
How to install AlmaLinux 10 with full disk encryption

Author: Nils
Published: 2026-02-01
Time to read: 8 minutes

Introduction

The installimage script in the Hetzner Rescue System provides an easy way to install various Linux distributions. This tutorial is based on the Guide for Ubuntu.

This tutorial shows how to use installimage to install an encrypted AlmaLinux 10 system. It also explains how to add remote unlocking via SSH in initramfs stored in a separate /boot partition.

This tutorial will use the following example files:

File                  Description
/tmp/setup.conf       A configuration file that installs AlmaLinux 10 and sets up an encrypted root partition.
/tmp/post-install.sh  A Bash script that is run on the system right after the installation process has completed. It sets up dracut-sshd, so that you can connect to the server during boot to unlock the encrypted root partition.

Prerequisites

  • Hetzner account
  • Server booted into the Rescue System
  • RSA, ECDSA or ED25519 SSH public key
  • No private networks attached on Hetzner Cloud

Note: This guide is explicitly written for AlmaLinux 10 only. It might not work on other distributions.

Step 1 - Create or copy SSH public key

You will need an SSH key to remotely unlock the disk during boot. You will also use this key later to log in to the booted system.

If you don't have such an SSH key, you need to generate one now on your local system. We recommend the use of ED25519 or ECDSA keys.

For example, to generate an ED25519 SSH key, run:

ssh-keygen -t ed25519

You have to save the public key of your SSH key pair in /tmp/authorized_keys on the server. The server should already be in the rescue system. Either create the file directly on the server, or copy the public key from your local system using scp:

scp ~/.ssh/id_ed25519.pub root@<your-host>:/tmp/authorized_keys

Step 2 - Create or copy installimage config file

When you run the command installimage on a server in the rescue system without any option, it starts in interactive mode. You would have to select a distribution image. After that, it would open an editor. When you exit the editor, it would start the installation process and the corresponding configuration would be saved as /installimage.conf in the installed system.

When you run the command installimage on a server in the rescue system with certain options, it starts in automatic mode, meaning it runs the installation without interactive prompts. The following explains how to create a custom configuration file and pass it to the installimage command for use during the automatic installation process.

Create a new configuration file /tmp/setup.conf and add the following content:

Note: Replace secret with a secure password and adjust drive names and partitioning as needed.

CRYPTPASSWORD secret
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Alma-1001-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Note: It should also work with RockyLinux 10 (Rocky-1001-amd64-base.tar.gz) and CentOS Stream 10 (CentOS-1000-stream-amd64-base.tar.gz) — but without guarantee.

This configuration will install AlmaLinux on a single encrypted drive (/dev/sda) with a separate unencrypted /boot, which is required for remote unlocking.

Example for two drives (RAID1)

Partitions   Mount Point   RAID Device   RAID Level
sda1 sdb1    /boot/efi     md0           1
sda2 sdb2    /boot         md1           1
sda3 sdb3    /             md2           1

CRYPTPASSWORD secret
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Alma-1001-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Example for four drives (RAID10)

Partitions            Mount Point   RAID Device   RAID Level
sda1 sdb1 sdc1 sdd1   /boot/efi     md0           1
sda2 sdb2 sdc2 sdd2   /boot         md1           1
sda3 sdb3 sdc3 sdd3   /             md2           10

CRYPTPASSWORD secret
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
DRIVE3 /dev/sdc
DRIVE4 /dev/sdd
SWRAID 1
SWRAIDLEVEL 10
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Alma-1001-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Example for Volume Group (VG)

CRYPTPASSWORD secret
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART lvm vg0 all crypt
LV vg0 root / ext4 50G
LV vg0 home /home ext4 1500G
IMAGE /root/images/Alma-1001-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Step 3 - Create or copy post-install script

In order to remotely unlock the encrypted partition, we need to install an SSH server and add it to the initramfs, which is stored on the unencrypted /boot partition.

In order to run these additional steps, we need a post-install script for installimage.

Create a file /tmp/post-install.sh in the rescue system with the following content:

#!/bin/bash

# Write a static network configuration for the initramfs, so that the
# dracut-sshd server is reachable before the root filesystem is unlocked.
add_initramfs_network() {
  # First non-loopback interface that is up, as a JSON object
  mainif="$(ip --json address show up | jq -r 'del(.[] | select(.ifname == "lo")) | .[0]')"
  ip="$(printf '%s' "$mainif" | jq -r '.addr_info[0].local')"   # main IPv4 address
  gw="$(ip --json route show default | jq -r '.[0].gateway')"   # default gateway
  # Interface name as the installed system will see it (predictable naming is
  # exposed as an altname in the rescue system); fall back to the current name
  nn="$(printf '%s' "$mainif" | jq -r '.altnames[0] // .ifname')"

  # ip=<client>::<gateway>:<netmask>::<interface>:<autoconf>:<dns1>:<dns2>:<dns3>
  # The /32 netmask matches Hetzner's point-to-point setup; the DNS servers are
  # Hetzner's resolvers.
  printf 'kernel_cmdline="rd.neednet=1 ip=%s::%s:255.255.255.255::%s:none:185.12.64.1:185.12.64.2:213.239.239.164"\nadd_dracutmodules+=" network "\n' \
    "$ip" "$gw" "$nn" > /etc/dracut.conf.d/90-network.conf
}

# Refresh package metadata and install the required packages
dnf check-update >/dev/null
dnf -y install epel-release # install EPEL repo (provides dracut-sshd)
dnf -y install jq dracut-network dracut-sshd

# Add static network config into initramfs
add_initramfs_network

# Let the initramfs sshd listen on port 2222, so it is clearly distinguishable
# from the installed system's sshd on port 22
echo "Port 2222" >> /usr/lib/dracut/modules.d/46sshd/sshd_config

# Rebuild the initramfs with the network and sshd modules included
dracut -f -v

Important: Make the post-install script executable:

chmod +x /tmp/post-install.sh
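As an added check that is not part of the tutorial's script, the following builds the same kernel_cmdline line as add_initramfs_network() but rejects the "null" that jq prints for a missing field, which would otherwise be written verbatim into 90-network.conf and leave the initramfs without a usable network. The address 203.0.113.10, gateway 203.0.113.1 and interface name enp0s31f6 used below are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the kernel_cmdline
# line that add_initramfs_network() writes, refusing the "null" that jq returns
# for a missing field. Written verbatim, "ip=null::null:..." produces an
# initramfs with no network, so the unlock prompt is never reachable.

# Hetzner resolvers, as used in the tutorial's ip= parameter
DNS1=185.12.64.1
DNS2=185.12.64.2
DNS3=213.239.239.164

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# build_network_cmdline IP GATEWAY IFNAME
# Prints the kernel_cmdline= line for /etc/dracut.conf.d/90-network.conf, or
# prints nothing and returns 1 when a field is empty, "null" or malformed.
build_network_cmdline() {
  is_ipv4 "$1" || { echo "bad client IP: '$1'" >&2; return 1; }
  is_ipv4 "$2" || { echo "bad gateway: '$2'" >&2; return 1; }
  case "$3" in
    ''|null) echo "bad interface name: '$3'" >&2; return 1 ;;
  esac
  # ip=<client>::<gateway>:<netmask>::<interface>:<autoconf>:<dns1>:<dns2>:<dns3>
  printf 'kernel_cmdline="rd.neednet=1 ip=%s::%s:255.255.255.255::%s:none:%s:%s:%s"\n' \
    "$1" "$2" "$3" "$DNS1" "$DNS2" "$DNS3"
}

# ip_field LINE N -> the N-th colon-separated field of the ip= parameter in
# LINE (1=client IP, 3=gateway, 4=netmask, 6=interface, 7=autoconf, 8..=DNS)
ip_field() {
  param="${1#*ip=}"
  param="${param%%\"*}"
  printf '%s\n' "$param" | cut -d: -f"$2"
}
```

Running it against the values your rescue system reports before dracut -f shows immediately whether every field of the ip= parameter is populated.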

Step 4 - Start installation

Before starting the installation, check the content of the following files again:

File                  Check
/tmp/authorized_keys  Contains your public SSH key
/tmp/setup.conf       Contains the installimage config
/tmp/post-install.sh  Is executable and contains the post-install script
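The checks above can be scripted; the following pre-flight check is an added example, not part of the tutorial, and takes the three file paths as arguments so it can be run in the rescue system before installimage. It additionally refuses to pass while CRYPTPASSWORD is still the placeholder "secret", since that passphrase is all that protects the disk once the server is live.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight check of the
# three files installimage consumes in Step 4. Returns 0 only if every check
# passes; each failed check is reported on stderr.

# check_install_files KEYFILE CONFIG SCRIPT -> 0 if all checks pass, 1 otherwise
check_install_files() {
  keys="$1" conf="$2" script="$3" rc=0

  # authorized_keys: at least one key of a type the tutorial allows
  if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) ' "$keys" 2>/dev/null; then
    echo "FAIL: $keys has no RSA/ECDSA/ED25519 public key" >&2; rc=1
  fi

  # setup.conf: required keywords present, root (or LVM) partition flagged
  # crypt, a separate /boot for the unlock initramfs, placeholder replaced
  for kw in CRYPTPASSWORD DRIVE1 BOOTLOADER IMAGE SSHKEYS_URL; do
    grep -q "^$kw " "$conf" 2>/dev/null || { echo "FAIL: $conf lacks $kw" >&2; rc=1; }
  done
  if grep -Eq '^CRYPTPASSWORD[[:space:]]+secret[[:space:]]*$' "$conf" 2>/dev/null; then
    echo "FAIL: $conf still uses the placeholder passphrase 'secret'" >&2; rc=1
  fi
  if ! grep -Eq '^PART[[:space:]]+(/|lvm)[[:space:]].*[[:space:]]crypt([[:space:]]|$)' "$conf" 2>/dev/null; then
    echo "FAIL: $conf has no 'crypt' flag on the root or LVM partition" >&2; rc=1
  fi
  if ! grep -Eq '^PART[[:space:]]+/boot[[:space:]]' "$conf" 2>/dev/null; then
    echo "FAIL: $conf has no separate /boot partition" >&2; rc=1
  fi

  # post-install.sh: executable and starting with the bash shebang
  [ -x "$script" ] || { echo "FAIL: $script is not executable" >&2; rc=1; }
  [ "$(head -n 1 "$script" 2>/dev/null)" = '#!/bin/bash' ] || {
    echo "FAIL: $script does not start with #!/bin/bash" >&2; rc=1; }
  return $rc
}
```

Usage in the rescue system: check_install_files /tmp/authorized_keys /tmp/setup.conf /tmp/post-install.sh && echo "ready for installimage".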

Now you are ready to start the installation with the following command:

installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh

Wait until the installation completes and check the debug.txt for any errors.

Step 5 - Boot installed system

After the installation has finished and any errors are resolved, you can run reboot to restart the server and boot the newly installed system. You can watch the boot process if you have a KVM attached or via the VNC console in Hetzner Console.

After some time, the server should respond to ping. Logging in on the default SSH port 22 should fail because the disk is still encrypted. Log in via port 2222 and run systemd-tty-ask-password-agent to unlock the encrypted partition(s). When you connect to the server, make sure you use the private SSH key corresponding to the public key stored in /tmp/authorized_keys.

ssh -p 2222 root@<your-host>

Example:

$ ssh -p 2222 root@<your-host>

Welcome to the early boot SSH environment. You may type

    systemd-tty-ask-password-agent

(or press "arrow up") to unlock your disks.

This shell will terminate automatically a few seconds after the
unlocking process has succeeded and when the boot proceeds.

initramfs-ssh:/root# systemd-tty-ask-password-agent
🔐 Please enter passphrase for disk SAMSUNG MZVL2512HCJQ-00B00 (luks-7dfda334-4593-40af-b54e-29b9890abaf7): (press TAB for no echo)

Enter the password that you previously set in /tmp/setup.conf for CRYPTPASSWORD. If the password is correct, the boot will continue and you will automatically be disconnected from the temporary SSH session.

After a few seconds, you can connect to the server via the default SSH port 22:

ssh -p 22 root@<your-host>
License: MIT