this post was submitted on 09 Mar 2026

Hello!

I've spent a lot of time struggling with Hetzner's KVM console; there are a lot of problems causing severe issues with setting up passwords and passphrases. I just thought I'd create this "guide" to get things rolling, for everyone who faces the same issues I've faced.

Step 1 - Firewall

Set up a firewall and only open port 22 with your IP (you can look it up using ip.me).

Step 2 - Installation

Perform the installation procedure as normal, setting very simple passwords and passphrases for the user accounts and the disk encryption. Set them to something like 123. These will be changed later!

I'm using Debian 13, the steps may or may not be the same for your choice of distribution.

Step 3 - SSH access

Unmount the ISO and reboot. Enter the console again, log in as root with your simple password. Now, if you have the same problem as me, keys like /, CTRL etc. won't work, so I used tab completion and vi to modify the config file.

# cd ../etc/ssh/
# vi sshd<TAB>

Inside vi, press o to create a new line and enter insert mode. Add:

PermitRootLogin yes
PasswordAuthentication yes

Press ESC and then <SHIFT>-yy (so holding shift and pressing y twice). This will save the file and exit vi. Restart the SSH services:

# systemctl restart ssh sshd

Step 4 - Dropbear

ssh into your VPS. Now you have full keyboard access like usual. Install dropbear-initramfs, which is an SSH server that's placed in the initial RAM filesystem so that you can ssh into your VPS during start up so you can easily enter your encryption passphrase.

Generate a new key pair and add the public key to /etc/dropbear/initramfs/authorized_keys

Run update-initramfs -u and reboot. You should now be able to ssh into your VPS using the key you just generated. The following command lets you unlock the encrypted disk:

cryptroot-unlock

This will probably disconnect you from the tunnel, simply re-establish the SSH tunnel again.

Step 5 - Changing passwords and passphrases

To change the encryption passphrase:

# cryptsetup luksAddKey /dev/sdXY
# cryptsetup luksRemoveKey /dev/sdXY

Lock the root user and change the password of your user (don't forget to add the user to the sudo group!):

# passwd -l root
# passwd user

Done!

At this point you might want to use some other means to access the server, such as Netbird or Tailscale or Wireguard. Regardless of how you decide to access the server, you should revert the changes to sshd_config.

P.S.

I have no idea if this is a secure or good way to do this. Use at your own risk!
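
A check for the revert mentioned at the end of the post, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, so this reports which value of the two Step 3 settings actually wins. The function names and the sample config are constructed for illustration, and the files are assumed to be passed in the order sshd reads them.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it reads
# for a keyword, so a "no" placed below an earlier "yes" changes nothing.

# first_value KEYWORD FILE...  (files in the order sshd reads them)
# Prints the first value found in the global section, or "unset".
first_value() {
    want=$1; shift
    awk -v want="$want" '
        BEGIN { want = tolower(want); found = 0 }
        FNR == 1 { in_match = 0 }          # simplification: Match ends with its file
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }      # normalise the Keyword=value spelling
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                  # only the global section is audited
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$@"
}

# step3_reverted FILE...  -> status 0 only if neither Step 3 line is in effect.
# "unset" means the OpenSSH built-in default applies (prohibit-password / yes).
step3_reverted() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(first_value "$kw" "$@")
        echo "$kw: $val"
        if [ "$val" = "yes" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: the Step 3 lines sit near the top of the file and a
# later attempt to switch them off was appended at the bottom.
make_sample() {
    printf '%s\n' '# constructed sshd_config' \
        'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'UsePAM yes' 'PermitRootLogin no' 'PasswordAuthentication no' > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/sshd_config"
step3_reverted "$tmp/sshd_config" || echo "Step 3 settings are still in effect"
rm -rf "$tmp"
```

On the server itself, `sshd -T` prints the configuration sshd actually computed, with Include and Match handling applied.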

[–] IratePirate@feddit.org 0 points 11 hours ago (3 children)

Set up a firewall and only open port 22 with your IP (you can look it up using ip.me).

I keep wondering about this part whenever I read it. Do y'all have static IP addresses so you can do this easily? If I did this, I'd probably lock myself out within a week (which is roughly the interval at which my public IPv4 will change).

[–] versionc@lemmy.world 1 points 10 hours ago (1 children)

This is only supposed to be temporary while you set up the FDE; your IP is unlikely to change in the 30 minutes or so it takes to go through these steps.

In any other scenario I'd close port 22 and use a mesh VPN with SSH capabilities, like Netbird or Tailscale. I'd only open it up again to access Dropbear during reboots, and I'd use IP filtering for that as well.

As for DHCP, I guess it depends on the ISP. I don't have a static IP but mine doesn't change as far as I can tell unless my router is disconnected for a longer while.

[–] IratePirate@feddit.org 1 points 10 hours ago

Now I get it. Thanks for the explanation!

[–] offspec@lemmy.world 1 points 10 hours ago

This post is about a Hetzner host so I would assume it's static.

[–] ShortN0te@lemmy.ml 1 points 11 hours ago (1 children)

Use DDNS or similar to keep track of your IP?

[–] IratePirate@feddit.org 2 points 10 hours ago (1 children)

Sure, that's what I do for hosting my stuff. DDNS does not help with SSH whitelisting because that is IP-based, not based on a URL.

[–] ShortN0te@lemmy.ml 2 points 9 hours ago

Stupid me, missed the IP whitelisting part.