Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

How to install Ubuntu 22.04 with full disk encryption

profile picture
Author
Hetzner Online
Published
2024-04-10
Time to read
5 minutes reading time
Table of Contents

Introduction

The installimage script in the Hetzner Rescue System provides an easy way to install various Linux distributions.

This tutorial shows how to use installimage to install an encrypted Ubuntu 22.04 system and add remote unlocking via SSH (dropbear) in initramfs stored in a separate /boot partition.

Prerequisites

  • Hetzner account
  • Server booted into the Rescue System
  • RSA, ECDSA or ED25519 SSH public key
  • No private networks attached on Hetzner Cloud

Step 1 - Create or copy SSH public key

In order to remotely unlock the encrypted system, an SSH key is required. You will use this key later to login to the booted system. The dropbear SSH daemon included in Ubuntu 22.04 only supports RSA and ECDSA keys. If you do not have such a key, you need to generate one. We recommend the use of ED25519 or ECDSA keys.

For example to generate an ED25519 SSH key, run:

ssh-keygen -t ed25519

Copy the public key to the rescue system, e.g. using scp:

scp ~/.ssh/id_ed25519.pub root@<your-host>:/tmp/authorized_keys

Step 2 - Create or copy installimage config file

When installimage is called without any options, it starts in interactive mode and will open an editor after a distribution image has been selected. After exiting the editor, the installation will proceed and the corresponding configuration is saved as /installimage.conf in the installed system. In this tutorial we will pass such a configuration file to install directly.

Create a file /tmp/setup.conf with the following content or copy it to the server in the Rescue system.

Note: Replace secret with a secure password and adjust drive names and partitioning as needed.

CRYPTPASSWORD secret
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

This configuration will install Ubuntu on a single drive (/dev/sda) with a separate unencrypted /boot required for remote unlocking.

Example for two drives (RAID1) 
CRYPTPASSWORD secret
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

Step 3 - Create or copy post-install script

In order to remotely unlock the encrypted partition, we need to install and add the dropbear SSH server to the initramfs which is stored on the unencrypted /boot partition. This will also trigger the inclusion of dhclient to configure networking, but without any extras. To enable support for Hetzner Cloud, we need to add a hook which includes support for RFC3442 routes.

In order to run these additional steps, we need a post-install script for installimage

Create a file /tmp/post-install.sh in the rescue system with the following content:

#!/bin/bash

add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "\$PREREQ"
}

case \$1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/dhclient ]; then
        exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}

remove_unwanted_netplan_config() {
  cat << EOF > /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
#!/bin/sh

if [ -d "/run/netplan" ]; then
  interface=\$(ls /run/netplan/ | cut -d'.' -f1)

  if [ \${interface:+x} ]; then
    rm -f /run/netplan/"\${interface}".yaml
  fi
fi
EOF

  chmod +x /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
}

# Install rfc3442 hook
add_rfc3442_hook

# Adding an initramfs-tools script to remove /run/netplan/{interface}.yaml,
# because it is creating unwanted routes
remove_unwanted_netplan_config

# Update system
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

# Copy SSH keys for dropbear and change the port
cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/
sed -ie 's/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"/' /etc/dropbear/initramfs/dropbear.conf
dpkg-reconfigure dropbear-initramfs
update-initramfs -u

Important note: make the post-install script executable:

chmod +x /tmp/post-install.sh

Step 4 - Start installation

Before starting the installation, check the content of the following files again:

  • /tmp/authorized_keys - your public SSH key (RSA, ECDSA or ED25519)
  • /tmp/setup.conf - installimage config
  • /tmp/post-install.sh - is executable and contains the post-install script

Now you are ready to start the installation with the following command:

installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh

Wait until the installation completes and check the debug.txt for any errors.

Step 5 - Boot installed system

After the installation has finished and any errors are resolved, you can run reboot to restart the server and boot the newly installed system. You can watch the boot process if you have a KVM attached or via remote console on a Cloud instance.

After some time the server should respond to ping. Now login via SSH into dropbear and run cryptroot-unlock to unlock the encrypted partition(s).

  • With ED25519 or ECDSA key

    ssh -p 2222 root@<your-host>

  • With RSA key
    In case of RSA, we must explicitly specify that this key is accepted.

    ssh -o "PubkeyAcceptedKeyTypes +ssh-rsa" -p 2222 root@<your-host> -i ~/.ssh/id_rsa

Example:

$ ssh -o "PubkeyAcceptedKeyTypes +ssh-rsa" -p 2222 root@<your-host> -i ~/.ssh/id_rsa

BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cryptroot-unlock 
Please unlock disk luks-80e097ad-c0ab-47ce-9302-02dd316dc45c:

If the password is correct, the boot will continue and you will automatically be disconnected from the temporary SSH session.

After a few seconds you can login to your new system.

Note: This guide is explicitly written for Ubuntu 22.04 only. It might not work on other distributions.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue

Discover our

Dedicated Servers

Configure your dream server. Top performance with an excellent connection at an unbeatable price!

Configure now
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue