Encrypted Linux Dedicated Server or VPS

Package Manager and Required Packages

Now we configure the package manager. Ubuntu is a Debian-based system, and the package manager configuration resides in the /etc/apt/ directory.
To handle packages correctly, the APT system needs a list of package sources. Using the URLs from this list, the package manager refreshes its list of currently available packages and their versions, and based on that information it allows installation of new packages or upgrades of installed ones. The list resides in the /etc/apt/sources.list file. Ubuntu offers several official package repositories, and these are mirrored worldwide by many organizations. Best practice is to set the package manager to use the mirrors closest to the server location. To generate a correct list we can use this link: https://repogen.simplylinux.ch/index.php
Select your location and the required Ubuntu version there. Be sure to select the Universe repository too, because it contains some necessary packages (Dropbear). The page finally generates something like this:

#------------------------------------------------------------------------------#
#                            OFFICIAL UBUNTU REPOS                             #
#------------------------------------------------------------------------------#


###### Ubuntu Main Repos
deb http://cz.archive.ubuntu.com/ubuntu/ trusty main restricted universe 
deb-src http://cz.archive.ubuntu.com/ubuntu/ trusty main restricted universe 

###### Ubuntu Update Repos
deb http://cz.archive.ubuntu.com/ubuntu/ trusty-security main restricted universe 
deb http://cz.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe 
deb-src http://cz.archive.ubuntu.com/ubuntu/ trusty-security main restricted universe 
deb-src http://cz.archive.ubuntu.com/ubuntu/ trusty-updates main restricted universe 

Copy that and paste it into /etc/apt/sources.list.

Additionally, configure the package manager to install only required packages, not the recommended ones. This saves disk space and gives better control over the software running on the server. Type this in the console:

# echo 'APT::Install-Recommends "False";' > /etc/apt/apt.conf.d/02recommends

Now we can install all packages necessary for the server's remote unlock mechanism, using the package manager we have just configured.

# apt-get update
# apt-get install makedev cryptsetup lvm2 ssh dropbear busybox-static
# apt-get install initramfs-tools locales grub-pc kbd console-setup
# apt-get install less ntpdate sudo
# apt-get install linux-generic-lts-vivid

BusyBox and Dropbear Configuration

To unlock the server remotely we will use BusyBox and the lightweight SSH server Dropbear, with SSH key authentication, from the Initramfs. So we have to configure the Dropbear Initramfs config files to allow it to run correctly. The Initramfs config files can be found in the /usr/share/initramfs-tools folder.
First, allow Dropbear to be used as part of the Initramfs. To do that, edit the Dropbear hook file and remove the comment hashtag from the usage directive:

# vim /usr/share/initramfs-tools/conf-hooks.d/dropbear
....
#DROPBEAR=y
DROPBEAR=y

Remove the hashtag from the commented line, as shown above, and save the file.
Now it is necessary to modify the command that runs Dropbear. The default configuration allows all authentication methods, including root login with a password. This step is missing in all other HowTo posts about the topic, and if Dropbear is up and running without this modification, a brute-force attack is possible. Because usually no strong password is set for the BusyBox root user, the boot environment can be attacked successfully. To allow only SSH key authentication and make Dropbear more secure, modify the file:

# vim /usr/share/initramfs-tools/scripts/init-premount/dropbear

Now locate the line

/sbin/dropbear

and change it to this form:

/sbin/dropbear -s -g -j -k -p 22

The number 22 specifies the TCP port on which Dropbear will listen for incoming connections. To protect the boot environment against SSH bot attacks you can change this value to your preferred port.
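A check for the hardening step above, written as an added example and not part of the original post: it reads an init-premount script and reports whether the Dropbear start line still accepts password logins. The function names and the sample scripts are constructed for illustration; the check expects the flags as separate words, the way the post writes them.

```shell
#!/bin/sh
# Added example, not from the original post. Flag meanings per dropbear(8):
# -s no password logins, -g no password logins for root,
# -j / -k no local / remote port forwarding, -p listen port.

# has_flag LINE FLAG: succeeds when FLAG stands as its own word in LINE.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# audit_dropbear_script FILE
#   0 = every "/sbin/dropbear" start line carries -s and -g
#   1 = a start line lacks -s or -g (password logins still accepted)
#   2 = file unreadable or no start line found
audit_dropbear_script() {
    file=$1
    [ -r "$file" ] || return 2
    seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise tabs and strip leading blanks so indented lines match.
        line=$(printf '%s' "$line" | tr '\t' ' ' | sed 's/^ *//')
        case $line in
            /sbin/dropbear|"/sbin/dropbear "*) ;;  # daemon start line
            *) continue ;;                          # comments, -x tests, ...
        esac
        seen=1
        for flag in -s -g; do
            if ! has_flag "$line" "$flag"; then
                echo "$file: missing $flag in: $line" >&2
                return 1
            fi
        done
    done < "$file"
    [ "$seen" -eq 1 ] || return 2
    return 0
}

# Constructed sample scripts (hypothetical content, not copied from a real system).
sample_dir=$(mktemp -d)
printf '%s\n' '[ -x /sbin/dropbear ] || exit 0' '/sbin/dropbear' > "$sample_dir/default"
printf '%s\n' '[ -x /sbin/dropbear ] || exit 0' \
    '/sbin/dropbear -s -g -j -k -p 22' > "$sample_dir/hardened"
for name in default hardened; do
    audit_dropbear_script "$sample_dir/$name" && echo "$name: key-only" || echo "$name: FIX"
done
```

On the server, run the function against /usr/share/initramfs-tools/scripts/init-premount/dropbear and rebuild the Initramfs image only when it returns 0.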

To ensure correct network re-initialization after the main system is unlocked and booted, we have to modify the next file:

# vim /usr/share/initramfs-tools/scripts/init-bottom/dropbear

Append this line to the end of the file:

ifconfig eth0 0.0.0.0 down

To prevent Dropbear from running in the main system after a full boot, we have to remove it from the boot process of the main system. This is done with this command:

# update-rc.d -f dropbear remove

Now it is time to generate an SSH key pair and set up Dropbear to use it. If you are not familiar with SSH key authentication, you can read my post The Home Server SSH Remote Access, where you can find all the necessary information. So prepare the directory and the appropriate file content:

# mkdir -p /etc/initramfs-tools/root/.ssh/
# vim /etc/initramfs-tools/root/.ssh/authorized_keys

Paste the public key here and save the file.

Finally, when we log in remotely to the console through Dropbear, we have to unlock the main OS filesystem and continue booting into it. This is done by a special script, taken in full from the Stinky Parkia blog. You can download the script here (the file is gzipped for security reasons) or copy and paste it from the original source to its final destination:

/etc/initramfs-tools/hooks/crypt_unlock.sh

Now change the permissions of the file to make it executable:

# chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Now we have to configure the boot networking environment so that BusyBox with Dropbear is reachable from the internet. We will again need the values used to configure the /etc/network/interfaces file. Edit the file:

# vim /etc/initramfs-tools/initramfs.conf

And locate the line beginning with this text:

DEVICE=

Then add the next line below the DEVICE line:

IP=123.123.123.123::123.123.123.1:255.255.255.0::eth0:off

The line contains the networking configuration parameters. The first is the IP address of the server, the second (separated by a double colon) is the IP address of the gateway, and the third is the network mask. The line is case sensitive and must not contain any spaces. Of course, replace my example IP address and gateway values with the correct values for your server (see my example above).
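A mistake in this line leaves the Initramfs without networking and the server unreachable for unlocking, so it is worth checking before the image is built. The following is an added example, not part of the original post: it validates the colon-separated layout used above (the same seven fields as the kernel `ip=` parameter) and tests whether the gateway lies in the server's subnet. The function names and return codes are chosen here for illustration; return code 2 is only a warning, since some providers route through a gateway outside the subnet.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the IP= line
# before update-initramfs bakes it into the boot image.

# ip_to_int A.B.C.D: prints the address as an integer; fails if malformed.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        case $octet in ''|????*|0?*) return 1 ;; esac  # empty, too long, leading 0
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
    done
    echo "$n"
}

# check_ip_line 'IP=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>'
#   0 = well formed, gateway inside the client's subnet
#   1 = malformed (wrong case, spaces, missing field, bad address)
#   2 = well formed, but gateway outside the subnet (check with the provider)
check_ip_line() {
    case $1 in IP=*) spec=${1#IP=} ;; *) return 1 ;; esac
    case $spec in *[!0-9A-Za-z.:_-]*) return 1 ;; esac   # also rejects spaces
    old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
    [ $# -eq 7 ] || return 1
    client=$(ip_to_int "$1") || return 1
    gateway=$(ip_to_int "$3") || return 1
    netmask=$(ip_to_int "$4") || return 1
    [ -n "$6" ] || return 1                              # interface name required
    [ $(( client & netmask )) -eq $(( gateway & netmask )) ] || return 2
    return 0
}

# The post's example line, then constructed variants with typical slips.
for l in \
    'IP=123.123.123.123::123.123.123.1:255.255.255.0::eth0:off' \
    'IP=123.123.123.123:123.123.123.1:255.255.255.0::eth0:off' \
    'IP=123.123.123.123::123.123.124.1:255.255.255.0::eth0:off'
do
    rc=0; check_ip_line "$l" || rc=$?
    echo "rc=$rc  $l"
done
```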

Finally we have to disable the Biosdevname mechanism, which turns off the new network device naming convention. If we do not, we risk that the network will not work correctly, because on some systems (one of mine is a good example) the network card gets the name em1 and the whole network configuration stops working. I didn’t find a reason to use these new device names. If you can give me a reason, please let me know in a comment. Anyway, to disable this mechanism we have to modify the GRUB boot loader config file:

# vim /etc/default/grub

Now modify the lines GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX to contain this content:

GRUB_CMDLINE_LINUX_DEFAULT="biosdevname=0"
GRUB_CMDLINE_LINUX="biosdevname=0"

If those lines contain additional content, please preserve it if you do not know exactly what it means.

Configuration for the OS boot is now finished, so we can create the Initramfs image used for the first boot and the Dropbear start. This is done with this command:

# update-initramfs -u

This command has to be run every time you modify anything inside the Initramfs configuration in the future. So remember this command and always run it when you update the Initramfs environment or update the server kernel.

Create regular user account

Finally I create the regular user account in the main OS environment. This account will be used to log in to the unlocked and functional server and for server management. Because Ubuntu uses the sudo mechanism for administration, I’ll not break this rule and will configure the server to use sudo too.

First, select the account name. In my case, it’s srvuser. Now create the user account and add it to the appropriate groups:

# adduser srvuser
# adduser srvuser sudo
# adduser srvuser adm

Now we can configure the SSH key for logging in as srvuser. You can reuse the same key as for the Dropbear unlock login or use a separate key. Considerations about using one SSH key for all accounts or a separate SSH key for each account are beyond the scope of this post, and it is up to you which you choose. Anyway, to configure the SSH login continue with these steps:

# mkdir /home/srvuser/.ssh
# vim /home/srvuser/.ssh/authorized_keys

Paste your public key here and save the file. Now continue by setting the correct file owner and permissions, to make the SSH daemon happy and allow it to grant access to the server:

# chown srvuser:srvuser /home/srvuser/.ssh
# chown srvuser:srvuser /home/srvuser/.ssh/authorized_keys
# chmod 600 /home/srvuser/.ssh/authorized_keys
# chmod 700 /home/srvuser/.ssh

Finally, modify the sshd daemon configuration to allow SSH login and improve security. I do not describe it here because I have covered it in my previous posts.

We are now done with the configuration steps and it is time to let the server fly on its own wings. We have to exit the chroot environment, unmount the filesystems and then reboot the server.
To exit the chroot environment, type these commands in the console:

# exit
# umount /srv_root/dev
# umount /srv_root/proc
# umount /srv_root/sys
# umount /srv_root/boot
# umount /srv_root/srv
# umount /srv_root/tmp
# umount /srv_root
# swapoff -a
# lvchange -an /dev/mapper/sgrp-*
# cryptsetup luksClose sda2_crypt

Now disable the Rescue mode in the server management console and reboot the server. If everything works fine, you will be able to connect with an SSH client to the server as root using the Dropbear key. You will see something like this:

To unlock root-partition run unlock


BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Type the command to unlock the encrypted disk and enter the passphrase when prompted for it:

# unlock
Unlocking the disk /dev/disk/by-uuid/xxxxxx......... (sda2_crypt)
Enter passphrase: 

If you type the passphrase correctly, the encrypted disk will be unlocked and the server will continue booting into the main OS environment.
Wait a moment and try to log in again, this time with the key provided for the srvuser account.

Works? Great. Welcome to your own dedicated server with an encrypted filesystem. To verify that everything works well, continue with some last setup steps.

Final Configuration Steps and Environment Tuning

The first one is to set up the Network Time Protocol system to keep the server's internal clock synchronized.

sudo apt-get install systemd-services
sudo apt-get install ntp
sudo service ntp restart

To verify that everything works well, use this command and check whether the time is NTP synchronized:

$ timedatectl
      Local time: Tue 2016-01-26 14:54:01 CET
  Universal time: Tue 2016-01-26 13:54:01 UTC
        Timezone: Europe/Prague (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 ..............

Are the time and date correct? Great!

Finally we have to solve the problem with the non-executable /tmp partition. Because the main OS is configured to use /tmp as a non-executable partition by default, we can have problems running some scripts when the main OS is up and running. Typical examples of problematic commands are:

  • update-initramfs -u
  • apt-get

Here is the solution.
For the Initramfs I have created a script that performs the update correctly:

#!/bin/sh
mount -o remount,exec /tmp
update-initramfs -u
mount -o remount,rw,noexec,nosuid,nodev /tmp

For the package manager and its apt-get command we can use the support included directly in the package manager configuration:

# vim /etc/apt/apt.conf

Add these two lines at the end of the file:

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

This is the final step in this how-to. I believe that you can reproduce all the steps easily and that you now have your own server ready to solve all your tasks. I’ll continue with some server hardening and then I can use it as OwnCloud storage. If you are interested, stay tuned. I’ll try to provide a similar article on OwnCloud configuration soon.

Finally, here is the promised list of sources and references used to create this post:

https://blog.tincho.org/posts/Setting_up_my_server:_re-installing_on_an_encripted_LVM/
https://www.linux.com/community/blogs/133-general-linux/830662-how-to-full-encrypt-your-system-with-lvm-on-luks-from-cli
https://fedoraproject.org/wiki/Disk_Encryption_User_Guide#Optional:_Fill_the_device_with_random_data
https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/

I would like to thank the authors of the mentioned posts, because they helped me a lot to get the server up and running.

Posted by:

Zdenek Polach
