First steps
This is intended as a supplement to the main custom ISO install guide:
Please refer to the main guide up until the disk partitioning section.
Please note that encrypted swap will perform slower than regular swap, if you are failing secnodetracker challenges with this setup, consider a different partition system and make room for a non-encrypted swap file or partition, or move to a tier with more physical RAM
Implementing Encryption for Root partition and Swap space
After you have proceeded with the installation via a custom ISO, configure the partitions as follows:
Firstly, create a 512 MB boot partition -- this will NOT be encrypted. It will serve to mount the encrypted root partition at boot time.
Make it a Primary partition, at the beginning of the disk.
Change the Mount point
Select /boot
Make the filesystem EXT2, EXT3 or EXT4
as the disk is small, for faster disk performance in many cases choose EXT2 (no journal), for better recovery after crashes choose EXT3 or EXT4 (journal)
Select noatime as a Mount option
Reduce the Reserved blocks to 0%
Done setting up the partition
Select the remaining FREE SPACE
Select Use as:
Select physical volume for encryption
Various options for encryption will now appear. Start by selecting the Encryption type:
Various types of encryption ciphers are available. Each type has its own theoretical & practical strengths & weaknesses.
For this demo we will select Serpent
please refer to books and information you can find online regarding the differences in these encryption ciphers.
Next, select the IV Algorithm -- again, there are multiple choices each with their own theoretical & practical strengths & weaknesses.
For this demo we will select cbc-essiv:sha256
Change Erase data to no
Done setting up the partition
Now select Configure encrypted volumes
Yes, write the changes to disk
Select Finish here -- we have already made the partition for encryption.
You will now be prompted to enter a passphrase for the encrypted volume.
Make the passphrase strong! At least 20 characters including letters and symbols!
You may use mnemonics to form and remember a complex password, or if you want to risk it you can write it down somewhere or store it in a password manager.
MAKE SURE THE VNC VIEWER IS USING ENCRYPTION (HTTPS://) IF IT IS NOT, ABORT THE INSTALLATION AT THIS POINT AND CHANGE VPS PROVIDER TO ONE WHICH SUPPORTS ENCRYPTED VNC
Continue, you will be prompted to enter the passphrase again.
Next, you should see a new Encrypted volume with 1 partition underneath it. Select the partition.
Select the Mount point
Mount it as the root fs
Configure the rest of the partition.
Select noatime as a mount option for optimal disk performance.
As before, select Ext2, Ext3, or Ext4 as the fs type depending on preference.
Set Reserved blocks to 0% or 1% so we can use the whole disk, as it is not a large disk.
Note: If the disk fills up, a 0% option may cause inoperability, be sure to monitor and administer the server -- some log files may grow large for example
Done setting up the partition
Finish partitioning and write the changes to disk
You will be warned there is no Swap partition. We will be creating it as a file within the encrypted root.
Select no
Select yes
The installation should now proceed as usual, please follow the rest of the main guide up until the end of the installation!
After the installation has finished, make sure the ISO is removed from the VPS and reboot.
After rebooting, open the VNC console again.
Depending on VPS and VNC type, the boot messages may appear overwritten, pay attention for the line Please unlock disk ..._crypt: (you may even have to enter it blind!)
Click into the window, enter your encryption passphrase and press enter. The system should boot into the login screen.
From here you can login via VNC (or login via SSH if you installed it as an option).
Setting up the Encrypted Swap file
Login as root. If you are logging in as a normal user via SSH, invoke su to become root.
Enter the following commands:
fallocate -l 7G /swap
chmod 0600 /swap
mkswap /swap
swapon /swap
This will create and activate a 7GB swap file at the location /swap, within the encrypted volume.
You now have a fully encrypted root system with encrypted swap! You will only ever need to enter the encryption passphrase when booting the VPS up from a powerdown or restart.
If this guide has helped you, consider a donation:
ZEN: znSTMxvU3AizLV9cAm4iNPT5uLoJ2wbfHy9
Private ZEN: zcK5A39UwgaufiyUVtVqTXMFQXxxCUCvicvuMxcCE9QrgBMAGW5yCQW9a5zRqwZbYBTCMhTZgyhKH3TMMHq4xwLADQvqrM3
BTC: 1EwGXrmGdiD6Xd8uPnmRufyoWowJ7qpkJ1