How to encrypt my server and decrypt it remotely with Dropbear SSH?
In this tutorial, we will show you the easiest way to fully encrypt your KVM-based VPS. An OpenVZ-based VPS cannot be encrypted due to virtualization limitations. We highly recommend encrypting your VPS if security is a priority for you.
Boot up a custom CentOS ISO
For this tutorial we need to boot from our own ISO file; the steps shown are for CentOS 7. Obtain a CentOS 7 ISO URL and configure your VPS to boot from it. After you have set up your VPS to boot from the ISO, reboot it and open the VNC console.
Installing and encrypting (during the installation) CentOS 7
Follow the steps below to install CentOS 7 and encrypt it.
- Once you have opened the VNC console, you should see this:
Select Install CentOS 7 with the arrow keys and press Enter.
- Choose a language and press Continue.
- On the next screen, click Installation Destination. In this section you enable the encryption and configure the partitions your server will have.
NOTICE: Tick the checkbox Encrypt my data, then press the Done button at the top of the installer. You will be prompted for the passphrase that will be used to encrypt your VPS data.
- After typing your passphrase, press the button Save Passphrase.
- You will be returned to the main installation menu. Click Network & Hostname to enable your network interface.
Switch the toggle from Off to On. The IP address is provided by our DHCP server.
- Now you can press the button Begin Installation.
- On the next screen you have to set your root password. Enter it and press Continue.
- Reboot the machine when the installation has completed. After this step you have a clean installation of encrypted CentOS 7.
NOTICE: Do not forget to switch the boot order to 1) Hard Disk 2) CD Drive in the Virtualizor and Select ISO to None after the installation is completed.
NOTICE: Every time you reboot your machine, you will have to open the VNC console and enter the passphrase in order to decrypt your server. SSH will not work until the passphrase has been entered. We have a solution for this inconvenience; please read the information below.
Installing Dracut-Crypt-SSH in order to decrypt your machine via SSH
This dracut module lets you decrypt your machine remotely via SSH. We suggest installing it because it removes the inconvenience of entering the passphrase over VNC after every reboot. It uses the dropbear SSH server. If you prefer to enter the passphrase via VNC every time, you can skip this step.
First, install the dracut-crypt-ssh package from its COPR repository with these commands:
yum -y install epel-release wget vim
wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
yum install dracut-crypt-ssh
Once dracut-crypt-ssh is installed, edit the GRUB defaults file. This tutorial uses the editor vim. Open the file:
vim /etc/default/grub
Enter Insert mode by pressing i and append rd.neednet=1 ip=dhcp to the end of the GRUB_CMDLINE_LINUX line. These parameters make dracut bring up the network interface via DHCP inside the initramfs, which is what lets dropbear listen before the disk is unlocked. The line (in our case) looks like this:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.luks.uuid=luks-d0f3dff8-22c5-4aa3-a7a5-316f4ad3e56d rd.lvm.lv=centos/swap rhgb quiet rd.neednet=1 ip=dhcp"
Save the file by pressing Esc and typing :x.
Regenerate your GRUB config:
grub2-mkconfig --output /etc/grub2.cfg
Next, edit the dracut-crypt-ssh configuration to specify where the dropbear host keys and the list of authorized client keys are stored. You will log in to the server (before it is decrypted) over SSH, and the only supported authentication method is SSH key-based; password authentication is not supported. Open the configuration with this command:
vim /etc/dracut.conf.d/crypt-ssh.conf
Enter Insert mode by pressing i and paste this content:
dropbear_ecdsa_key="/etc/dropbear/auth/ssh_ecdsa"
dropbear_rsa_key="/etc/dropbear/auth/ssh_rsa"
dropbear_acl="/root/.ssh/authorized_keys"
Save the file by pressing Esc and typing :x.
Now create the folder /etc/dropbear/auth and generate the required host keys. Create the folder:
mkdir /etc/dropbear/auth
Generate the dropbear host keys (ECDSA and RSA) with these commands:
ssh-keygen -t ecdsa -f /etc/dropbear/auth/ssh_ecdsa
ssh-keygen -t rsa -f /etc/dropbear/auth/ssh_rsa
When you are prompted for a passphrase, just press Enter: these host keys are read from the initramfs, where nobody can type a passphrase, so they must stay unencrypted.
Now create your personal SSH key pair, which you will use to log in to dropbear. Run this command:
cd /root && ssh-keygen -t rsa -b 4096
When you are prompted for a passphrase or a file location, just press Enter.
Once your personal key pair has been generated, add its public key to the file that dropbear_acl points to, /root/.ssh/authorized_keys. Run:
touch /root/.ssh/authorized_keys && cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
Restrict the permissions of the host key files with this command (mode 444 still leaves the private host keys readable by every local user; 400 would also work, since dracut runs as root):
chmod 444 -R /etc/dropbear/auth/
Now rebuild the initramfs so that it picks up the dracut-crypt-ssh configuration, dropbear and the keys, by typing this command:
dracut -f
The dracut-crypt-ssh setup is complete, but before rebooting make sure you have copied your private key to your local machine. It is located at /root/.ssh/id_rsa. You can copy it with SFTP or paste it from the server; display its content with:
cat /root/.ssh/id_rsa
Now you can reboot your server by typing this command:
reboot
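The server-side steps of this section, from the GRUB edit through dracut -f, collected into one idempotent script. This is an added example and not the article's or the dracut-crypt-ssh project's own code: the script name and its apply argument are hypothetical, it assumes it runs as root on CentOS 7 with the paths used above (overridable through the environment so the functions can be exercised on scratch files), and it tightens the host key permissions to 400 instead of the article's 444, which is enough because dracut copies the keys as root. Running it without arguments only defines the functions, so nothing that touches the system runs by accident.

```shell
#!/bin/sh
# Added example, not the article's or the dracut-crypt-ssh project's own code:
# the server-side steps of this section (GRUB parameters, crypt-ssh.conf,
# dropbear host keys, the root login key, initramfs rebuild) as idempotent
# functions. Assumed, not given by the article: running as root on CentOS 7,
# the "apply" argument as a guard, and the environment overrides, which exist
# so the functions can be exercised on scratch files.
set -eu

GRUB_DEFAULT=${GRUB_DEFAULT:-/etc/default/grub}
CRYPT_SSH_CONF=${CRYPT_SSH_CONF:-/etc/dracut.conf.d/crypt-ssh.conf}
DROPBEAR_AUTH=${DROPBEAR_AUTH:-/etc/dropbear/auth}
ROOT_SSH=${ROOT_SSH:-/root/.ssh}

# Append "rd.neednet=1 ip=dhcp" to the GRUB_CMDLINE_LINUX line of file $1,
# exactly once: a second run must not add the parameters again.
add_grub_net_params() {
    f=$1
    if grep -q '^GRUB_CMDLINE_LINUX=.*rd\.neednet=1' "$f"; then
        return 0
    fi
    # Keep everything inside the quotes and add the parameters before the closing quote.
    sed 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 rd.neednet=1 ip=dhcp"/' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    grep -q '^GRUB_CMDLINE_LINUX=".*rd\.neednet=1 ip=dhcp"$' "$f"
}

# Write the dracut-crypt-ssh settings from the article into file $1.
write_crypt_ssh_conf() {
    cat > "$1" <<EOF
dropbear_ecdsa_key="$DROPBEAR_AUTH/ssh_ecdsa"
dropbear_rsa_key="$DROPBEAR_AUTH/ssh_rsa"
dropbear_acl="$ROOT_SSH/authorized_keys"
EOF
}

# Create the dropbear host keys in directory $1 if they are missing. They must
# be unencrypted (-N '') because the initramfs has nobody to type a passphrase.
# Mode 400 instead of the article's 444: dracut copies them as root, and other
# local users have no business reading a private host key.
generate_dropbear_keys() {
    d=$1
    mkdir -p "$d"
    [ -f "$d/ssh_ecdsa" ] || ssh-keygen -q -t ecdsa -N '' -f "$d/ssh_ecdsa"
    [ -f "$d/ssh_rsa" ] || ssh-keygen -q -t rsa -N '' -f "$d/ssh_rsa"
    chmod 700 "$d"
    chmod 400 "$d"/*
}

# Add the public key in file $1 to authorized_keys file $2 unless that exact
# line is already there, and keep the usual 700/600 modes on .ssh and the file.
authorize_key() {
    pub=$1; acl=$2
    mkdir -p "$(dirname "$acl")"
    chmod 700 "$(dirname "$acl")"
    touch "$acl"
    chmod 600 "$acl"
    grep -qxF "$(cat "$pub")" "$acl" || cat "$pub" >> "$acl"
}

# The two checks worth running after dracut -f: the kernel command line in the
# generated config carries the network parameters, and the rebuilt initramfs
# for the running kernel actually contains dropbear.
verify_setup() {
    grep -q 'rd\.neednet=1 ip=dhcp' /etc/grub2.cfg
    lsinitrd "/boot/initramfs-$(uname -r).img" | grep -qi dropbear
}

# Usage: sh setup-crypt-ssh.sh apply   (no argument only defines the functions)
if [ "${1:-}" = "apply" ]; then
    add_grub_net_params "$GRUB_DEFAULT"
    grub2-mkconfig --output /etc/grub2.cfg
    write_crypt_ssh_conf "$CRYPT_SSH_CONF"
    generate_dropbear_keys "$DROPBEAR_AUTH"
    mkdir -p "$ROOT_SSH"
    [ -f "$ROOT_SSH/id_rsa" ] || ssh-keygen -q -t rsa -b 4096 -N '' -f "$ROOT_SSH/id_rsa"
    authorize_key "$ROOT_SSH/id_rsa.pub" "$ROOT_SSH/authorized_keys"
    dracut -f
    verify_setup
    echo "done: copy $ROOT_SSH/id_rsa to your workstation before rebooting"
fi
```

Run it as `sh setup-crypt-ssh.sh apply`, then copy /root/.ssh/id_rsa to your workstation before rebooting. The verify_setup function is the check worth keeping: if the kernel line in /etc/grub2.cfg lacks rd.neednet=1 ip=dhcp, or lsinitrd shows no dropbear in the rebuilt initramfs, the server will reboot into a passphrase prompt that is reachable only over VNC.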
Decrypting your server using Putty (Windows)
We will need PuTTYgen, available from the official PuTTY website, to convert the private key into PuTTY's format.
Earlier you downloaded your private key from the server. Save it to a file; the extension does not matter.
Open PuTTYgen and click Load to load your private key.
If you do not see your file once the file dialog opens, select All Files from the dropdown. Select your file and press Open.
PuTTYgen will report that your key was imported successfully. Press the button Save private key. You will be asked whether to save it without a passphrase; you can skip the passphrase and press Yes.
Now we have the key in the format PuTTY expects.
At this point your server has rebooted but is not running yet, because it needs the passphrase to decrypt the disk and boot the operating system. If you connect to your server, it will look like this:
Open the Putty program. In the field Host name (or IP address) enter this: root@YOUR_SERVER_IP
In the Port field enter 222: the dropbear SSH server listens on port 222.
In the left-hand menu click SSH to expand its submenu, then click Auth. Click the Browse button, select the private key you just converted and press Open.
On the left menu return to Session and click Open. If the connection is successful, you should see this:
Enter this command to decrypt your server:
console_auth
You will be prompted for your passphrase. Enter it and press Enter.
After successful decryption, your SSH connection will drop: the initramfs hands over to the real system. Now the server is decrypted, and you can use the normal SSH (on port 22) to connect to your server.
Decrypting your server through your terminal (Linux/Mac)
Earlier you downloaded your private key from the server. Save it to a file; the extension does not matter.
Give this file permissions that only its owner can read; OpenSSH ignores a private key file that is readable by other users, so a mode such as 444 would not work:
chmod 400 file_location
Now you can sign into the dropbear SSH server and decrypt your server using this command:
ssh -p 222 root@YOUR_SERVER_IP -i file_location_to_the_private_key
Once you are connected to the dropbear SSH server, type this command:
console_auth
You will be prompted for your passphrase. Enter it and press Enter.
After successful decryption, your SSH connection will drop. Now the server is decrypted, and you can use the normal SSH (on port 22) to connect to your server.
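A client-side helper for the procedure above, added here as an example that is not part of the article: it fixes the key permissions, waits until the dropbear server answers on port 222, runs console_auth, and then confirms that the normal sshd on port 22 came up. The script and function names are hypothetical; it assumes OpenSSH's ssh and ssh-keyscan on the client and a bounded number of probes. Note that the host key presented on port 222 is expected to be the dropbear key pair generated in /etc/dropbear/auth on the server, not sshd's key from port 22, so record `ssh-keygen -lf /etc/dropbear/auth/ssh_ecdsa.pub` (and the RSA .pub) on the server before rebooting and compare the fingerprint at the first connection; OpenSSH keeps the two entries apart in known_hosts as [host]:222 and host.

```shell
#!/bin/sh
# Added example (not from the article): unlock the LUKS root of a VPS over the
# dropbear server from the tutorial. Assumed, not given by the article: the
# script name, the function names, that OpenSSH's ssh and ssh-keyscan are
# installed on the client, and the probe interval of 5 seconds.
set -eu

DROPBEAR_PORT=${DROPBEAR_PORT:-222}   # port the tutorial configures for dropbear
SSHD_PORT=${SSHD_PORT:-22}            # port of the normal sshd after unlock

# OpenSSH ignores a private key file that other users can read, so make the
# key owner-readable only and succeed only if the mode is now exactly 0400.
fix_key_perms() {
    chmod 400 "$1"
    find "$1" -perm 400 | grep -q .
}

# Probe port $2 on host $1 up to $3 times. ssh-keyscan prints a host key line
# only after a completed SSH transport handshake, so it serves as a readiness
# check for both dropbear and the later sshd without needing nc.
wait_for_ssh() {
    host=$1; port=$2; retries=${3:-30}
    n=0
    while [ "$n" -lt "$retries" ]; do
        if ssh-keyscan -p "$port" -T 5 "$host" 2>/dev/null | grep -q .; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -lt "$retries" ]; then
            sleep 5
        fi
    done
    return 1
}

# Connect as root on the dropbear port and run console_auth on a pseudo-tty
# (-t) so the passphrase is read without echo. The session is expected to drop
# once the disk is unlocked, so ssh's exit status is not meaningful here;
# success is confirmed by the normal sshd becoming reachable afterwards.
unlock_remote() {
    host=$1; key=$2
    fix_key_perms "$key"
    if ! wait_for_ssh "$host" "$DROPBEAR_PORT" 30; then
        echo "no SSH service answered on $host:$DROPBEAR_PORT" >&2
        return 1
    fi
    ssh -t -p "$DROPBEAR_PORT" -i "$key" -o IdentitiesOnly=yes "root@$host" console_auth || true
    if wait_for_ssh "$host" "$SSHD_PORT" 12; then
        echo "unlocked: sshd is reachable on $host:$SSHD_PORT"
        return 0
    fi
    echo "console_auth finished but sshd on $host:$SSHD_PORT did not come up" >&2
    return 1
}

# Usage: sh unlock-vps.sh YOUR_SERVER_IP /path/to/private_key
if [ $# -eq 2 ]; then
    unlock_remote "$1" "$2"
fi
```

The readiness probe matters because a VPS that is still going through the BIOS and GRUB stages simply refuses the connection, and a loop that retried the ssh command itself would also retry after a successful unlock, since the session drop that the article describes makes ssh exit with an error status as well. Checking port 22 afterwards turns "the connection dropped" into a verified result.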