
How to encrypt my server and decrypt it remotely with Dropbear SSH?

In this tutorial we show the simplest way to fully encrypt a KVM-based VPS, using the LUKS full-disk encryption offered by the CentOS 7 installer. An OpenVZ-based VPS cannot be encrypted this way: a container shares the host kernel and does not boot through its own initramfs, so there is nowhere to run the unlock step. We strongly recommend encrypting your VPSes if security is a priority for you. Keep in mind what this protects: the data at rest on the disk image (and any copy or backup of it), not a running VM, whose memory and keys are visible to the hypervisor.

 

Getting started

For this tutorial we need to boot the VPS from our own ISO file. You can see how here. This tutorial uses CentOS 7, so we use the URL of a CentOS 7 ISO and set the VPS to boot from it. Once the VPS is set to boot from the ISO, reboot it and open the VNC console.

 

Installing CentOS 7 with encryption enabled during the installation

  1. Once you have opened the VNC console, you should see this:



    Select Install CentOS 7 with the arrow keys and press Enter.

  2. Choose a language and press Continue.



  3. On the next screen, click Installation destination. In this section we enable encryption and configure the partitions the server will have.



    For the purpose of this tutorial we keep the automatic partitioning.

    NOTICE: Tick the checkbox Encrypt my data.

    Press the Done button at the top of the installer. You will be prompted for the passphrase that will encrypt your VPS data. Choose a long one and store it safely: it is the only thing protecting the disk, it cannot be recovered, and without it the server cannot boot after a reboot.

  4. After typing your passphrase, press Save Passphrase.



  5. You will be returned to the main installation menu. Click on Network & Hostname in order to enable your network interface.



    Switch the toggle from Off to On. The IP address will be assigned by our DHCP server.

  6. Now press Begin installation.

  7. On the next screen you have to set the root password. Enter it and press Continue.

  8. Reboot the machine when the installation is complete. After this step you have a clean CentOS 7 installation on an encrypted disk.

NOTICE: Do not forget to switch the boot order to 1) Hard Disk 2) CD Drive in Virtualizor and set Select ISO to None once the installation has completed.

NOTICE: Every time you reboot the machine you have to open the VNC console and enter the passphrase to decrypt the server. SSH is not available until the passphrase has been entered. We have a solution for this inconvenience; please read on.

Installing Dracut-Crypt-SSH in order to decrypt your machine via SSH

This dracut module lets you decrypt the machine remotely over SSH, which removes the inconvenience of rebooting your VPS; it runs a small Dropbear SSH server inside the initramfs, before the root filesystem is unlocked. If you prefer to enter the passphrase via VNC every time, you can skip this step. One caveat to understand before relying on it: the initramfs lives unencrypted in /boot, and with it the Dropbear host keys and the list of authorized public keys. Anyone who can read or replace the disk image can therefore impersonate the pre-boot SSH server or modify the initramfs to capture your passphrase. The encryption protects data at rest; it does not protect against a tampered boot path.

 

The first step is to install the dracut-crypt-ssh package from its Fedora COPR repository with these commands:

yum -y install epel-release wget vim
wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
yum install dracut-crypt-ssh

 

Once dracut-crypt-ssh is installed, we have to edit the GRUB defaults file. This tutorial uses the editor vim. Open the file:

vim /etc/default/grub

Press i to enter Insert mode and append rd.neednet=1 ip=dhcp to the end of the GRUB_CMDLINE_LINUX line. rd.neednet=1 tells dracut to bring networking up inside the initramfs and ip=dhcp tells it how to configure the interface; without both, Dropbear starts with no network to listen on. In our case the line looks like this (your rd.luks.uuid value will differ; keep your own):

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.luks.uuid=luks-d0f3dff8-22c5-4aa3-a7a5-316f4ad3e56d rd.lvm.lv=centos/swap rhgb quiet rd.neednet=1 ip=dhcp"

Save the file by pressing Esc and typing :x.

 

Regenerate your GRUB config. On a BIOS-booted VPS /etc/grub2.cfg is a symlink to /boot/grub2/grub.cfg; on a UEFI install the symlink is /etc/grub2-efi.cfg and should be used instead:

grub2-mkconfig --output /etc/grub2.cfg

 

Next we edit the Dropbear configuration used by dracut-crypt-ssh to specify where its host keys are stored and which public keys may log in. You will connect to the server (before it is decrypted) via SSH, and the only supported authentication method is SSH key-based; password authentication is not accepted. Open the configuration with this command:

vim /etc/dracut.conf.d/crypt-ssh.conf

Press i to enter Insert mode and paste this content:

dropbear_ecdsa_key="/etc/dropbear/auth/ssh_ecdsa"
dropbear_rsa_key="/etc/dropbear/auth/ssh_rsa"
dropbear_acl="/root/.ssh/authorized_keys"

Save the file by pressing Esc and typing :x.

 

Now create the folder /etc/dropbear/auth and generate the host keys that Dropbear will present from the initramfs.

Create the folder:

mkdir /etc/dropbear/auth

Now let's create the keys using these commands:

ssh-keygen -t ecdsa -f /etc/dropbear/auth/ssh_ecdsa
ssh-keygen -t rsa -f /etc/dropbear/auth/ssh_rsa

When you are prompted for a passphrase, just press Enter: these host keys must be unencrypted, because nothing in the initramfs could enter a passphrase for them at boot. ssh-keygen writes OpenSSH-format keys; dracut-crypt-ssh converts them to Dropbear's own format when the initramfs is built.

 

Now create your personal SSH key pair. Better practice is to generate this pair on your workstation and copy only the public key to the server, so the private key never exists on the VPS; the steps below follow the simpler route of generating it on the server and copying it out afterwards. Run:

cd /root && ssh-keygen -t rsa -b 4096

When you are prompted for a passphrase or a file location, just press Enter.

 

Once the key pair exists, add the public key to /root/.ssh/authorized_keys, the file named as dropbear_acl in crypt-ssh.conf. This is also the file your normal sshd on port 22 reads, so the same key logs you in after the unlock. Run this command, which also sets the permissions sshd expects on the file:

touch /root/.ssh/authorized_keys && cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys

 

Restrict the permissions on the host keys. They are private keys and must not be readable by other local users; dracut runs as root, so root-only access is enough:

chmod 700 /etc/dropbear/auth && chmod 600 /etc/dropbear/auth/ssh_ecdsa /etc/dropbear/auth/ssh_rsa

 

Now rebuild the server's initramfs so it picks up the dracut-crypt-ssh module and its configuration, by typing this command in your terminal (afterwards, lsinitrd | grep dropbear should list the Dropbear files in the new image):

dracut -f

 

The dracut-crypt-ssh setup is complete, but before rebooting make sure of two things. First, copy your private key to your local machine; it is in the file /root/.ssh/id_rsa. Second, record the fingerprints of the Dropbear host keys (ssh-keygen -lf /etc/dropbear/auth/ssh_ecdsa.pub and the same for ssh_rsa.pub): the pre-boot SSH server presents these keys, not the ones your normal sshd on port 22 uses, and the fingerprint is what lets you verify you are typing the disk passphrase into your own server.

You can copy the private key with SFTP or just copy-paste it from the server. You can see the content of the file with this command:

cat /root/.ssh/id_rsa
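Before rebooting it is worth checking that everything above actually landed, because a mistake leaves the VPS waiting at the passphrase prompt with no SSH to reach it. The script below is an added example for this tutorial, not part of the page or of dracut-crypt-ssh. It applies the GRUB_CMDLINE_LINUX change without duplicating it when run twice, verifies that the key files named in crypt-ssh.conf exist with root-only permissions, that the dropbear_acl file holds a usable public key, and that the rebuilt initramfs contains Dropbear; it also prints the host key fingerprints to record. The file name preflight.sh and its --check flag are assumptions; run it as root with sh preflight.sh --check.

```shell
#!/bin/sh
# preflight.sh (hypothetical name): run as root on the server before "reboot".
# Added example for this tutorial; not part of the page or of dracut-crypt-ssh.
# Every function takes its paths as arguments, so the checks can also be run
# against a test tree. Uses GNU stat/sed (Linux).

# True if $2 is already a whole-word argument on the GRUB_CMDLINE_LINUX line of $1.
has_cmdline_arg() {
    grep '^GRUB_CMDLINE_LINUX=' "$1" | sed 's/^GRUB_CMDLINE_LINUX=//; s/"//g' \
        | tr ' ' '\n' | grep -qxF -- "$2"
}

# Append each argument to GRUB_CMDLINE_LINUX unless it is already there, so running
# this twice does not produce "rd.neednet=1 ip=dhcp rd.neednet=1 ip=dhcp".
append_cmdline_args() {        # $1 = /etc/default/grub, $2.. = kernel arguments
    f=$1; shift
    for arg in "$@"; do
        has_cmdline_arg "$f" "$arg" || sed -i "/^GRUB_CMDLINE_LINUX=/ s/\"\$/ $arg\"/" "$f"
    done
}

# dracut needs both: rd.neednet=1 to bring networking up in the initramfs and an
# ip= setting (ip=dhcp here) to configure it. Without them Dropbear starts unreachable.
check_cmdline() {              # $1 = /etc/default/grub
    has_cmdline_arg "$1" rd.neednet=1 && grep '^GRUB_CMDLINE_LINUX=' "$1" | grep -q ' ip=[^ "]'
}

# Dropbear host keys are private keys: they must exist and be readable by root only.
check_private_key() {          # $1 = key file
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = 600 ]
}

# The dropbear_acl file must hold at least one RSA or ECDSA public key, the types this
# setup's Dropbear is configured for (ed25519 client keys need Dropbear 2020.80 or later).
check_acl() {                  # $1 = authorized_keys file
    [ -s "$1" ] && grep -Eq '^(ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' "$1"
}

# Print the value of a dracut-crypt-ssh variable from crypt-ssh.conf, without quotes.
conf_value() {                 # $1 = crypt-ssh.conf, $2 = variable name
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# Run everything; $3 is the initramfs image to inspect with lsinitrd ("" skips that check).
run_checks() {                 # $1 = grub file, $2 = crypt-ssh.conf, $3 = initramfs image
    rc=0
    check_cmdline "$1" || { echo "FAIL: rd.neednet=1 / ip= missing from GRUB_CMDLINE_LINUX"; rc=1; }
    for var in dropbear_rsa_key dropbear_ecdsa_key; do
        k=$(conf_value "$2" "$var")
        check_private_key "$k" || { echo "FAIL: $var='$k' missing or not mode 0600"; rc=1; }
        [ -f "$k.pub" ] && ssh-keygen -lf "$k.pub"      # fingerprint to record for the first unlock
    done
    acl=$(conf_value "$2" dropbear_acl)
    check_acl "$acl" || { echo "FAIL: no usable public key in dropbear_acl='$acl'"; rc=1; }
    if [ -n "$3" ]; then
        lsinitrd "$3" | grep -q dropbear || { echo "FAIL: $3 has no dropbear; rerun dracut -f"; rc=1; }
    fi
    return "$rc"
}

case "${1:-}" in
  --check) run_checks /etc/default/grub /etc/dracut.conf.d/crypt-ssh.conf \
                      "/boot/initramfs-$(uname -r).img" && echo "OK: safe to reboot" ;;
esac
```

If any line starts with FAIL, fix it and run dracut -f and grub2-mkconfig again before rebooting; a missing ip= or rd.neednet=1 is the most common reason the Dropbear prompt never appears on port 222.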

 

Now you can reboot your server typing this command:

reboot

 

Decrypting your server using Putty (Windows)

We need PuTTYgen to convert the OpenSSH private key into PuTTY's .ppk format. You can download it from here: https://www.puttygen.com/

You downloaded your private key from the server earlier. Save it to a file; the extension does not matter.

Open PuTTYgen and Load your private key.

If you do not see your file once the file dialog opens, select All Files from the dropdown. Select your file and press Open.

PuTTYgen reports that the key was imported successfully. Press Save private key. You will be asked whether to save it without a passphrase; you can skip that and press Yes, although setting a passphrase here is a good idea, since this key unlocks the whole server.

Now we have the key in the format PuTTY expects.

 

At this point your server has rebooted and is waiting at the passphrase prompt; the operating system cannot boot until the disk is decrypted. In the VNC console it looks like this:

 

Open PuTTY. In the field Host Name (or IP address) enter root@YOUR_SERVER_IP.

In the Port field enter 222.

The Dropbear SSH server listens on port 222. On the first connection PuTTY shows a host key prompt. The fingerprint must match the one you recorded from /etc/dropbear/auth before the reboot, and it will differ from the fingerprint of your normal sshd on port 22. If it does not match, do not enter your passphrase: something between you and the server is presenting a different key.

 

In the left menu expand SSH and click Auth. Click Browse, select the .ppk file you just saved and press Open.

 

Return to Session in the left menu and click Open. If the connection succeeds, you should see this:

 

Enter this command in order to decrypt your server:

console_auth

 

You will be prompted to enter your passphrase. Enter it and press Enter.

 

After a successful decryption your SSH session drops: the initramfs hands over to the real system and Dropbear goes away. The server is now decrypted and boots normally; once it is up, connect with the normal SSH on port 22.

 

Decrypting your server through your terminal (Linux/Mac)

You have downloaded your private key from the server before. Save it to a file, the extension does not matter.

 

Give the file the permissions ssh requires. It must be readable only by you; if it is readable by other users, ssh refuses to use it with a "Permissions ... are too open" error:

chmod 600 file_location

 

Now connect to the Dropbear SSH server and decrypt the server with this command. On the first connection ssh shows the host key fingerprint; compare it with the one you recorded from /etc/dropbear/auth before the reboot (it is Dropbear's key, not your normal sshd's) and only continue if it matches:

ssh -p 222 root@YOUR_SERVER_IP -i file_location_to_the_private_key

 

When you successfully connect to the Dropbear SSH, type this command:

console_auth

You will be prompted to enter your passphrase. Enter it and press Enter.

 

After a successful decryption your SSH session drops: the initramfs hands over to the real system and Dropbear goes away. The server is now decrypted and boots normally; once it is up, connect with the normal SSH on port 22.
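Both the PuTTY and the terminal procedures above connect to a host key the client has never seen, at the exact moment you type the passphrase that protects the whole disk. The script below is an added example for this tutorial (not from the page or from dracut-crypt-ssh) that pins the Dropbear host key, copied from /etc/dropbear/auth/ssh_ecdsa.pub on the server before the reboot, in a known_hosts file of its own, runs console_auth only against that pinned key, and then waits for the normal sshd on port 22 to come back. The file name unlock.sh, the --pin and --unlock flags, and the local paths ~/.ssh/vps_unlock and ~/.ssh/known_hosts_dropbear are assumptions.

```shell
#!/bin/sh
# unlock.sh (hypothetical name): run on your workstation once the server has rebooted.
# Added example for this tutorial; not from the page or from dracut-crypt-ssh.
# Assumed local paths: ~/.ssh/vps_unlock (the private key copied from the server)
# and ~/.ssh/known_hosts_dropbear (pinned Dropbear host key, kept apart from the
# default known_hosts so it cannot be confused with the port-22 sshd key).

UNLOCK_PORT=222
KEY="$HOME/.ssh/vps_unlock"
KNOWN_HOSTS="$HOME/.ssh/known_hosts_dropbear"

# known_hosts entry for a non-standard port: "[host]:port keytype base64key".
# $3 is the content of /etc/dropbear/auth/ssh_ecdsa.pub (or ssh_rsa.pub) copied from
# the server before the reboot; its trailing comment field is dropped.
known_hosts_line() {       # $1 host, $2 port, $3 public key line
    printf '%s\n' "$3" | awk -v h="$1" -v p="$2" '{ printf "[%s]:%s %s %s\n", h, p, $1, $2 }'
}

# Append the entry unless exactly that line is already pinned.
pin_hostkey() {            # $1 known_hosts file, $2 host, $3 port, $4 public key line
    entry=$(known_hosts_line "$2" "$3" "$4")
    grep -qxF -- "$entry" "$1" 2>/dev/null || printf '%s\n' "$entry" >> "$1"
}

# Key-only auth, strict checking against the pinned file only. console_auth reads the
# LUKS passphrase from your terminal, so a tty (-t) is required. ssh exits with an error
# status when Dropbear disappears after the unlock; that is the expected outcome.
unlock() {                 # $1 host
    ssh -t -p "$UNLOCK_PORT" -i "$KEY" -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "root@$1" console_auth
}

# Poll until a BatchMode login on port 22 succeeds (the same key works there because
# dropbear_acl is /root/.ssh/authorized_keys). Assumes the port-22 host key is already
# in your default known_hosts; gives up after about two minutes.
wait_for_sshd() {          # $1 host
    n=0
    until ssh -p 22 -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 "root@$1" true 2>/dev/null; do
        n=$((n + 1)); [ "$n" -lt 24 ] || return 1
        sleep 5
    done
}

case "${1:-}" in
  --pin)    pin_hostkey "$KNOWN_HOSTS" "$2" "$UNLOCK_PORT" "$3" ;;   # --pin HOST 'contents of ssh_ecdsa.pub'
  --unlock) [ -s "$KNOWN_HOSTS" ] || { echo "pin the Dropbear host key first (--pin)" >&2; exit 1; }
            unlock "$2"
            wait_for_sshd "$2" && echo "port 22 is back: ssh -i $KEY root@$2" ;;
esac
```

Usage: sh unlock.sh --pin YOUR_SERVER_IP "$(cat ssh_ecdsa.pub)" once, with the public key file you copied from the server, then sh unlock.sh --unlock YOUR_SERVER_IP after every reboot. OpenSSH records keys for non-standard ports as [host]:port, so the pinned Dropbear entry never collides with the port-22 entry, and StrictHostKeyChecking=yes makes ssh refuse to connect at all, rather than prompt, if the key presented on port 222 is not the one you pinned.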