Encrypted Linux Dedicated Server or VPS

Encrypt the Server Space

Now we can continue with configuring the server encrypted disk space. This will hold operating system and sensitive data. For the disk encryption the Linux offers technology called LUKS – Linux Unified Key Setup. This allows to encrypt the disk space transparently and use the encrypted space as classical disk partition but protected by strong cryptography.
To configure the encryption on the sda2 partition, use the cryptsetup command with these parameters:

# cryptsetup luksFormat --hash sha512 --key-size 512 --cipher aes-xts-plain64 --verify-passphrase --iter-time 3000 /dev/sda2

You will get a confirmation question and then th password query:

This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

Be sure to type YES here in uppercase as response on the overwrite confirmation question because otherwise the command will fail.

Deep explanation of the cryptsetup command parameters is beyond the scope of the article. If you have any recommendation or notice please let me know in discussions below the article. I refined possible options to my selection above but you can use whatever you want and what better fit your needs.
From my point of view is necessary to use a strong hash algorithm as the SHA256 or the SHA512 hash for the password hashing because other hashes are nowadays declared as weak or deprecated (MD5, SHA1 etc.) As encryption algorithm I have selected the aes-xts because AES is declared as standard for high security now and also is supported by new processors hardware so it is quick. Finally I recommend to set the iteration time as high as is acceptable for you because it makes brute force password guessing more time consuming. But of course the same time takes to unlock the partition with your right password.
When we mention the password then many recommendations how to create secure and complex password can be found on the Internet. By my opinion 20-25 complex characters is now minimum for good data protection. Select here whatever you find suitable and comfortable for you.

Now dump the LUKS partition UUID and store it for future use:

# cryptsetup luksDump /dev/sda2 | grep UUID:
UUID:           xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Instead of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx you will see the real UUID of the partition. Copy that for use in next steps please.

Finally unlock the partition to verify the encryption setup and allow next configuration steps:

# cryptsetup luksOpen /dev/sda2 sda2_crypt
Enter passphrase for /dev/sda2:

Select the Right Partitioning Scheme

Before next steps we have to make decision about the partition scheme of the server. My experience is that each person has different opinion about that. Of course we have to create swap and root / partitions in all cases, but then somebody say that it is enough, somebody else needs separated partitons for /home /var etc…
By my opinion the schema vary based on the server usage purpose. Different schema is suitable for web/mail server, different for server with many users simultaneously logged in and different for the data warehouse. Of course can be good idea to have some flexibility here, if a new requirement will rise up. Due this I have selected the logical disk volume (LVM) mechanism because it is easy configurable and allow on the fly flexibility in the disk layout design. Due security purposes I have used separate temp partition to allow mount it as non-executable. And then I separate system files from my data (it allows better backup possibilities if necessary) so I have root partition for operating system files and srv partition for all my real data.

Here is my server partition scheme:

  • root – 15GB
  • tmp – 250MB
  • swap – (2 x real server memory size)
  • srv – rest of the free disk space, or something around 70% of the free space to leave a reserve for future LVM modifications.

Of course you can modify the scheme to fit your needs and habits.

Create the Server Logical Partitions

Now we can continue with LVM and server partitions. At first we have to create the physical volume on the LUKS encrypted sda2_crypt partition. To do this simply type:

# pvcreate /dev/mapper/sda2_crypt

When the physical volume is created we can continue with creation of a Volume Group. The Volume Group with a name sgrp will contain only one previously created physical volume now.

# vgcreate sgrp /dev/mapper/sda2_crypt

Finally, we will create logical partitions based on the schema described above on the sgrp volume group:

# lvcreate -L 2G -n swap sgrp
# lvcreate -L 15G -n root sgrp
# lvcreate -L 250m -n tmp sgrp
# lvcreate -l 70%FREE -n srv sgrp

Finally you can verify the result by command:

# lvs
  LV   VG    Attr      LSize   Pool Origin Data%  Move Log Copy%  Convert
  root sgrp  -wi-ao---  15.00g
  srv  sgrp  -wi-ao--- 600.25g
  swap sgrp  -wi-a----   3.00g
  tmp  sgrp  -wi-ao--- 251.00m

Create Filesystems

With partitions created we can continue to create appropriate filesystems on those partitions to allow mount them and store files on them. Here you can select from many options too but I’m conservative and use ext4 filesystem here. The ext4 filesystem is used by many distributions by default and it is de-facto standard for the Linux filesystems in those days. Exception here is the swap which must use the swap filesystem and /boot partition where I use ext2 because journal and other advanced features of the ext4 FS are not necessary here and ext2 can be handled easily during recovery process when something goes wrong.
Use those commands to create appropriate filesystems:

# mkfs.ext2 -L boot /dev/sda1
# mkswap -L swap /dev/mapper/sgrp-swap
# mkfs.ext4 -L root /dev/mapper/sgrp-root
# mkfs.ext4 -L tmp /dev/mapper/sgrp-tmp
# mkfs.ext4 -L srv /dev/mapper/sgrp-srv

Access Disk from Rescue Mode When Necessary

This step can be necessary if you need to boot the server to the Rescue mode again and fix something from this environment or you have to break the configuration process and continue again later. During tune-up process of this How-To I have to do this many times. In this case you have to only unlock the LUKS manually and activate the Volume Group sgrp but don’t create partitions etc again. Repeat partition creation cause to lost all your work previously done!

When you boot the Rescue Mode again, just type these commands:

# cryptsetup luksOpen /dev/sda2 sda2_crypt
Enter passphrase for /dev/sda2:

# lvm vgchange -a y

You will get the same state as you had after step Create Filesystems and you can continue with mounting partitions and entering chroot environment. Of course, you have to skip the debootstrap here too.

Mount Logical Partitions

To allow to create or modify files on previously created partitions, we have to mount them to same way how they will be used by the server OS in the future. But because we are in the Rescue Mode now, we have to create entry point where the root of the server OS will be mounted. Create the folder /srv_root for this and mount the root partition to this folder:

# mkdir /srv_root
# mount /dev/mapper/sgrp-root /srv_root

When we are doing this first time, we have to create appropriate folders inside the server root. This step have to be one only once, but if you try to do that again you will not get nothing worse then error message.

# mkdir /srv_root/boot
# mkdir /srv_root/tmp
# mkdir /srv_root/srv

Now mount rest of partitions to newly created folders:

# mount /dev/sda1 /srv_root/boot
# mount /dev/mapper/sgrp-tmp /srv_root/tmp
# mount /dev/mapper/sgrp-srv /srv_root/srv

Now activate the swap:

# swapon /dev/mapper/sgrp-swap

And finally set appropriate rights for the /tmp folder:

# chmod 1777 /srv_root/tmp

Now all server partitions are correctly mounted and prepared for next config steps.

1 2 3 4

Posted by:

Zdenek Polach

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top