How to encrypt your cloud server and decrypt it remotely with Dropbear SSH
In this tutorial you are going to learn how to fully encrypt a KVM-based VPS. We highly recommend encrypting your cloud server if security is a top priority for you!
IMPORTANT: You cannot encrypt OpenVZ-based VPS servers due to virtualization limitations!
Boot up a custom CentOS ISO
For this tutorial you will need to boot the server from a custom ISO file; we are going to use a CentOS 7 ISO. We will enter the ISO URL and boot the server from it. Once the server has booted from the custom ISO, reboot it and then open the VNC console.
Installing and encrypting CentOS 7
Once you have opened the VNC console, you should see this:
Select Install CentOS 7 with the arrow keys and press Enter.
Choose a language and press Continue.
Next, click on the Installation destination. This is where you will enable the encryption and configure the partitions you will have on your server.
IMPORTANT: Make sure to select the Encrypt my data checkbox.
Next, press the Done button, located at the top of the installer. You will be prompted to enter the passphrase that will be used to encrypt your VPS data.
When you type your passphrase, press the Save Passphrase button.
You will then return to the main installation menu. Click on Network & Hostname in order to display your network interface.
Switch the toggle button from Off to On. The IP address will be provided from our DHCP server.
Now you can press the Begin installation button.
You will have to enter your root password. Enter it and press Continue.
Reboot the machine when the installation is completed. After this step, you will have a clean and encrypted CentOS 7 installation.
IMPORTANT: Do not forget to switch the boot order to 1) Hard Disk 2) CD Drive in the Virtualizor. Also, make sure to set Select ISO to None after the installation is completed.
IMPORTANT: Every time you reboot your machine, you will have to enter your server via VNC and type your passphrase in order to decrypt it. SSH will not work before you enter the passphrase. This inconvenience can be solved with dracut-crypt-ssh.
Installing Dracut-Crypt-SSH in order to decrypt your machine via SSH
This module allows you to decrypt your machine remotely via SSH. We suggest installing it because it removes the inconvenience of having to open the VNC console every time you reboot your VPS. It uses the Dropbear SSH server.
IMPORTANT: If you prefer entering the passphrase of your server via VNC every time, you can skip this step. It is only intended for those who don't want to use VNC every time they reboot their server!
First, install the dracut-crypt-ssh package using these commands:
yum -y install epel-release wget vim
wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
yum install dracut-crypt-ssh
Once you have installed dracut-crypt-ssh, we have to edit the GRUB defaults file. For this tutorial we will use the vim editor. Open the file:
vim /etc/default/grub
Enter Insert mode by pressing i and add rd.neednet=1 ip=dhcp to the end of the GRUB_CMDLINE_LINUX line. In our case the line looks like this:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.luks.uuid=luks-d0f3dff8-22c5-4aa3-a7a5-316f4ad3e56d rd.lvm.lv=centos/swap rhgb quiet rd.neednet=1 ip=dhcp"
Save the file by pressing Esc and typing :x.
Regenerate your GRUB config:
grub2-mkconfig --output /etc/grub2.cfg
Next we have to edit the Dropbear SSH server configuration and specify where the host keys and the authorized keys are stored. You will log in to your server (before it is decrypted) over SSH using key-based authentication, which is the only method supported here; password authentication is not available. Open the configuration by typing this command:
vim /etc/dracut.conf.d/crypt-ssh.conf
Enter Insert mode by pressing i and paste this content:
dropbear_ecdsa_key="/etc/dropbear/auth/ssh_ecdsa"
dropbear_rsa_key="/etc/dropbear/auth/ssh_rsa"
dropbear_acl="/root/.ssh/authorized_keys"
Save the file by pressing Esc and typing :x.
Now we have to create the folder /etc/dropbear/auth and generate the required keys.
Create the folder:
mkdir /etc/dropbear/auth
Now let's create the keys using these commands:
ssh-keygen -t ecdsa -f /etc/dropbear/auth/ssh_ecdsa
ssh-keygen -t rsa -f /etc/dropbear/auth/ssh_rsa
When you are prompted to enter a passphrase, just press Enter.
Now let's create your personal SSH key. Run this command:
cd /root && ssh-keygen -t rsa -b 4096
When you are prompted to enter a passphrase or file location, just press Enter.
Once you have generated your personal SSH key, we have to add its public half to /root/.ssh/authorized_keys, the file referenced by dropbear_acl above. We can do this by running this command:
touch /root/.ssh/authorized_keys && cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
Let's fix the keys file permissions by typing this command:
chmod 444 -R /etc/dropbear/auth/
Now we have to rebuild the server's initramfs so that it picks up the dracut-crypt-ssh configuration. Type this command in your terminal:
dracut -f
The dracut-crypt-ssh setup is now complete, but before you reboot, make sure you have copied your private key to your local machine. Your SSH private key is located in this file: /root/.ssh/id_rsa
You can copy it with SFTP or just copy-paste it from the server. You can see the content of the file using this command:
cat /root/.ssh/id_rsa
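If the rebuilt initramfs is missing the network parameters, a key file or the authorized_keys list, the next reboot will leave you back at the VNC passphrase prompt. The following pre-reboot checks are an added example, not part of the original tutorial or of the dracut-crypt-ssh project; they assume the file paths used above and that the lsinitrd listing of the image names the dropbear binary and the authorized_keys file.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): pre-reboot checks for a
# dracut-crypt-ssh setup. If any check fails, fix the cause and re-run
# "dracut -f" before rebooting. Each function takes the file to inspect as
# an argument, so the same checks can be run against test copies.

# Succeeds only if GRUB_CMDLINE_LINUX contains both rd.neednet=1 and ip=dhcp;
# without them the initramfs never brings up the network for Dropbear.
grub_has_netparams() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1")
    case " $cmdline " in *" rd.neednet=1 "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" ip=dhcp "*) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if every file named in crypt-ssh.conf exists and is non-empty
# (an empty authorized_keys file would leave you with no way to log in).
cryptssh_files_present() {
    for var in dropbear_ecdsa_key dropbear_rsa_key dropbear_acl; do
        path=$(sed -n "s/^${var}=\"\(.*\)\"$/\1/p" "$1")
        [ -n "$path" ] && [ -s "$path" ] || return 1
    done
    return 0
}

# Reads an "lsinitrd" listing on stdin and succeeds only if the image contains
# the dropbear binary and an authorized_keys file (assumption: the module keeps
# those names inside the image, so they show up in the listing).
initramfs_has_dropbear() {
    listing=$(cat) || return 1
    printf '%s\n' "$listing" | grep -q 'dropbear' || return 1
    printf '%s\n' "$listing" | grep -q 'authorized_keys'
}

# Usage on the server, as root, before typing "reboot":
#   grub_has_netparams /etc/default/grub || echo "GRUB: add rd.neednet=1 ip=dhcp"
#   cryptssh_files_present /etc/dracut.conf.d/crypt-ssh.conf || echo "missing key or ACL file"
#   lsinitrd /boot/initramfs-$(uname -r).img | initramfs_has_dropbear || echo "run dracut -f"
```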
Now you can reboot your server by typing this command:
reboot
Decrypting your server using PuTTY (Windows)
We will need PuTTYgen, which you can download from the official PuTTY website, to convert our SSH key into PuTTY's format.
You will need the private key that you downloaded earlier.
Open PuTTYgen and Load your private key.
If you do not see your file, once the file manager is opened, select All Files from the dropdown menu. Select your file and press Open.
PuTTYgen will notify you that your key was imported successfully. Press the Save private key button. You will be prompted for a passphrase; you can skip it and press Yes.
Now we have the key in the proper format for PuTTY.
At this point your server has rebooted but is not yet usable, because it needs the passphrase in order to decrypt the disk and boot the operating system. If you connect to your server it will look like this:
Open PuTTY. In the Host name (or IP address) field, enter this:
root@YOUR_SERVER_IP
In the Port field enter this: 222
The Dropbear SSH server is listening on port 222.
On the left menu click on SSH, then on Auth. Click the Browse button, select the newly generated private SSH key and press Open.
On the left menu return to Session and click Open. If the connection is successful, you should see this:
Enter this command in order to decrypt your server:
console_auth
You will be prompted to enter your passphrase. Write it out and press Enter.
After successful decryption, your SSH connection will drop. Now the server is decrypted, and you can use the normal SSH (on port 22) to connect to your server.
Decrypting your server through your terminal (Linux/Mac)
You will need the private key that you downloaded earlier.
Restrict the file permissions so that only your user can read it (ssh refuses to use a private key that is readable by other users):
chmod 400 file_location
Now you can log in to the Dropbear SSH server and decrypt your server using this command:
ssh -p 222 root@YOUR_SERVER_IP -i file_location_to_the_private_key
When you successfully connect to the Dropbear SSH, type this command:
console_auth
You will be prompted to enter your passphrase. Type it and press Enter.
After successful decryption, your SSH connection will drop. Now the server is decrypted and you can use the normal SSH (on port 22) to connect to your server.
If you have any further questions, you can always contact us!