Encrypted Linux Dedicated Server or VPS


First of all you have to check if the Rescue system supports the Debootstrap command and have the wget tool installed. Try this in the console window:

# debootstrap
I: usage: [OPTION] ... &ltsuite&gt &lttarget&gt [&ltmirror&gt [&ltscript&gt]]
I: Try `debootstrap --help' for more information.
E: You must specify a suite and a target.
# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

I have checked two server providers and on both of them those commands are available by default but if you are not lucky then you have to install them manually to your rescue mode.

# apt-get update
# apt-get install debootstrap
# apt-get install wget

With these tools ready we can continue with preparations for the Debootstrap. To allow the Debootstrap tool to verify downloaded data and check if are not corrupted or modified by an error or an attacker we have to download Ubuntu gpg public keys. These keys signed all Ubuntu packages and protect them against modifications. To download keys please use this command:

# wget http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg

This will download the ubuntu-archive-keyring.gpg file to your home directory. Copy the file now to destination folder by this command:

# cp ubuntu-archive-keyring.gpg /usr/share/keyrings/

As alternative you can use the keyring file directly in the bootstrap process by parameter –keyring but it doesn’t work well for me.

Anyhow if you see any of that messages during the debootstrap process:

W: Cannot check Release signature; keyring file not available ....
E: Release signed by unknown key (key id xxxxxxx)

then the keyring is not downloaded or specified correctly and you have to fix it.
Now is time to start the debootstrap process. It puts all necessary files for OS root to /root partition now mounted in the /srv_root folder. To do that, just type:

# debootstrap --arch amd64 --keyring ./ubuntu-archive-keyring.gpg trusty /srv_root http://archive.ubuntu.com/ubuntu/

If you want to install the 32bit architecture instead the 64bit then use the i386 as the –arch parameter. The amd64 specifies 64bit architecture. The ‘trusty’ parameter specifies that we can install the Ubuntu 14.04 LTS (Trusty Tahr). It is latest LTS version at time when I write this article. You can of course install different Ubuntu version by change the parameter – for example for 15.10 use ‘wily’ instead of ‘trusty’ here. The –keyring parameter specify file with public gpg keys to verify packages integrity and have to be specified as full path, or with current folder ‘./’ prefix. If you copied the keyring to the /usr/share/keyrings/ folder, you don’t need to specify this parameter.

Chroot and Base Config

Now we can switch our session to chroot environment. It is something like virtual access to the OS of our server as it will be booted directly by hardware in the future. This allows to install additional pieces of software and modify configuration files on the server OS instead of modify the Rescue Mode OS files.
First step to successfully enter the chroot environment is to mount special filesystems ( dev, proc, sys ) to the root filesystem of the server OS:

# mount -o bind /dev /srv_root/dev
# mount -t proc proc /srv_root/proc
# mount -t sysfs sys /srv_root/sys

When we are done, we can enter the chroot environment by this command:

# XTERM=xterm-color LANG=C.UTF-8 chroot /srv_root /bin/bash

Now welcome into the chroot environment of the server. Since this time all commands typed to the console will modify the server filesystem and configuration instead the Rescue OS environment.

First of all, create the symbolic link from /etc/mtab to /proc/mounts.

# ln -sf /proc/mounts /etc/mtab

This avoid problem if the root filesystem ( / ) is mounted as Read Only and the /etc/mtab is outdated. This symlink grants that /etcv/mtab is always up to date.

Next good idea connected with filesystems is to force the server to make filesystem checks on each boot. Especially on the server without physical control it can be very good idea. To enable that behavior type this command in the console

# echo FSCKFIX=yes >> /etc/default/rcS

Next essentials thing is to generate appropriate locale files otherwise lot of next steps will be complaining about wrong locale settings.

# locale-gen en_US.UTF-8
# update-locale en_US.UTF-8

Next step is to configure the server clock. Linux servers use usually the UTC time in the hardware clock then we have to set OS to reflect this fact. To do that create file /etc/adjtime by this command:

# echo -e '0.0 0 0.0\n0\nUTC' > /etc/adjtime

Set appropriate time zone for the server by this command:

# dpkg-reconfigure tzdata

Now is granted that files created or modified on the server will have correct time-stamps.

Because lot of configuration steps will be provided by modification of text configuration files then can be nice if you can use the favorite text editor to do that. My preference is vim so I’m installing it immediately. Install whatever you like here instead of vim if it is not your cup of tea.

# apt-get install vim

Now we have to inform system about the encrypted block device with our partitions and create record about it in the /etc/crypttab file to allow OS correctly handle it. To do this we will need the GUID stored before during LUKS setup. The record will be created by this command:

# echo 'sda2_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks'  > /etc/crypttab

where string xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx must be replaced by previously stored LUKS GUID.

Next step is to create /etc/fstab file to allow correct mount of partitions to root filesystem. Each partition is described by one line here. If you do not modified parttion scheme during this how-to you can create file with this content directly:

# file system   mount point type    options             dump    pass
LABEL=root      /           ext4    errors=remount-ro   0       1
LABEL=tmp       /tmp        ext4    rw,nosuid,nodev,noexec     0       2
LABEL=srv       /srv        ext4    rw,nosuid,nodev     0       2
LABEL=boot      /boot       ext4    rw,nosuid,nodev     0       2
# Alternative home in /srv:
#/srv/home      /home       auto    bind                0       0

#******** END of FSTAB

Last two lines are commented out but when are enabled then you can allow to move home folder from / to srv partition where all other data reside.
The /tmp partition is mounted as non-executable because some attack techniques against the server tries to create a file here and then run it to finalize the attack. It is the reason why I always mount /tmp folder to standalone partition.


To configure networking correctly you need to know the server assigned IP address and other network parameters. It is defined by the server provider and you can find it in the server administration very often.

You have to know:

  • Server IP address ( example: )
  • Network gateway IP address( example: )
  • Network mask ( example: )
  • Your domain name ( example: mydomain.dom )
  • Your server host name (example: myserver )
  • DNS server addresses (can be replaced by generic Google DNS,

When you have collected all necessary pieces of information you can create networking configuration. At first we define the short and full hostname. Type these commands and replace example values by real names:

# echo 'myserver' > /etc/hostname
# echo ' myserver.mydomain.dom myserver' > /etc/hosts

At next create the file /etc/network/interfaces with this content and replace example values from above by your real values:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   dns-search mydomain.dom
   pre-up /sbin/ip addr flush dev eth0 || true

The last line beginning by pre-up… is necessary here to grant correct network initialization when main system is booted after unlocking by busybox environment. Please leave it here without any change.

Now you can verify the hostname. Type this:

# hostname -f

Instead of myserver.mydomain.dom you have to see your full server name (hostname and domain).


1 2 3 4

Posted by:

Zdenek Polach

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top