⚠️ THIS GUIDE WILL WIPE YOUR DRIVE!

This guide is inspired by Hetzner’s documentation found here. The main differences are that we’ll be using Btrfs with subvolumes, and that we’ll be installing the newer Ubuntu 22.04 instead of 20.04. There’s also some additional information at the end about SSH key fingerprints and fixing SSH client issues.

The first thing you’ll have to do is order a VPS (a server with Hetzner Cloud). In theory you can use an existing server, but THIS SETUP WILL DELETE ALL YOUR DATA.

Then, once you have the server, go to the “Rescue” tab, activate the rescue system and reboot into it (there’s a button that does both in one go).

Now SSH into the server with the rescue system booted, and run the following commands:

touch /tmp/authorized_keys
chmod 600 /tmp/authorized_keys
touch /tmp/setup.conf
touch /tmp/post-install.sh
chmod +x /tmp/post-install.sh

Now you’ll want to edit the following three files:

nano /tmp/authorized_keys
nano /tmp/setup.conf
nano /tmp/post-install.sh

Into /tmp/authorized_keys, put your SSH public keys (this is a must; without them you can’t sign in later!)

Into /tmp/setup.conf you’ll put in:

CRYPTPASSWORD secret
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART   /boot    ext4 1G
PART   btrfs.1  btrfs all crypt
SUBVOL btrfs.1  @           /
SUBVOL btrfs.1  @home       /home
IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Make sure to replace the value “secret” after CRYPTPASSWORD with your own encryption passphrase, and “host.example.com” after HOSTNAME with your actual hostname.

Into /tmp/post-install.sh you’ll put in (credit goes to the guide I linked at the beginning):

#!/bin/bash

# Add an initramfs hook so the dropbear network setup in early boot also
# picks up classless static routes (RFC 3442) handed out by Hetzner's DHCP.
# The heredoc is unquoted, so the \$ escapes keep the variables literal
# for the generated hook script instead of expanding them here.
add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "\$PREREQ"
}

case \$1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/dhclient ]; then
        exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}

# Install hook
add_rfc3442_hook

# Copy SSH keys for dropbear: the keys installimage placed in
# /root/.ssh/authorized_keys are the ones allowed to unlock the disk in early boot
mkdir -p /etc/dropbear/initramfs
cp -a /root/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys

# Update system and install the initramfs pieces that prompt for the
# passphrase and run the dropbear SSH server before the root volume is open
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

Finally, you run:

installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh
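Because that command wipes the drive and a missing SSH key leaves you locked out, it pays to sanity-check the two input files first. The following pre-flight script is an added example, not part of installimage or Hetzner’s guide; it assumes SSHKEYS_URL is a local path as in the config above, and the placeholder values it rejects are the ones from that config.

```sh
#!/bin/sh
# Pre-flight check for the installimage inputs used above. Added example,
# not part of installimage or Hetzner's guide. It reports a failure while
# a placeholder value is still in place or the authorized_keys file that
# SSHKEYS_URL points at contains no public key (which would lock you out).

# Print the value of KEY from the setup.conf format (KEY<whitespace>VALUE per line).
conf_get() {
  awk -v k="$2" '$1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}

# Returns 0 when the config looks safe to feed to installimage, 1 otherwise.
check_install_inputs() {
  conf="$1"; rc=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  for k in CRYPTPASSWORD DRIVE1 BOOTLOADER HOSTNAME IMAGE SSHKEYS_URL; do
    [ -n "$(conf_get "$conf" "$k")" ] || { echo "$k is not set"; rc=1; }
  done
  # The two values the text tells you to replace must not be the examples.
  case "$(conf_get "$conf" CRYPTPASSWORD)" in
    secret) echo "CRYPTPASSWORD is still the placeholder 'secret'"; rc=1 ;;
  esac
  case "$(conf_get "$conf" HOSTNAME)" in
    host.example.com) echo "HOSTNAME is still host.example.com"; rc=1 ;;
  esac
  # The root filesystem must be a subvolume, and some partition must be marked crypt.
  awk '$1 == "SUBVOL" && $4 == "/" { f = 1 } END { exit !f }' "$conf" \
    || { echo "no SUBVOL line mounted at /"; rc=1; }
  grep -Eq '^PART[[:space:]].*[[:space:]]crypt[[:space:]]*$' "$conf" \
    || { echo "no PART line marked crypt: root would be unencrypted"; rc=1; }
  # Without at least one SSH public key there is no way back in after install.
  keys="$(conf_get "$conf" SSHKEYS_URL)"
  grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-)' "$keys" 2>/dev/null \
    || { echo "no SSH public key found in $keys"; rc=1; }
  return "$rc"
}
```

Run it as check_install_inputs /tmp/setup.conf in the rescue system and only continue with installimage when it prints nothing and exits 0.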

That’s it! You now have a fully encrypted root volume with Btrfs and subvolumes (only the 1G /boot partition from setup.conf stays unencrypted). Now you can reboot and SSH in to unlock it using the encryption key you specified.

After connecting with SSH, run:

cryptroot-unlock

You will then be disconnected as the boot process continues; once the system is up, you can SSH into it again.

If you run into trouble with SSH host key fingerprints (the dropbear server in the initramfs and the actual OS each present a different host key on the same address), check out my other guide, specifically the “Fix SSH clients” section.

I run this blog in my free time. If this guide helped you out, consider donating a coffee! :D