How to install Ubuntu 20.04 with full disk encryption

Introduction

The installimage script in the Hetzner Rescue System provides an easy way to install various Linux distributions.

This tutorial shows how to use installimage to install an encrypted Ubuntu 20.04 system and add remote unlocking via SSH (dropbear) in initramfs stored in a separate /boot partition.

Prerequisites

  • Hetzner account
  • Server booted into the Rescue System
  • RSA or ECDSA SSH public key
  • No private networks attached on Hetzner Cloud

Step 1 – Create or copy SSH public key

In order to remotely unlock the encrypted system, an SSH key is required. This key will also be used later to log in to the booted system. The dropbear SSH daemon shipped with Ubuntu 20.04 only supports RSA and ECDSA keys (Ed25519 support only arrived in later dropbear releases). If you do not have such a key, you need to generate one.

For example to generate a 4096 bit RSA SSH key run:

ssh-keygen -t rsa -b 4096

Copy the public key to the rescue system, e.g. using scp:

scp ~/.ssh/id_rsa.pub root@<your-host>:/tmp/authorized_keys

Step 2 – Create or copy installimage config file

When installimage is called without any options, it starts in interactive mode and opens an editor after a distribution image has been selected. After you exit the editor, the installation proceeds and the corresponding configuration is saved as /installimage.conf in the installed system. In this tutorial we pass such a configuration file to installimage directly.

Create a file /tmp/setup.conf with the following content or copy it to the server in the Rescue system.

Note: Replace secret with a strong passphrase and adjust drive names and partitioning as needed. The passphrase is stored in clear text in this file. The Rescue System does not survive the reboot, but the configuration is also saved as /installimage.conf on the installed system, so check that file after the first boot and remove the CRYPTPASSWORD line if it is still present.

CRYPTPASSWORD secret
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Ubuntu-2004-focal-64-minimal.tar.gz
SSHKEYS_URL /tmp/authorized_keys

This configuration will install Ubuntu on a single drive (/dev/sda) with a separate unencrypted /boot, which is required for remote unlocking: the kernel, the initramfs and the dropbear daemon that asks for the passphrase all have to be readable before the root volume is opened. Keep in mind what that means: /boot is neither encrypted nor authenticated, so this setup protects data at rest (a decommissioned or stolen disk) but cannot detect an initramfs that was modified to capture the passphrase.

Step 3 – Create or copy post-install script

In order to remotely unlock the encrypted partition, we need to install the dropbear SSH server and add it to the initramfs, which is stored on the unencrypted /boot partition. This also pulls dhclient into the initramfs to configure networking, but only the bare client without its exit hooks. That is not enough on Hetzner Cloud, where an instance receives a /32 address and its default gateway via DHCP option 121 (RFC 3442 classless static routes): the bare dhclient ignores that option, so the initramfs would get an address but no route back to you. To fix this, we add an initramfs hook that copies the rfc3442-classless-routes exit hook into the initramfs.

In order to run these additional steps we need a post-install script for installimage.

Create a file /tmp/post-install.sh in the Rescue system with the following content:

#!/bin/bash

# Abort on the first failing command so installimage reports the problem
# instead of producing a system that cannot be unlocked remotely.
set -e

add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "\$PREREQ"
}

case \$1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

# Nothing to do if dhclient is not going to be in the initramfs anyway
if [ ! -x /sbin/dhclient ]; then
        exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

# Copy the dhclient exit hook that turns DHCP option 121 (RFC 3442
# classless static routes) into kernel routes; without it the initramfs
# gets an address but no usable default route on Hetzner Cloud.
mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}


# Install the hook before the packages below, so the first initramfs
# build already includes it
add_rfc3442_hook

# Copy SSH keys for dropbear; installimage has already placed the keys
# from SSHKEYS_URL in /root/.ssh/authorized_keys
mkdir -p /etc/dropbear-initramfs
cp -a /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys

# Update package lists and install the initramfs components for remote
# unlocking; installing dropbear-initramfs regenerates the initramfs on /boot
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

Important note: make the post-install script executable:

chmod +x /tmp/post-install.sh
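To see what the exit hook copied by the post-install script actually does for the initramfs, here is an added example (not part of the tutorial or of the Debian/Ubuntu hook itself) that decodes a dhclient-style RFC 3442 route list into the corresponding ip route commands. dhclient hands the option to its exit hooks as space-separated decimal octets: a prefix length, only the significant destination octets, then four gateway octets, repeated per route. The sample route list, the interface name eth0 and the gateway 172.31.1.1 are constructed for illustration; the function prints the commands instead of applying them so it runs anywhere.

```shell
#!/bin/sh
# Decode a dhclient-style RFC 3442 classless static route list into
# "ip route add" commands.  Added illustration of what the
# rfc3442-classless-routes exit hook does; this is not that hook and it
# only prints, it never touches the routing table.
#
# Input format (as dhclient exposes DHCP option 121 to exit hooks):
#   <prefix-length> <significant destination octets> <gateway: 4 octets> ...
# The number of destination octets depends on the prefix length:
#   0 -> none, 1-8 -> 1, 9-16 -> 2, 17-24 -> 3, 25-32 -> 4

# Usage: rfc3442_routes "<option string>" <interface>
# Prints one "ip -4 route add ..." line per route, in option order.
# Returns 1 on a malformed or truncated list.
rfc3442_routes() {
    opt="$1"
    iface="$2"
    set -- $opt
    while [ $# -gt 0 ]; do
        len=$1; shift
        case $len in
            0)              n=0 ;;
            [1-8])          n=1 ;;
            9|1[0-6])       n=2 ;;
            1[7-9]|2[0-4])  n=3 ;;
            2[5-9]|3[0-2])  n=4 ;;
            *) echo "bad prefix length: $len" >&2; return 1 ;;
        esac
        # Need n destination octets plus the 4 gateway octets
        if [ $# -lt $((n + 4)) ]; then
            echo "truncated route list" >&2
            return 1
        fi
        # Rebuild the full dotted destination, zero-filling omitted octets
        dst=""
        i=0
        while [ $i -lt 4 ]; do
            if [ $i -lt $n ]; then o=$1; shift; else o=0; fi
            dst="${dst}${dst:+.}$o"
            i=$((i + 1))
        done
        gw="$1.$2.$3.$4"; shift 4
        # A gateway of 0.0.0.0 means the destination is directly on-link
        if [ "$gw" = "0.0.0.0" ]; then
            echo "ip -4 route add $dst/$len dev $iface"
        else
            echo "ip -4 route add $dst/$len via $gw dev $iface"
        fi
    done
}

# Constructed sample (not a real capture): an on-link /32 host route to the
# gateway followed by a default route through it.  This is the shape a DHCP
# server uses when the instance address has no directly attached subnet;
# 172.31.1.1 and eth0 are placeholders.
SAMPLE_ROUTES="32 172 31 1 1 0 0 0 0 0 172 31 1 1"
rfc3442_routes "$SAMPLE_ROUTES" eth0
```

The order matters: the /32 on-link route to the gateway has to exist before the default route that points at it, and the function preserves option order for exactly that reason. A plain dhclient without the exit hook would stop after assigning the /32 address, which is why the initramfs on Hetzner Cloud never becomes reachable without the hook.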

Step 4 – Start installation

Before starting the installation check again the content of the following files:

  • /tmp/authorized_keys – your public SSH key (RSA or ECDSA)
  • /tmp/setup.conf – installimage config
  • /tmp/post-install.sh – is executable and contains the post-install script

Now you are ready to start the installation with the following command:

installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh

Wait until the installation completes and check debug.txt (installimage writes it to /root/debug.txt in the Rescue System) for any errors.

Step 4.1 – Possible problems

If you see an error message related to device-mapper in debug.txt, you need to re-create the initramfs from inside the installed system; otherwise you will not be able to unlock the encrypted partition remotely. The LUKS container is normally still open when installimage finishes. Mount it, make sure the separate /boot partition is mounted on top of it (the new initramfs has to land on /boot, where GRUB reads it, not on the encrypted root), chroot in and rebuild:

mount /dev/mapper/luks-* /mnt/
# /dev/sda1 is the /boot partition from setup.conf; adjust for your drive
mountpoint -q /mnt/boot || mount /dev/sda1 /mnt/boot
chroot-prepare /mnt ; chroot /mnt
update-initramfs -u
exit
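Before rebooting it is worth checking that the initramfs on /boot really contains everything the unlock depends on, rather than finding out when the server does not answer. The following added example (not from the tutorial or from installimage) runs such a check over an lsinitramfs listing. The patterns are loose, basename-level matches because the directory layout differs between merged-/usr and non-merged systems; the listing embedded in the block is constructed for the demo and its paths are illustrative.

```shell
#!/bin/sh
# Pre-reboot check: confirm the freshly built initramfs contains the
# components remote unlocking depends on.  Added example, not part of the
# original tutorial or of installimage.
#
# Produce the real input from inside the installed system (chroot or first
# boot) with:
#   lsinitramfs /boot/initrd.img-<version> > /tmp/initramfs.list
# Inside a chroot, `uname -r` reports the Rescue System's kernel, so pick
# the version from `ls /boot` instead.

# Usage: check_unlock_initramfs <listing-file>
# Prints each missing component to stderr; returns 1 if anything is
# missing, 0 otherwise.
check_unlock_initramfs() {
    listing="$1"
    missing=0
    # label:pattern pairs; patterns are anchored on the basename only
    for spec in \
        'dropbear:sbin/dropbear$' \
        'authorized_keys:authorized_keys$' \
        'dhclient:sbin/dhclient$' \
        'rfc3442-hook:dhclient-exit-hooks.d/rfc3442-classless-routes$' \
        'cryptsetup:sbin/cryptsetup$' \
        'cryptroot-unlock:cryptroot-unlock$'
    do
        label=${spec%%:*}
        pattern=${spec#*:}
        if ! grep -qE "$pattern" "$listing"; then
            echo "missing from initramfs: $label (pattern $pattern)" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed listing for the demo (not a real lsinitramfs capture)
sample_listing() {
    cat <<'LIST'
usr/sbin/dropbear
etc/dropbear/authorized_keys
sbin/dhclient
etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
sbin/cryptsetup
bin/cryptroot-unlock
scripts/local-top/cryptroot
LIST
}

tmp=$(mktemp)
sample_listing > "$tmp"
if check_unlock_initramfs "$tmp"; then
    echo "listing contains all remote-unlock components"
fi
rm -f "$tmp"
```

If the rfc3442 hook or the authorized_keys file is reported missing, the post-install script did not run to completion or ran before the hook was in place; fix that and run update-initramfs -u again with /boot mounted, as in the step above.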

Step 5 – Boot installed system

After the installation has finished and any errors are resolved, you can run reboot to restart the server and boot the newly installed system. You can watch the boot process if you have a KVM attached or via remote console on a Cloud instance.

After some time the server should respond to ping. Now log in via SSH to dropbear and run cryptroot-unlock to unlock the encrypted partition(s).

$ ssh root@<your_host>

BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6.3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cryptroot-unlock 
Please unlock disk luks-80e097ad-c0ab-47ce-9302-02dd316dc45c:

If the passphrase is correct the boot will continue and you will automatically be disconnected from the temporary SSH session.

After a few seconds you can log in to your new system.

Note that dropbear in the initramfs uses its own host key, so your SSH client sees a different key on the same address during unlocking than it does for the booted system. Keep the two apart (for example with a separate UserKnownHostsFile for the unlock session) rather than disabling host key checking: the unlock session is exactly where you type the passphrase, so it is the one you least want to hand to an impostor.

Reprint: https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption

