23 Oct 2023 - by 'Maurits van der Schee'
In this tutorial I'll walk you through the steps of setting up Debian 12 with LUKS full disk encryption on a server you bought from the Hetzner auction. I'm following the recommended method, which uses the "installimage" script (that Hetzner provides) to make things really easy for myself.
Add your public keys to the rescue image by using an editor and pasting the public keys:
Copy the public keys to a location that can be used by the installer:
cp /root/.ssh/authorized_keys /tmp/authorized_keys
Create a "
And fill it with the following content:
cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs
Make the file executable:
chmod +x /tmp/post-install.sh
Now run the installer interactively with the "
installimage -x /tmp/post-install.sh
Now an editor opens and you need to add (use your own passphrase):
Also adjust the HOSTNAME to match your hostname (and set the reverse DNS in the robot):
Adjust the line:
PART / ext4 all
And add the word "crypt" so that it becomes:
PART / ext4 all crypt
Now add a "SSHKEYS_URL" line to specify where the public keys are located:
Press "Esc" and save the file on exit. The installer begins. Wait until it shows:
Now you can reboot the server from the command line using the "
After waiting for 60 seconds for the server to reboot you can connect again to dropbear:
You may see a host key warning and have to remove the stale entry from your known_hosts file. This can happen repeatedly, because the host key of dropbear matches neither the key of the rescue image nor the key of your normal SSH server:
ssh-keygen -f "/home/maurits/.ssh/known_hosts" -R "yourhostname.yourdomain.com"
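An alternative to deleting the known_hosts entry after every reboot, as an added example that is not part of the original post: give the initramfs dropbear its own host alias and its own known_hosts file, so its key stays pinned separately from the key of the installed system. The "-unlock" alias suffix, the "-initramfs" key alias and the known_hosts_initramfs file name are assumptions chosen here.

```shell
#!/bin/sh
# Added example (not from the original post). The "-unlock" alias suffix,
# the "-initramfs" key alias and the known_hosts_initramfs file name are
# choices made for this example.

# Print an ssh_config stanza for the initramfs dropbear of server $1.
# HostKeyAlias plus a dedicated UserKnownHostsFile keep the dropbear host key
# pinned separately from the host key of the installed system's SSH server,
# so a warning on either name means the key really changed.
unlock_stanza() {
    host=$1
    cat <<EOF
Host ${host}-unlock
    HostName ${host}
    User root
    HostKeyAlias ${host}-initramfs
    UserKnownHostsFile ~/.ssh/known_hosts_initramfs
    StrictHostKeyChecking ask
EOF
}

# Append the stanza to ssh config file $2 unless the alias already exists.
# Returns 0 when added, 1 when nothing was changed, 2 on a bad hostname.
add_unlock_host() {
    host=$1
    cfg=$2
    case $host in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid hostname: $host" >&2
            return 2 ;;
    esac
    if [ -f "$cfg" ] && grep -qxF "Host ${host}-unlock" "$cfg"; then
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; unlock_stanza "$host" >> "$cfg" )
}
```

After `add_unlock_host yourhostname.yourdomain.com ~/.ssh/config`, connect to the boot environment with `ssh yourhostname.yourdomain.com-unlock` and keep using the plain hostname for the installed system.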
Now you get to the BusyBox prompt and you need to type "cryptroot-unlock" to unlock the disk:
Now enter the passphrase you chose earlier. You should get disconnected after entering the correct passphrase and the system should boot up normally.
Your installation is complete and your system is up and running.