer and works with bullseye 11.01 as expected.
This is a little help if you want to use LVM (e.g. with Proxmox):
PART /boot ext3 512M
PART lvm vg0 all crypt
LV vg0 root / ext4 20G
LV vg0 swap swap swap 4G