Remotely Encrypt a Debian Server

These notes may help you in the case where you need to install a server without ever having access to the console. In this case the OS is also pre-installed, either by an automated system or by the server provider.

The plan is to get a base server OS installed on a small partition, for example Debian Squeeze on less than 1GB (I used 666M and that works fine). From that system we can create our new encrypted partitions and move the system over there. Finally we'll set up an initramfs with busybox and SSH access, so that we can SSH to the server and decrypt the partition(s) we need to boot.

NOTE: This is tested on Debian Squeeze.

Install the server

A minimal partition layout should be as follows; edit this to suit your needs:

/dev/sda1 /boot 256M # this partition will be kept
/dev/sda2 / 1GB # used only to setup the main OS

No swap: we don't need another partition to recycle somehow, and later our swap will be encrypted of course. As for the root partition, you can make it smaller or bigger depending on how you want to re-use it (backup OS with backup website, or tools etc., or /tmp, etc.).

Note, in this example I will be using 2 hard drives configured using software RAID 1, so for me it looks like this:

/dev/md0 /boot 256M # this partition will be kept
/dev/md1 / 666M # used only to setup the main OS

Throughout this page I'll put in bold things that may differ, or things for which you can choose your own string.

Install software

We don't really need much, just busybox, cryptsetup and dropbear from Debian and then Early-SSH.

apt-get install busybox cryptsetup dropbear

Check for the latest version of Early-SSH; I used 0.2. Early-SSH will set up the whole business of getting dropbear to listen at boot.

wget dpkg -i early-ssh_0.2_all.deb



This had awkward effects like not working for me, so to avoid ball breakage edit /etc/default/cryptdisks:

CRYPTDISKS_ENABLE=No


We first need to fix a minor issue in /etc/initramfs-tools/hooks/early_ssh (if you are using /bin/dash for example). Edit /etc/initramfs-tools/hooks/early_ssh and change:

/bin/sh

to:

/bin/bash

Next we need to configure the network, and perhaps disable the timeout (that's up to you). Edit /etc/early-ssh/early-ssh.conf and use your server's IP config:

INTERFACE="eth0"
IP=""
PORT="22"
NETMASK=""
GATEWAY=""
TIMEOUT="" # in seconds (empty means disabled)
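Since there is no console to fall back on, it pays to check this file before the initramfs is rebuilt. The following pre-flight check is an added example, not part of Early-SSH or of the original page; it assumes the KEY="value" layout shown above and only validates the values, it does not check that the interface exists.

```shell
#!/bin/sh
# Pre-flight check for /etc/early-ssh/early-ssh.conf (added example, not part
# of Early-SSH). Run it before update-initramfs: with no console, a wrong or
# empty value here means the server comes back up with no reachable dropbear.

# Returns 0 if $1 is a dotted quad with every octet in the range 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads the KEY="value" lines of the config file given as $1 and prints one
# problem per line. Returns 0 only when nothing is wrong.
check_early_ssh_conf() {
    conf=$1
    rc=0
    # Prints the value assigned to key $1, without quotes or trailing comment.
    get() { sed -n "s/^$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$conf" | head -n 1; }
    iface=$(get INTERFACE); ip=$(get IP); port=$(get PORT)
    mask=$(get NETMASK); gw=$(get GATEWAY); timeout=$(get TIMEOUT)
    [ -n "$iface" ] || { echo "INTERFACE is empty"; rc=1; }
    for kv in "IP=$ip" "NETMASK=$mask" "GATEWAY=$gw"; do
        key=${kv%%=*}; val=${kv#*=}
        if [ -z "$val" ]; then
            echo "$key is empty"; rc=1
        elif ! is_ipv4 "$val"; then
            echo "$key is not a valid IPv4 address: $val"; rc=1
        fi
    done
    case $port in ''|*[!0-9]*) echo "PORT must be numeric: '$port'"; rc=1 ;; esac
    case $timeout in '') ;; *[!0-9]*) echo "TIMEOUT must be empty or a number of seconds"; rc=1 ;; esac
    return $rc
}

# Usage: check_early_ssh_conf /etc/early-ssh/early-ssh.conf && update-initramfs -u
```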

Update initramfs

Any time you change any of the above you will need to generate a new initramfs, easily done via:

update-initramfs -u

This will also be necessary after some of the changes below; we will redo this step.

Sometimes update-initramfs -u says "update-initramfs: /boot/initrd.img-2.6.32-5-686-bigmem has been altered", well it also says: "update-initramfs: Cannot update. Override with -t option", in those cases try:

update-initramfs -u -t

Testing the boot process

At this point the server should first boot into busybox and dropbear should be serving access; we should test this to be sure all is fine. Let's reboot:

reboot

Now when your server comes back up (let's assume it does :]) you should be able to log in via SSH using your root username and password, the same as on the main system, yes.

You should be logged into busybox; if you want you can look around, otherwise to continue simply execute:

finished

This will continue the boot process (and log you out). After a few seconds you can log back in, this time back to your Debian system.

Creating encrypted partitions

In this example I will use RAID 1 and LVM, if you only want to use one or the other, or even regular partitions then this should also work though you may need to simplify the following. In any case this won't be mega detailed as it's beyond the scope of this page.

Raid 1

Create 2 partitions of the same size, let's say sda3 and sdb3. Then assemble them as follows (you might need to reboot before the newly created partitions are usable):

mdadm --create --verbose /dev/md2 --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3

Of course mdadm.conf is likely to be empty, if so:

mdadm --examine --scan --config=partitions >> /etc/mdadm/mdadm.conf

Encrypt it!

Replace "md2" with whatever you chose to use as your target encrypted partition.

cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/md2

LVM it

You don't have to use LVM; you can just use sda3, sda5, etc. However, with LVM on top of a single encrypted device you will only need to manage one encrypted file system, and hence only one password to type, and so on.

Decrypt it first

Before manipulating our encrypted partition, we need to decrypt it, in my case I will decrypt the device as /dev/mapper/crypted-raid (pick whatever you want):

cryptsetup luksOpen /dev/md2 crypted-raid

Create the LVM device

First make /dev/mapper/crypted-raid an LVM physical volume, then create a volume group vga using it.

pvcreate /dev/mapper/crypted-raid
vgcreate vga /dev/mapper/crypted-raid

Create the partitions

Here is a sample simple config, because it's LVM you can change your mind later.

lvcreate -L5G -nroot vga
mkfs.ext3 /dev/vga/root
lvcreate -L20G -nhome vga
mkfs.ext3 /dev/vga/home
# Example for swap
lvcreate -L3G -nswap vga
mkswap /dev/vga/swap

Copying the OS

If your system is pure and simple and nothing else has been installed, no activity basically, then you can do this from here:

mkdir /mnt/NEW/
mount /dev/vga/root /mnt/NEW
mkdir /mnt/NEW/home
mount /dev/vga/home /mnt/NEW/home
cp -a /root/ /bin/ /etc/ /lib/ /opt/ /sbin/ /selinux/ /srv/ /tmp/ /usr/ /var/ /home/ /vmlinuz /initrd.img /mnt/NEW/
cd /mnt/NEW
mkdir boot dev media mnt proc sys

Don't umount it yet...

New fstab

Edit the NEW fstab in /mnt/NEW/etc/fstab:

Note: if you want to use UUIDs you can get them like this:

blkid /dev/vga/*

I'll use a bit of both here (for some reason I don't yet understand).

# old system
#/dev/md1 / ext3 defaults 0 0
/dev/vga/root / ext3 defaults 0 0
/dev/vga/home /home ext3 defaults 0 0
# swap
/dev/vga/swap swap swap defaults 0 0
UUID="8d990ccd-6f7c-498b-a729-527825cb7b78" swap swap defaults 0 0


Now let's edit /boot/grub/grub.cfg and replace the root with your LVM/encrypted root partition:

linux /vmlinuz-2.6.32-5-686-bigmem root=/dev/mapper/vga-root ro

update-initramfs -u

For the changes made to the raid configuration it helps to do this, else you'd have to reassemble the encrypted raid.

update-initramfs -u

Moment of truth

You can now reboot and you should be greeted by busybox shortly, as we've tested this I am guessing that's fine. We'll need to do a few things to make our filesystem available.

/sbin/mdadm -A --scan
/sbin/modprobe dm_mod
/sbin/cryptsetup luksOpen /dev/md2 crypted-raid
/sbin/lvm vgchange -a y

If everything went well we can continue the bootup. If you'd like to confirm, check that you have your LVM partitions ready:

ls /dev/vga

You should see your LVM partitions. Now we are good to go:

finished

In a few seconds you should be on your new and fully encrypted system.

Add a Busybox script

Instead of remembering those lines of things to type, we can easily add a script to busybox like this (remember to make sure it suits your setup).

Create a new file like /usr/share/initramfs-tools/scripts/prepare_my_stuff and put inside the lines we just typed in busybox's console:

#!/bin/sh
/sbin/mdadm -A --scan
/sbin/modprobe dm_mod
/sbin/cryptsetup luksOpen /dev/md2 crypted-raid
/sbin/lvm vgchange -a y
finished

Make it executable:

chmod +x /usr/share/initramfs-tools/scripts/prepare_my_stuff

and update initramfs (always this guy):

update-initramfs -u

Next time you log into your busybox all you need to do is type:

/scripts/prepare_my_stuff
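The script above calls "finished" unconditionally, so a mistyped passphrase or a RAID that has not assembled yet hands the boot over to a kernel that cannot find its root, with nobody left on the box to fix it. A more careful version, as an added example that is not from the page or from Early-SSH, checks each step and keeps the page's device names (/dev/md2, crypted-raid, vga-root); the DRY_RUN switch is an assumption added only so the sequence can be tested without the real devices, and --tries is cryptsetup's own option for capping passphrase attempts.

```shell
#!/bin/sh
# Added example (not from the page or Early-SSH): a more careful version of
# /usr/share/initramfs-tools/scripts/prepare_my_stuff. It only calls "finished"
# once the LVM root really exists, so a failed luksOpen or a typo leaves you in
# the busybox shell rather than continuing a boot that cannot find its root.
# Device names follow the page's setup; DRY_RUN is an assumption for testing.
MD_DEV=${MD_DEV:-/dev/md2}
CRYPT_NAME=${CRYPT_NAME:-crypted-raid}
ROOT_LV=${ROOT_LV:-/dev/mapper/vga-root}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

# Runs a command, or just prints it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Waits up to $2 seconds for the path $1 to appear; returns 1 on timeout.
wait_for() {
    n=0
    while [ ! -e "$1" ]; do
        [ "$n" -lt "$2" ] || return 1
        n=$((n + 1)); sleep 1
    done
}

# The page's unlock sequence, with a check after each step that can fail.
unlock_root() {
    run /sbin/mdadm -A --scan
    [ "$DRY_RUN" = 1 ] || wait_for "$MD_DEV" 10 || { echo "$MD_DEV did not appear"; return 1; }
    run /sbin/modprobe dm_mod
    # cryptsetup re-prompts on a wrong passphrase; cap the attempts so a bad
    # session cannot loop forever.
    run /sbin/cryptsetup --tries 3 luksOpen "$MD_DEV" "$CRYPT_NAME" || { echo "luksOpen failed"; return 1; }
    run /sbin/lvm vgchange -a y
    [ "$DRY_RUN" = 1 ] || wait_for "$ROOT_LV" 10 || { echo "$ROOT_LV missing, not continuing the boot"; return 1; }
    run finished
}

# Run the sequence when executed as the installed script; sourcing the file
# (e.g. for testing) only defines the functions.
if [ "${0##*/}" = prepare_my_stuff ]; then
    unlock_root || exit 1
fi
```

If any step fails the script returns 1 and you stay in the busybox shell, where the error message tells you which step to repeat by hand.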


These pages helped me out.




Using the mdadm --create command I encountered the error:

mdadm: super1.x cannot open /dev/sda3: No such file or directory
mdadm: ddf: Cannot open /dev/sda3: No such file or directory
mdadm: Cannot open /dev/sda3: No such file or directory
mdadm: device /dev/sda3 not suitable for any style of array

In order to resolve this, I first installed "parted" and executed "partprobe"; then it worked out.