Blog about software development


LUKS encrypted Debian 12 server (Hetzner)

23 Oct 2023 - by 'Maurits van der Schee'

In this tutorial I'll walk you through the steps of setting up Debian 12 with LUKS full disk encryption on a server you bought from the Hetzner auction. I'm using the recommended method using the "installimage" script (that Hetzner provides) to make things really easy for myself.

Enter the rescue mode

Installation instructions

Add your public keys to the rescue image by using an editor and pasting the public keys:

nano /root/.ssh/authorized_keys

Copy the public keys to a location that can be used by the installer:

cp /root/.ssh/authorized_keys /tmp/authorized_keys

Create a "post-install.sh" file:

nano /tmp/post-install.sh

And fill it with the following content:

cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

Make the file executable:

chmod +x /tmp/post-install.sh

Now run the installer interactive with the "post-install.sh" script:

installimage -x /tmp/post-install.sh

Now an editor opens and you need to add (use your own passphrase):

CRYPTPASSWORD yoursecretpassphrase

Also adjust the HOSTNAME to match your hostname (and set the reverse in the robot):

HOSTNAME yourhostname.yourdomain.com

Adjust the line:

PART / ext4 all

And add the word "crypt" so that it becomes:

PART / ext4 all crypt

Now add a "SSHKEYS_URL" line to specify where the public keys are located:

SSHKEYS_URL /tmp/authorized_keys

Press "Esc" and save the file on exit. The installer begins. Wait until it shows:


Now you can reboot the server from the command line using the "reboot" command:


After waiting for 60 seconds for the server to reboot you can connect again to dropbear:

ssh root@yourhostname.yourdomain.com

You may see a warning and have to remove the signature. This may happen more often as the key of dropbear does not match the key of the rescue image nor the key of your normal SSH server:

ssh-keygen -f "/home/maurits/.ssh/known_hosts" -R "yourhostname.yourdomain.com"

Now you get to the BusyBox prompt and you need to type "cryptroot-unlock" to unlock the disk:


Now enter the passphrase you've chosen earlier. You should get disconnected after a successful passphrase and the system should boot up normally.

You installation is complete and your system is up-and-running.


PS: Liked this article? Please share it on Facebook, Twitter or LinkedIn.