Hetzner Cloud is a well-known Internet hosting company and data center operator from Gunzenhausen, Germany. Hetzner Cloud provides best-in-class performance with Intel® Xeon® Gold processors, second-generation AMD EPYC processors, and fast NVMe SSDs. Hetzner Cloud also offers services that are ready to use in seconds.
In this tutorial, we are going to learn how to use the installimage script to install an encrypted Ubuntu 20.04 server and add fully automated remote unlocking via clevis from an initramfs stored on a separate, unencrypted /boot partition. The installimage script in the Rescue System offers an easy way to install various Linux distributions in Hetzner Cloud.
Prerequisites
- A Hetzner Cloud account.
- A server with Ubuntu 20.04 installed (this will become the tang server).
- No private networks attached to the Hetzner Cloud server.
- The server to be installed booted into the Rescue System.
Step 1: Configure the tang server.
First, we will install Tang and José (the C implementation of the JavaScript Object Signing and Encryption standards used by Tang) on the server where Ubuntu 20.04 is installed.
user@tang-server:~$ apt update
user@tang-server:~$ apt install tang jose
user@tang-server:~$ systemctl enable tangd.socket
user@tang-server:~$ systemctl start tangd.socket
Then, execute the command below to check that everything is installed correctly and to determine the signing key's fingerprint. Keep this value: it is the only thing that lets you verify later that you are talking to your own tang server.
user@tang-server:~$ tang-show-keys
3ZWS6-cDrCG61UPJS2BMmPU4I54
Step 2: (Optional) Create or Copy SSH Public Key to the clevis-server
To log into the server remotely using an SSH Key, users need to deposit the SSH Key before the installation. If the user does not have such a key, they need to generate one.
For example, to generate an ed25519 SSH key, execute the following command:
user@client:~$ ssh-keygen -t ed25519
After generating the SSH key, execute the following command to copy the public key to the Rescue System.
user@client:~$ scp ~/.ssh/id_ed25519.pub root@<clevis-server>:/tmp/authorized_keys
If the user has started the Rescue System with an existing SSH Key, copy the public key for the installation by executing the following command:
root@rescue ~ # cp ~/.ssh/authorized_keys /tmp/authorized_keys
Step 3: Create or Copy the installimage Script Configuration File
When the installimage script is called without any options, it starts in interactive mode and will open an editor after selecting a distribution image. After exiting the text editor, the installation will proceed, and the corresponding configuration is saved as the /installimage.conf file in the installed system. We will pass such a configuration file to install directly, as shown below in this tutorial.
First, create a file /tmp/setup.conf with the following lines or copy it to the server in the Rescue System.
>> Note: Replace the <secret> parameter below with a secure password and adjust drive names and partitioning as needed.
CRYPTPASSWORD <secret>
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot ext4 1G
PART / ext4 all crypt
IMAGE /root/images/Ubuntu-2004-focal-64-minimal.tar.gz
If an SSH Key has been configured in the above step, add the following line to the /tmp/setup.conf file.
SSHKEYS_URL /tmp/authorized_keys
Step 4: Create or Copy the post-install Script
To automatically unlock the encrypted partition via the tang server in Hetzner Cloud, clevis must be installed and added to the initramfs stored on the unencrypted /boot partition. This also pulls dhclient into the initramfs to configure networking, but without any extras. To make networking work in Hetzner Cloud, a hook that adds support for RFC 3442 classless static routes is needed as well.
To run these additional steps, add a post-install script for installimage. To do so, follow the steps below:
First, create a /tmp/post-install.sh file in the Rescue system with the following content.
>> Note: Replace the <secret> parameter below with the password that the user has chosen for the CRYPTPASSWORD value. Also, replace the <ip-tangserver> parameter in the below lines with the IP address of the user’s tang server.
#!/bin/bash

add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs() {
  echo "\$PREREQ"
}

case \$1 in
  prereqs)
    prereqs
    exit 0
    ;;
esac

if [ ! -x /sbin/dhclient ]; then
  exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}

# Install hook
add_rfc3442_hook

# Update system
apt-get update >/dev/null

# Install clevis on the system and add clevis to the initramfs
apt-get -y install clevis clevis-luks clevis-initramfs cryptsetup-initramfs

# Get the key from the tang server and then bind the device to the tang server
curl -sfg http://<ip-tangserver>/adv -o /tmp/adv.jws
echo '<secret>' | clevis luks bind -d /dev/sda2 tang '{"url": "http://<ip-tangserver>" , "adv": "/tmp/adv.jws" }'

# Update the existing initramfs
update-initramfs -u
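The post-install script above downloads the advertisement over plain HTTP and passes it to clevis luks bind as the trusted "adv", so clevis never asks you to confirm which signing key you are binding to. The fingerprint printed by tang-show-keys in Step 1 is the out-of-band value that ties the downloaded advertisement to your own server. The following added example (not code from Hetzner, clevis or tang) shows how that comparison works: the advertisement is a JWS whose payload is a JWK set, and tang-show-keys prints the RFC 7638 thumbprint of every key carrying the "verify" key operation. A 27-character value like the one in Step 1 is a SHA-1 thumbprint; newer jose builds print 43-character SHA-256 thumbprints, and both are handled here. The sample advertisement, its key material and the placeholder signature fields are constructed for this example.

```python
"""Check a tang advertisement against the fingerprint recorded out of band.

Added example for this tutorial; not code from Hetzner, clevis or tang.
A tang advertisement (GET /adv) is a JWS whose payload is a JWK set.
tang-show-keys prints the RFC 7638 thumbprint of each key whose key_ops
contains "verify"; 27 characters means SHA-1, 43 characters means SHA-256.
"""
import base64
import hashlib
import json
import sys

# Members that enter the thumbprint hash, per RFC 7638 section 3.2.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url as used throughout JOSE."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographic order, no whitespace (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members},
                      separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict, digest: str = "sha1") -> str:
    """Thumbprint in the unpadded base64url form that tang-show-keys prints."""
    return b64url_encode(hashlib.new(digest, canonical_jwk(jwk).encode()).digest())


def verify_keys(adv_jws: str) -> list:
    """Keys in the advertisement payload that tang advertises for signing."""
    payload = json.loads(b64url_decode(json.loads(adv_jws)["payload"]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def advertisement_matches(adv_jws: str, expected_thp: str) -> bool:
    """True if a signing key in the advertisement has the expected thumbprint.

    The digest is chosen from the fingerprint length (27 = SHA-1, else SHA-256).
    """
    digest = "sha1" if len(expected_thp) == 27 else "sha256"
    return any(jwk_thumbprint(k, digest) == expected_thp for k in verify_keys(adv_jws))


# Constructed sample advertisement: key coordinates are made up and the
# signature fields are placeholders, because this check does not verify the JWS.
SAMPLE_VERIFY_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"],
                     "kty": "EC", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
SAMPLE_DERIVE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
                     "kty": "EC", "x": "b3RoZXIteA", "y": "b3RoZXIteQ"}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(
        json.dumps({"keys": [SAMPLE_VERIFY_KEY, SAMPLE_DERIVE_KEY]}).encode()),
    "protected": "placeholder",
    "signature": "placeholder",
})

if __name__ == "__main__":
    # Usage: python3 check_adv.py /tmp/adv.jws <fingerprint from tang-show-keys>
    with open(sys.argv[1]) as fh:
        ok = advertisement_matches(fh.read(), sys.argv[2])
    print("advertisement matches the recorded fingerprint" if ok
          else "FINGERPRINT MISMATCH: do not bind to this advertisement")
    sys.exit(0 if ok else 1)
```

Run it against /tmp/adv.jws before the clevis luks bind line, and abort the post-install script if it exits non-zero. This check only compares thumbprints; clevis itself verifies that the JWS is signed by the keys it carries, which proves the advertisement is internally consistent but not that it came from your server. The clevis tang configuration also accepts a "thp" field with a trusted fingerprint, which lets clevis do this pinning for you instead of trusting whatever file "adv" points at.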
Next, make sure that the post-install script is executable by executing the following command:
root@rescue ~ # chmod +x /tmp/post-install.sh
Step 5: Start the Installation
Before starting the installation, verify the content of the following files:
- /tmp/setup.conf – the installimage configuration file
- /tmp/post-install.sh – contains the post-install script and is executable
- /tmp/authorized_keys – the user's public SSH key (only if an SSH key was configured in Step 2)
Now, we are ready to start the installation. In order to start the installation execute the following command:
root@rescue ~ # installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh
Wait until the installation completes and check the debug.txt file written by installimage for any errors.
Step 6: Boot the Installed System
After the installation has finished and any errors have been resolved, execute the following command to restart the server and boot the newly installed system. You can watch the boot process if a KVM is attached or via the remote console of the Hetzner Cloud instance.
root@rescue ~ # reboot
Conclusion
After the reboot, clevis in the initramfs should automatically unlock the root filesystem using the key material from the tang server and then boot normally into the operating system. This tutorial presented the steps to install an encrypted Ubuntu 20.04 with automated unlocking via clevis and tang in the Hetzner Cloud. We hope this tutorial was helpful; do reach out to us if you have any questions or suggestions.