A month ago I discovered the new world of cheap dedicated servers. If you hear the term “Dedicated Server” you probably imagine a powerful machine located in a data-center with a price around $60/month or more. But nowadays you can rent something less expensive, from $6 to $15, with a 0.5-1TB drive and unlimited traffic. It is an ideal solution for a personal data warehouse, your own e-mail server and so on. Of course nowadays (especially after the Snowden affair) the security of stored data is important. Secured lines and encryption are now essential. But because you do not have physical access to the server, encryption can be difficult: you have to “unlock” the encrypted container during boot, and that is usually done by typing a password on the server's physical console or by a dongle inserted into the server. Neither is possible with remote access only. But several days ago I found on the Internet a great idea how to solve this problem: an encrypted Linux dedicated server with the drive unlocked remotely through a temporary SSH login. I tried to configure my server and it works flawlessly!
At the beginning I have to say that you can find many very similar or simply copy/pasted posts about this topic on the Internet. But none of them fit all my needs or worked without problems.
For this reason I have prepared my own recipe, compiled from many resources, and decided to publish it on my site to give other users the chance to save the time needed to research how to fix some problems or annoyances. I don't want to give the impression that the whole recipe is my own research and push the original authors into the dark. You can find all my resources at the end of the post and use them for your own research. Of course you can do the same with my post too.
Where to Get the Server
After the short introduction we can start with the real work. The first requirement is to get your own server somewhere in the Cloud. One of the best options is to get a server from the Kimsufi provider. The problem with Kimsufi is that you have to “hunt” for your server, because the number of customers waiting for a server is much bigger than the number of available devices. So you have to use some tools and check the Kimsufi pages carefully to get your own server. But it is possible; I went the same way and was successful. 🙂
The next option can be ServDiscount, with a slightly higher price, but you can choose your device quickly and easily. Finally I can mention the Hetzner site, where you can get your server in an auction of abandoned devices. If you know another nice provider offering cheap dedicated servers, let me know in the discussion below.
When we have access rights to the new server, we can proceed with the configuration. All providers offer a one-click installation of a Linux distribution, but this option is not easy to use for our purpose, modifying the installation for full encryption. Instead of the one-click installation we have to boot the server into Rescue Mode to get full access to the hard-drive and connect to the server remotely with SSH. This option is offered by all providers because it allows fixing problems with the device remotely, for example when a kernel update prevents the server from booting. So boot into Rescue Mode, and when you are logged in we can proceed with the next step.
When we have SSH access we must identify the hard-drive and modify its partition scheme. To display the disk layout, use for example this command:
# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 931.5G  0 disk
|-sda1   8:1    0 931.5G  0 part /root
Here we can see that the main hard-drive is known as sda, with one main partition sda1. The main purpose of the command was to find the drive name, in our case sda. Now we have to re-partition the drive for the encrypted LVM setup.
!!WARNING!! These steps completely destroy any data on the drive, so be sure that you will not lose anything important!!!
Use the fdisk command to create a new partition table:
# fdisk /dev/sda
fdisk uses something like a text-based menu, so we have to perform several steps in the right order and then write the new partition table to the disk.
- Empty the current table: command (o)
- Create new primary partition 1:
  - command (n)
  - primary (p)
  - number 1 (1)
  - default first sector (Enter)
  - specify size (+250M)
- Create new primary partition 2:
  - command (n)
  - primary (p)
  - number 2 (2)
  - default first sector (Enter)
  - default last sector (Enter)
- Make partition 1 bootable:
  - command (a)
  - number 1 (1)
- Verify the result with the print command (p)
- Write the new table to the disk: command (w)
Now verify the result again to be sure that everything is OK.
# fdisk -l /dev/sda
.........
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      514047      256000   83  Linux
/dev/sda2          514048  1953525167   976505560   83  Linux
If you see something similar, you can continue with creating the encrypted disk space. But before that we can improve the security by randomizing the disk space.
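The same layout as the fdisk dialogue above, applied non-interactively and then checked, as an added example that is not from the original post. It uses sfdisk from util-linux 2.26 or newer; the function names write_layout and verify_layout are my own, and the disk is passed as an argument (the real device in rescue mode, or an image file for a dry run).

```shell
#!/bin/sh
# Added example: scripted equivalent of the fdisk steps, using sfdisk
# (util-linux >= 2.26). The argument is the device found with lsblk
# (e.g. /dev/sda) or, for a dry run, an image made with: truncate -s 2G disk.img
# Unmount anything on the real disk first, otherwise sfdisk refuses to write.

# Write the layout: partition 1 = 250 MiB, type 83, boot flag (for /boot);
# partition 2 = the rest of the disk (for the encrypted LVM container).
# !! Destroys the existing partition table and all data on the disk !!
write_layout() {
    sfdisk --quiet "$1" <<'EOF'
label: dos
,250M,L,*
,,L
EOF
}

# Check the two properties the boot chain depends on: partition 1 carries
# the boot flag and partition 2 starts right after it (no gap, no overlap).
# Returns 0 when the layout matches, 1 otherwise.
verify_layout() {
    sfdisk --dump "$1" | awk -F'[ =,]+' '
        /^[^ ]+[0-9]+ : start=/ {
            n++
            if (n == 1) { p1_end = $4 + $6; p1_boot = /bootable/ }
            if (n == 2) { ok = p1_boot && ($4 == p1_end) }
        }
        END { exit ok ? 0 : 1 }'
}

# Usage in rescue mode (after umount of everything on /dev/sda):
#   write_layout /dev/sda && verify_layout /dev/sda && fdisk -l /dev/sda
```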
Randomize Disk Space
For safety reasons it is recommended to fill the space intended for the encrypted data with a random pattern. This strengthens the setup because encrypted blocks become indistinguishable from unused space, so an attacker cannot analyze usage patterns on the drive. This step is optional and can be time consuming (hours or days), but I don't recommend skipping it.
The best way to do that is to use the Screen application, a full-screen window manager that multiplexes a physical terminal between several processes. With Screen you can start any process inside it, detach from the console and let it run in the background. Even if you disconnect your SSH session, Screen keeps running with all the tasks started inside it. You can connect to the server by SSH at any time, re-attach to the Screen console and check the task progress.
To start your Screen session, type the screen command on the console and press Enter. Then try to run any command, for example date:
# screen
# date
Thu Dec 17 14:12:04 CET 2015
#
Now press Ctrl+A and then D. This detaches you from the current Screen session.
The result of the date command now disappears and you see something like this:
detached from 1381.pts-0.xxxx
The important thing here is the number, in our case 1381: it is the number of the running Screen session. To re-attach to that session, type:
# screen -r 1381
If everything goes well, you see the result of the date command again because you have been attached back to the running Screen console session. Of course you can run multiple sessions simultaneously. Just type screen again when you are detached from the Screen console; it starts a new clean session for you. To get a list of the running Screen sessions, just type:
# screen -ls
There are screens on:
        4572.pts-0.cloud        (12/18/15 15:54:04)     (Detached)
        1381.pts-0.cloud        (12/17/15 13:26:21)     (Detached)
Then you can attach back to the selected Screen console by its session number in the same way as described above.
With this knowledge of the Screen command we can fill the partition with random data as a background task. Just type this inside the Screen session:
dd if=/dev/urandom bs=4k of=/dev/sda2
This starts filling the second partition (where the encrypted system will be created) with random data. Because it can take a long time, you can improve this command by monitoring the progress of the filling process. To do this correctly you have to know the approximate size of the partition being filled. Use the lsblk command and read the sda2 partition size there. In my example it is 931.5G.
When you know the partition size, modify the filling command this way:
dd if=/dev/urandom bs=4k | pv --size=932G | dd of=/dev/sda2 bs=4k
The pv command shows you how many bytes pass through it, and the --size parameter lets pv calculate what percentage of the operation is already done. Because 932G is only an approximation of the real partition size, the percentage is approximate too.
Now you can detach from the Screen session and wait the expected time (in my case more than 24 hours) for the randomization process to finish. Of course you can check the progress from time to time.
When the task is finished, the server is ready for creation of the encrypted space.
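An added example, not from the original post, that packages the dd/pv pipeline above into a small script: it reads the exact partition size from the device instead of an estimated 932G, so the pv percentage is accurate, falls back to dd's own status=progress when pv is not installed, and spot-checks the result afterwards. The function names (target_size, fill_random, looks_random) and the file name fill.sh are my own; GNU coreutils and util-linux (lsblk) are assumed.

```shell
#!/bin/sh
# Added example: the randomization step as a script. The byte size is read
# from the target rather than typed in, so pv's percentage is exact; head -c
# bounds the input so the same code also works on an image file; dd's
# status=progress is used when pv is not installed. Assumes GNU coreutils,
# util-linux (lsblk) and optionally pv.

# Size in bytes of a block device (partition) or of a regular file.
target_size() {
    if [ -b "$1" ]; then
        lsblk -bno SIZE "$1" | head -n 1
    else
        stat -c %s "$1"
    fi
}

# Overwrite the whole target with data from /dev/urandom, showing progress.
# !! Destroys all data on the target !!
fill_random() {
    size=$(target_size "$1")
    if command -v pv >/dev/null 2>&1; then
        head -c "$size" /dev/urandom | pv --size "$size" | dd of="$1" bs=4k 2>/dev/null
    else
        head -c "$size" /dev/urandom | dd of="$1" bs=4k status=progress
    fi
}

# Spot check after the fill: the first and the last 4 KiB block must contain
# non-zero bytes; an all-zero block means the write never started or ended early.
looks_random() {
    size=$(target_size "$1")
    last=$(( size / 4096 - 1 ))
    first_nz=$(dd if="$1" bs=4k count=1 2>/dev/null | tr -d '\000' | wc -c)
    last_nz=$(dd if="$1" bs=4k skip="$last" count=1 2>/dev/null | tr -d '\000' | wc -c)
    [ "$first_nz" -gt 0 ] && [ "$last_nz" -gt 0 ]
}

# Usage inside a Screen session (here started detached straight away), e.g.:
#   screen -dmS wipe sh -c '. ./fill.sh; fill_random /dev/sda2'
#   screen -r wipe        # re-attach later to watch the progress
#   looks_random /dev/sda2 && echo "sda2 randomized"
```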