Install an Encrypted Ubuntu 20.04 with Automated Unlocking via Clevis and Tang in the Hetzner Cloud 

Install Encrypted Ubuntu in Hetzner Cloud
This tutorial focuses on how to use installimage to install an encrypted Ubuntu 20.04 system and add fully automated remote unlocking via clevis and tang. 


Hetzner Cloud is a well-known Internet hosting company and data center operator from Gunzenhausen, Germany. Hetzner Cloud provides best-in-class performance with the help of Intel® Xeon® Gold processor, AMD EPYC second Generation, and speedy NVMe SSDs. Hetzner Cloud also offers services that are good to go in seconds with incredible performance. 

In this tutorial, we are going to learn how to use the installimage script to install an encrypted Ubuntu 20.04 server and add fully automated remote unlocking via clevis in initramfs stored in a separate /boot partition. The installimage script in the Rescue System offers an easy way to install various Linux distributions in Hetzner Cloud.



  • An Hetzner Cloud account.
  • Server with Ubuntu 20.04 installed.
  • No private networks attached to the Hetzner Cloud.
  • Server booted into the Rescue System.


Step 1: Configure the tang server. 

At first, we will install Tang and José (the c implementation of the JavaScript Object Signing and Encryption standards used by Tang) on the Server where Ubuntu 20.04 is installed.


user@tang-server:~$ apt update 
user@tang-server:~$ apt install tang jose
user@tang-server:~$ systemctl enable tangd.socket
user@tang-server:~$ systemctl start tangd.socket


Then, execute the below command to check if everything is installed correctly and to determine the signing key’s fingerprint.


user@tang-server:~$ tang-show-keys 


Step 2: (Optional) Create or Copy SSH Public Key to the clevis-server 

To log into the server remotely using an SSH Key, users need to deposit the SSH Key before the installation. If the user does not have such a key, they need to generate one.

For example, to generate an ed25519 SSH key, execute the following command:


user@client:~$ ssh-keygen -t ed25519


After generating the SSK key, execute the following command to copy the public key to the rescue system.


user@client:~$ scp ~/.ssh/


If the user has started the Rescue System with an existing SSH Key, copy the public key for the installation by executing the following command: 


root@rescue ~ # cp ~/.ssh/authorized_keys /tmp/authorized_keys


Step 3: Create or Copy the installimage Script Configuration File 

When the installimage script is called without any options, it starts in interactive mode and will open an editor after selecting a distribution image. After exiting the text editor, the installation will proceed, and the corresponding configuration is saved as the /installimage.conf file in the installed system. We will pass such a configuration file to install directly, as shown below in this tutorial.


First, create a file /tmp/setup.conf with the following lines or copy it to the server in the Rescue System.


>> Note: Replace the <secret> parameter below with a secure password and adjust drive names and partitioning as needed.


DRIVE1 /dev/sda
PART /boot ext4 1G
PART /     ext4 all crypt
IMAGE /root/images/Ubuntu-2004-focal-64-minimal.tar.gz


If an SSH Key has been configured in the above step, add the following line to the /tmp/setup.conf file.


SSHKEYS_URL /tmp/authorized_keys


Step 4: Create or Copy the post-install Script 

Users need to install and add clevis to the initramfs stored on the unencrypted /boot partition to automatically unlock the encrypted partition via the tang server in Hetzner Cloud. This process will also trigger the inclusion of dhclient to configure networking but without any extras. To enable support for Hetzner Cloud, users need to add a hook that includes support for RFC3442 routes.


To run these additional steps, users need to add a post-install script for installimage. For the same, follow the below process: 


First, create a /tmp/ file in the Rescue system with the following content.


>> Note: Replace the <secret> parameter below with the password that the user has chosen for the CRYPTPASSWORD value. Also, replace the <ip-tangserver> parameter in the below lines with the IP address of the user’s tang server.



add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook


        echo "\$PREREQ"

case \$1 in
        exit 0

if [ ! -x /sbin/dhclient ]; then
        exit 0

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook

# Install hook

# Update system
apt-get update >/dev/null

# Install clevis on the system and add clevis to the initramfs
apt-get -y install clevis clevis-luks clevis-initramfs cryptsetup-initramfs

# Get the key from the tang server and then bind the device to the tang server
curl -sfg http://<ip-tangserver>/adv -o /tmp/adv.jws
echo '<secret>' | clevis luks bind -d /dev/sda2 tang '{"url": "http://<ip-tangserver>" , "adv": "/tmp/adv.jws" }'

# Update the existing initramfs
update-initramfs -u


Next, make sure that the post-install script is executable by executing the following command: 


root@rescue ~ # chmod +x /tmp/


Step 5: Start the Installation 

Before starting the installation verify the content of the following files:

  • /tmp/setup.conf – installimage configuration file
  • /tmp/ – is executable and contains the post-install script
  • if SSH key is configured in Step 2 check /tmp/authorized_keys – user’s public SSH key


Now, we are ready to start the installation. In order to start the installation execute the following command:


root@rescue ~ # installimage -a -c /tmp/setup.conf -x /tmp/


Wait until the installation completes and check the debug.txt file for any errors.


Step 6: Boot the Installed System 

After the installation and resolving any errors, users can execute the following command to restart the Ubuntu server and boot the newly installed system. Users can watch the boot process if they have a KVM attached or via a remote console on a Hetzner Cloud instance.


root@rescue ~ # reboot



After installing, the clevis server should automatically decrypt the root filesystem in initramfs and afterward boot normally into the Operating System. This tutorial presents the steps to install an encrypted Ubuntu 20.04 with automated unlocking via clevis and tang in the Hetzner Cloud. Hope this tutorial was helpful, and do reach out to us if you have any query or suggestions.

Share this post

Services to Explore

Stay up to date!

Stay up to date with the Web Hosting, Cloud and Server Management Industry News and Tutorials!

We will send you only the relevant emails, and we respect your privacy. Please review our privacy policy for more info.

Managed Hetzner Cloud Services

Focus on your business, and let us take care of your Hetzner Cloud Infrastructure!
From what you are reading, it seems you are interested in Hetzner Cloud and related technologies. If you have a moment to spare, please take a look at our Managed Hetzner Cloud Services, which might interest you even more!
Managed Hetzner Cloud

Value-Added Services

We have services that can help you run a successful business. With us, you don't have to worry about these areas because our experts will take care of it for you.

ServerHealers uses cookies.