Here are my field notes from the server I recently set up. It’s a rental server at Hetzner, which comes with a very basic rescue system pre-installed.
Starting from there, I followed the steps outlined here. The differences between the Ubuntu version used there and Debian Stretch kept me busy for quite a bit, so I’m writing my adapted command chain down here to save you some time.
Partition and Encrypt the disks
Hetzner servers usually come with at least 2 disks, which are partitioned identically with 128MB for /boot (which stays unencrypted) and the rest for the encrypted system.
On top of that, two RAID 1 arrays are formed: one for /boot and md1 for everything else.
md1 will be encrypted, and on top of that encrypted device we set up our root and other partitions as LVM logical volumes.
I tend to start with reasonable but small partition sizes and leave most of the space in the LVM volume group unassigned, so I have room to create or enlarge partitions later on as needed.
Set Up a Basic Debian Stretch With Debootstrap
The most recent version of debootstrap at the time you are doing this may vary, adjust accordingly.
Next, edit or create a couple config files.
And change into the fresh Debian system with
Set a password, create some symlinks for the Raid devices and create mtab. I’m not sure if the links are actually necessary.
Upgrade the installed packages and install a couple more:
Make sure you can actually log into the new system by putting your SSH public key into
Last but not least, set up networking so your system actually goes online after unlocking. I tried to use the modern way, but for some reason it didn’t work, so I went with the classic /etc/network/interfaces config style. The next hurdle was to find out the (not so) predictable network interface name the kernel assigns to my server’s Ethernet adaptor. I got it from the syslog after accessing the system through the rescue image (see below for the steps to access the machine in case you cannot get into it after reboot).
It might also be possible to force the kernel to use the old eth0 style names using the net.ifnames=0 kernel boot parameter (link to serverfault).
Set Up the Initial Ramdisk for Remote Password Entry
Since the whole system (except /boot) is encrypted, you will have to enter the passphrase at boot time.
This is accomplished by embedding the dropbear SSH server into the initial ramdisk image, which allows you to SSH into the server before it has even finished booting and enter the passphrase.
Luckily this is all easy and straightforward to set up nowadays:
For logging in via SSH, install your SSH key again. You can use the one you just put into /root/.ssh/authorized_keys, as long as it is an RSA key. Other key types (I tried my ed25519 key) will most certainly not work.
The options before the key limit what can be done when logging in with that key, and the command is what will be executed directly after login. Since the sole purpose of this is to unlock the disk, the script which does just that is launched directly after login.
To prevent dropbear from starting when it isn’t needed (that is, outside the initrd in your ‘real’ system), run systemctl disable dropbear. Thanks to Thomas for pointing this out in the comments.
To avoid SSH complaining about changed host keys every time you unlock the server or connect to it when unlocked, there are two ways: run Dropbear on a different port than the ‘normal’ SSH server on the unlocked system, or use a separate known_hosts file for unlocking.
I chose to run Dropbear on another port and set some other options while I’m at it:
With all that done, it’s time to update the initrd and install the Grub bootloader. The ip kernel boot parameter is essential for setting up the network in the initial ramdisk; otherwise dropbear won’t be reachable. Be sure to replace the placeholders with whatever IPv4 config your server has.
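The pieces of configuration this section and the networking section above describe (the restricted authorized_keys line for dropbear, the dropbear options with an alternate port, the classic interfaces stanza and the ip= kernel parameter) all derive from the same handful of values, so here they are generated by one script. This is an added example, not the original notes' commands: the path /etc/dropbear-initramfs/config, the unlock command /bin/cryptroot-unlock and the 203.0.113.x addresses are assumptions about Debian Stretch and constructed sample values, not the author's server.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the dropbear-initramfs
# and network configuration from one set of IPv4 values and rejects malformed
# input before it ends up in a kernel command line that cannot be fixed
# remotely. Paths and the unlock command are assumptions about Debian Stretch.

# True if $1 is four dotted decimal octets in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Fail loudly on the first bad address among the arguments.
require_ipv4() {
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 1; }
    done
}

# Kernel "ip=" parameter for the initramfs, in the kernel's nfsroot format:
# client:server:gateway:netmask:hostname:device:autoconf. Server and hostname
# are left empty; autoconf "none" keeps the static configuration.
kernel_ip_param() {
    client=$1; gateway=$2; netmask=$3; device=$4
    require_ipv4 "$client" "$gateway" "$netmask" || return 1
    [ -n "$device" ] || { echo "missing interface name" >&2; return 1; }
    echo "ip=$client::$gateway:$netmask::$device:none"
}

# Line for /etc/default/grub; run update-grub afterwards.
grub_cmdline() {
    param=$(kernel_ip_param "$@") || return 1
    echo "GRUB_CMDLINE_LINUX=\"$param\""
}

# Classic /etc/network/interfaces stanza for the unlocked system.
interfaces_stanza() {
    client=$1; gateway=$2; netmask=$3; device=$4
    require_ipv4 "$client" "$gateway" "$netmask" || return 1
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n' \
        "$device" "$device" "$client" "$netmask" "$gateway"
}

# authorized_keys line for the initramfs: the options forbid every kind of
# forwarding and force the unlock script as the only command, so the key is
# useless for anything but entering the passphrase. Only RSA keys are accepted,
# matching what the notes report working. /bin/cryptroot-unlock is assumed.
dropbear_authorized_line() {
    key=$1
    case "$key" in
        ssh-rsa\ *) ;;
        *) echo "only ssh-rsa keys work with the Stretch initramfs dropbear" >&2; return 1 ;;
    esac
    echo "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command=\"/bin/cryptroot-unlock\" $key"
}

# DROPBEAR_OPTIONS for /etc/dropbear-initramfs/config: alternate port (so the
# host key does not clash with the real sshd), -s no password logins,
# -j/-k no local/remote port forwarding, -I idle timeout in seconds.
dropbear_options() {
    port=$1; idle=${2:-60}
    echo "DROPBEAR_OPTIONS=\"-p $port -s -j -k -I $idle\""
}

# Constructed sample values; print everything with "demo" as first argument.
if [ "${1:-}" = "demo" ]; then
    grub_cmdline 203.0.113.10 203.0.113.1 255.255.255.0 enp0s31f6
    interfaces_stanza 203.0.113.10 203.0.113.1 255.255.255.0 enp0s31f6
    dropbear_options 2222
    dropbear_authorized_line "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB_EXAMPLE you@laptop"
fi
```

Take the address, netmask and gateway from what the rescue system shows for the interface rather than guessing; if that configuration is a point-to-point setup, carry its form over into the interfaces stanza instead of the plain static one above. After writing the files, `update-initramfs -u -k all` and `update-grub` pick the values up.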
It doesn’t work!
You cannot connect to unlock the system, or you unlock it but cannot connect after that? Don’t panic.
With Hetzner, there is always a way to reboot the machine into the rescue system, which can then be used to fix things.
After you have logged into the rescue system, follow these steps to unlock the disks and get into the Debian again:
I needed these quite a few times while fixing my network config. Once you’re ready to give it another go, do the same steps as above, but skip the Grub installation:
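The rescue sequence from the last two paragraphs, as one script. This is an added example rather than the original notes' commands: the array names /dev/md0 and /dev/md1, the mapping name md1_crypt, the volume group vg0 and the mount point /mnt are assumptions (override them through the environment). With DRY_RUN=1 it prints what it would do, which is also how the steps are checked here; run for real as root in the rescue image, `luksOpen` prompts for the passphrase.

```shell
#!/bin/sh
# Added example (not the original post's commands): from the Hetzner rescue
# system, reassemble the RAID, unlock LUKS, activate LVM, mount the installed
# Debian and chroot into it; afterwards rebuild only the initrd, since Grub is
# already installed. Device and volume names below are assumptions.

: "${DRY_RUN:=0}"
: "${RAID_BOOT:=/dev/md0}"
: "${RAID_ROOT:=/dev/md1}"
: "${CRYPT_NAME:=md1_crypt}"
: "${VG:=vg0}"
: "${TARGET:=/mnt}"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: bring the arrays back, unlock the encrypted one, activate the VG.
rescue_unlock() {
    run mdadm --assemble --scan
    run cryptsetup luksOpen "$RAID_ROOT" "$CRYPT_NAME"
    run vgchange -ay "$VG"
}

# Step 2: mount root and /boot, bind the kernel filesystems, enter the chroot.
rescue_chroot() {
    run mount "/dev/$VG/root" "$TARGET"
    run mount "$RAID_BOOT" "$TARGET/boot"
    for fs in dev proc sys; do
        run mount --bind "/$fs" "$TARGET/$fs"
    done
    run chroot "$TARGET" /bin/bash
}

# Step 3, after fixing the config inside the chroot: regenerate the initrd
# (which embeds dropbear and the network setup) and skip grub-install.
rescue_refresh_initrd() {
    run chroot "$TARGET" update-initramfs -u -k all
}

# Undo the mounts in reverse order and lock the disk again before rebooting.
rescue_teardown() {
    for fs in sys proc dev; do
        run umount "$TARGET/$fs"
    done
    run umount "$TARGET/boot"
    run umount "$TARGET"
    run vgchange -an "$VG"
    run cryptsetup luksClose "$CRYPT_NAME"
}

# "unlock" gets you into the chroot; "refresh" rebuilds the initrd and
# tears everything down so the machine can be rebooted.
case "${1:-}" in
    unlock)  rescue_unlock && rescue_chroot ;;
    refresh) rescue_refresh_initrd && rescue_teardown ;;
esac
```

The bind mounts are what make `update-initramfs` inside the chroot see the real /dev and /proc; forgetting them is a common reason the rebuilt initrd lacks the right device nodes. Keeping the teardown in the script (rather than typing it each time) means the LUKS mapping is closed before the reboot instead of being left open in the rescue system.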
That’s it, have fun with your shiny new server!