
Encrypt Cloud Servers using LUKS Crypt on Debian/Ubuntu

In a previous post, we discussed encrypting hard drives using LUKS. In this post, let's look at encrypting cloud servers using LUKS.

This works the same way as a fresh installation of a Debian distro on your PC. In this guide, we'll use third-party service providers like Vultr and Linode to discuss the possibilities.

[Image: LUKS encryption on cloud servers]


A. Installing Debian 10.3 Buster With LUKS Crypt on Vultr

Most cloud service providers allow booting the machine from custom ISOs. On Vultr, it is as simple as clicking a few buttons.

The following steps set up Debian Buster with full disk encryption.

1. "Deploy" a new server/"compute" with a suitable configuration and Debian as the ISO.

2. Once the server is launched, visit "Settings", click "Custom ISO", select Debian 10.3 and click attach. It should appear as shown in the image below.

[Image: Custom ISO]

3. Reboot the server, and click the "View Console" icon at the top right to open browser console access.

4. The welcome screen of the Debian installer should appear. Proceed with "Graphical Install".

5. On the next page, enter the hostname for the system. This could be an FQDN (like example.com) or anything else.

6. On the next page, leave networking as it is.

7. Set up the root password on the next page.

8. Create a limited user account, and enter a username and password for it. We'll later log in using this account to enable root access.

9. On the next page, choose "Guided - use entire disk and set up encrypted LVM" as shown below.

[Image: encrypted LVM]

10. Select the disk to partition and click continue.

11. For partitioning, choose "All files in one partition" or another scheme as required. A single partition is recommended for new users.

12. Select 'yes' to "write changes to the disk and configure lvm" and it should start erasing the disk. This process takes considerable time depending on your server capacity.

13. Enter the encryption passphrase for the LUKS partition. This passphrase will be used to decrypt the disk every time the server reboots.

14. Select the default full disk space in the next step and click continue.

15. Confirm the selection in the next step by selecting "Finish partitioning" and click continue as shown below.

[Image: partitioning]

16. On the next page, select 'yes' to write changes to the disk, and it will start installing the system.

17. On the next prompt, 'scan another cd', choose 'no' since we don't require that.

18. Use the default archive mirror in the package manager and click continue.

19. Leave the HTTP proxy blank and click continue, and it should start installing the software.

20. On the next page, choose the software required. For a web server, only "SSH server" and "Standard .. utilities" are required. If you need GUI access, check "Debian desktop ..".

[Image: Debian desktop]

21. In the next step, select 'yes' to install the GRUB boot loader, and it will start installing GRUB and the initramfs.

22. In the next step, select /dev/vda as the device to install GRUB on and click continue to finish the installation.

[Image: finish installation]

23. Once the installation is complete, close this noVNC window, remove the custom ISO from the Vultr control panel, and reboot the server.

24. Open the noVNC console again like before, and enter the "encryption passphrase" to unlock the disk. This will boot the system and ask for a login.

25. Log in using the limited user account and password to enable root SSH access.

25.1 Switch to root by entering the following command and then the password set in step 7.

`su -`

25.2 Open the SSH daemon config

`nano /etc/ssh/sshd_config`

25.3 Add the following lines to allow SSH login as the root user

```
PermitRootLogin yes

PasswordAuthentication yes
```

26. Now you can log in from your terminal to access the server using root credentials.


IMPORTANT!

  • Allowing root SSH access with clear-text passwords is not secure. In our previous post, we discussed key-based SSH authentication.
  • To change the root/user password, use the `passwd` command. Use `su -` to switch to root and `su exampleuser` to switch to the limited user.
  • Installing fail2ban as mentioned in our previous post is another good security measure.
  • Change the LUKS password following our previous post on LUKS crypt.
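
To check whether a server is still running with the two settings from step 25.3, the following added example (not part of the original guide) reports the values sshd would apply globally. The function names are hypothetical, the defaults assume OpenSSH 7.0 or later, and `Include` files are not followed.

```shell
#!/bin/sh
# Added example: report weak global SSH settings in an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and global settings end at the first "Match" line.
# Assumptions: OpenSSH 7.0+ defaults; "Include" files are not followed.

# effective_value FILE KEYWORD DEFAULT -> value sshd would apply globally
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)           # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit                  # conditional blocks: out of scope
            if (k == key && n >= 2) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints findings; exit status = number of weak settings
audit_sshd() {
    weak=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$root" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root can log in with a password)"
        weak=$((weak + 1))
    fi
    if [ "$pass" = "yes" ]; then
        echo "WEAK: PasswordAuthentication yes (switch to key-based logins)"
        weak=$((weak + 1))
    fi
    [ "$weak" -gt 0 ] || echo "OK: PermitRootLogin=$root PasswordAuthentication=$pass"
    return "$weak"
}

# Constructed sample: the lines from step 25.3 plus a later override that
# sshd ignores because the first PasswordAuthentication value wins.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$sample"
audit_sshd "${1:-$sample}" || true
rm -f "$sample"
```

Pass `/etc/ssh/sshd_config` as the first argument to audit the live file. The sample shows why appending `PasswordAuthentication no` below an existing `yes` line does not turn password logins off.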



B. Installing Debian 10 Buster With LUKS Crypt on Linode

Installing on Linode or any other cloud service provider can be attempted using the first method. However, Linode has its own guide for LUKS on Debian.

Visit the following archived link to install Debian 8 on a Linode server: http://web.archive.org/web/20190906123530/https://www.linode.com/docs/security/encryption/use-luks-for-full-disk-encryption/

Once installed, the network has to be configured manually for Linode. Enter the following commands in Linode's browser-based Glish console after logging into your server.

To check for available interfaces and routes:

`ip a`

`ip r`

Update the networking and resolver configuration (get the IP address and gateway from the Linode dashboard):

`nano /etc/network/interfaces`

A sample interfaces configuration is shown below.

```
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp0s3
allow-hotplug enp0s3

iface enp0s3 inet6 auto

iface enp0s3 inet static
address 172.104.229.106/24
gateway 172.104.229.1
```

Update the resolver config file:

`nano /etc/resolv.conf`

A sample resolv.conf is shown below. Update as required.

```
search members.linode.com
domain members.linode.com

nameserver 139.162.130.5
nameserver 139.162.137.5
nameserver 139.162.138.5
nameserver 139.162.139.5

options rotate
```


Apply the configuration and restart networking:

`ifdown -a && ifup -a`

`systemctl restart networking.service`


Check the LUKS setup status:

`ls /dev/mapper/`

`cryptsetup status /dev/mapper/sda5_crypt`
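
A mapping appearing in `/dev/mapper/` only shows that it exists. The following added example (not from the original guide or from Linode's) parses the `cryptsetup status` output to confirm the mapping is an active LUKS volume, and checks `lsblk` output to confirm a filesystem is actually layered on dm-crypt. The function names, the sample output and the volume name `debian--vg-root` are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a mapping listed in /dev/mapper is an active
# LUKS volume and that a filesystem really sits on top of it.

# check_luks_status: reads `cryptsetup status NAME` output on stdin.
# Succeeds only for an active mapping of type LUKS1 or LUKS2.
check_luks_status() {
    awk '
        NR == 1 && / is active/ { active = 1 }
        $1 == "type:"    { type = $2 }
        $1 == "cipher:"  { cipher = $2 }
        $1 == "keysize:" { bits = $2 }
        $1 == "device:"  { dev = $2 }
        END {
            if (!active) { print "FAIL: mapping is not active"; exit 1 }
            if (type !~ /^LUKS[12]$/) { print "FAIL: type " type " is not LUKS"; exit 1 }
            print "OK: " dev " " type " " cipher " " bits "-bit key"
        }'
}

# has_crypt_layer: reads `lsblk -rsno NAME,TYPE DEVICE` output on stdin and
# succeeds if any block device underneath DEVICE is a dm-crypt mapping.
has_crypt_layer() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Constructed sample output for the sda5_crypt mapping checked above.
sample_status() {
    cat <<'EOF'
/dev/mapper/sda5_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sda5
  mode:    read/write
EOF
}
# Constructed lsblk output; the LVM volume name is hypothetical.
sample_lsblk() {
    printf '%s\n' 'debian--vg-root lvm' 'sda5_crypt crypt' 'sda5 part' 'sda disk'
}

sample_status | check_luks_status
sample_lsblk | has_crypt_layer && echo "OK: root filesystem is backed by dm-crypt"

# On the server itself (as root):
#   cryptsetup status sda5_crypt | check_luks_status
#   lsblk -rsno NAME,TYPE "$(findmnt -no SOURCE /)" | has_crypt_layer
```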


Follow our previous guide to Upgrade to Debian 10 Buster.
