% Encrypting a Kimsufi server

# Sources

- [Full disk encrypted Ubuntu on Kimsufi sever / opsblog.net](https://opsblog.net/posts/full-disk-encrypted-ubuntu-kimsufi-sever/)

# Starting Rescue mode

Shut the server down cleanly from the command line.

## On the Kimsufi management interface

1. Click `NetBoot`
2. Click the `Rescue` button
3. Select `rescue64-pro` in the interface (or leave the default)
4. Click the `Suivant` (Next) button
5. Click the `Confirmer` (Confirm) button

The server must now be rebooted.

6. Click the `Redémarrer` (Restart) button, to the left of the `NetBoot` button

Wait for the e-mail with the login credentials.

## SSH connection in Rescue mode

Use the credentials you received to connect over SSH.

```bash
root@rescue:~#
```

:::important
Everything that follows erases the data on the disk. **Make a backup of all your data first.**
:::

# Partitioning, formatting and encryption

## Wiping

:::warning
Check your backups.
:::

```bash
wipefs -a /dev/sda
```

## Partitioning

Create the MBR partition table (`-s` runs parted non-interactively):

```bash
parted -s -a optimal /dev/sda mklabel msdos
```

Create the boot partition:

```bash
# Create a first 512MiB partition
parted -s -a optimal /dev/sda mkpart primary 0% 512MiB
```

Create the main partition:

```bash
# Create a partition in the remaining disk space
parted -s -a optimal /dev/sda mkpart primary 512MiB 100%
```

Mark the boot partition (`sda1`) as bootable:

```bash
parted -s /dev/sda set 1 boot on
```

## Preparing the installation system

### Installing packages

```bash
apt update && apt install -y cryptsetup lvm2 debian-keyring
```

### Debootstrapping Debian

Go to the page for the distribution to be installed: [Debian -- Package Download Selection -- debootstrap_1.0.123_all.deb](https://packages.debian.org/bullseye/all/debootstrap/download)

Fetch the package:

```bash
wget \
  http://ftp.fr.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.123_all.deb
```

Install it:

```bash
dpkg -i debootstrap*.deb && rm -f debootstrap*.deb
```

## Formatting

```bash
mkfs.ext4 /dev/sda1
```

## Creating the encrypted volume

```bash
cryptsetup -q -s 512 -c aes-xts-plain64 luksFormat /dev/sda2
```

```bash
cryptsetup luksDump /dev/sda2 | grep UUID | awk '{print $2}'
```

:::information
Take note of the UUID, it will be needed later: keep it safe.
:::

```bash
cryptsetup luksOpen /dev/sda2 root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
```

## Preparing the boot mount

```bash
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```

```bash
apt install -y debian-keyring
debootstrap --arch amd64 stable /mnt https://deb.debian.org/debian/
```

# Chroot and configuration

```bash
mount -o bind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
```

## Chroot

Run:

```bash
chroot /mnt /bin/bash
```

### Installing `ifupdown`

The chroot runs as root and `sudo` is not part of the debootstrapped system, so call `apt` directly:

```bash
apt install -y ifupdown
```

Network interface configuration:

```bash
cat << EOF > /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
EOF

cat << EOF > /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

_hostname=caladan
_domain=aezi.fr
echo "$_hostname" > /etc/hostname
echo "127.0.1.1 $_hostname.$_domain $_hostname" >> /etc/hosts
```

### Time zone configuration

```bash
echo "Europe/Paris" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata
```

### APT configuration

```bash
cat << EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free

deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free

deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

deb http://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free
EOF
```

### Disabling installation of suggested/recommended packages

```bash
cat << EOF > /etc/apt/apt.conf.d/999aptsettings
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
```

# Installing the required packages

```bash
apt update
```

```bash
apt install -y busybox console-setup cryptsetup dropbear grub-pc initramfs-tools kbd linux-image-amd64 linux-perf locales ssh dropbear-initramfs cryptsetup-initramfs
```

```bash
# dropbear-initramfs already created /etc/dropbear-initramfs, hence -p.
# A directory needs the execute bit to be traversable: 700 rather than 600.
mkdir -p /root/.ssh && chmod 700 /root/.ssh
mkdir -p /etc/dropbear-initramfs/ && chmod 700 /etc/dropbear-initramfs/

# The same public keys go into both authorized_keys files:
# the initramfs (dropbear) one and the installed system's.
cat << 'EOF' | tee -a /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys > /dev/null
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyzZAymNeWxeDjSUzkyEJLzwGqZt+VvdmidomWL0QLb lauhub@Mac-15-Laurent.local
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIyit1IimUJbT7ZnVfUiGZb49uZJnTTHVSWFxCiBdiwKm9kVXUiegxbTH+Mks1a0qdYVJgA1yHmfoZTEoDlJbqgZ82xY8ZNh1bBTrHUXqE3tAcIdM1Sn8lm1zoxUOnGlOdDNG5QvteY+BceIZq9dn8e3XYmhDuZ5YpkM1Dp/4hWTkxmpjhMvT7JKyE+r2/TYLOUatm4tl7ythDzMINciWKsNGCYderf1fhRPmgInPJlOS0bdOCxOivVmdq6lnB++hfRdu/fDQIdr1R7GyxunqwVWhCtTHKyuIgcuDCAKQTDGKgwwuVQ2SJOPjNvSPz5I4B2UBBRxhecAjR6o5smzuV laurent.hubert@aezi.fr
EOF
```

Kernel command line for the initramfs (predictable interface names off, so the interface is `eth0`, and DHCP on it):

```bash
sed -i.old \
  's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ip=:::::eth0:dhcp"/g' /etc/default/grub
```

# Dropbear configuration

[LUKS encryption: Enable remote ssh unlocking - iotechonline](https://iotechonline.com/luks-encryption-enable-remote-ssh-unlocking/)

Dropbear is configured by editing `/etc/dropbear-initramfs/config`.

Set the following options there:

```bash
DROPBEAR_OPTIONS="-p 64357 -s -j -k -I 60"
```

:::information
I tried this, but it does not boot after unlocking and you stay stuck in the initramfs:

```
#GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ip=dhcp rd.neednet=1"
GRUB_CMDLINE_LINUX="break=mount net.ifnames=0 biosdevname=0 ip=dhcp"
```

[initrd - How can I force a Ubuntu kernel to fail mounting / and drop into the initramfs rescue shell? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/71754/how-can-i-force-a-ubuntu-kernel-to-fail-mounting-and-drop-into-the-initramfs-r)
:::

[Re: IP configuration with dhcp — Linux Initramfs](https://www.spinics.net/lists/linux-initramfs/msg04115.html)

[11.6. Consistent Network Device Naming Using biosdevname Red Hat Enterprise Linux 7 | Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-consistent_network_device_naming_using_biosdevname)

Edit:

```bash
nano /etc/initramfs-tools/initramfs.conf
```

Change:

```
BUSYBOX=auto
```

to:

```
BUSYBOX=y
```

and add:

```
DROPBEAR=y
```

Set the grub UUID (the LUKS UUID noted earlier):

```bash
GRUB_DEVICE_UUID=b0c29427-58a9-4249-ac28-65b5ca5ff454
```

Optionally try:

```bash
#GRUB_DISABLE_LINUX_UUID=true
```

```bash
update-grub && update-initramfs -u -k all
```

### Repairing grub ???
```bash
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda
```

## Unmounting

```bash
exit
```

Then:

```bash
umount /mnt/{boot,dev,proc,sys}
umount /mnt
cryptsetup luksClose root
```

# Troubleshooting when the server does not boot

## Remounting

```bash
cryptsetup luksOpen /dev/sda2 root
```

Enter the passphrase.

```bash
mount /dev/mapper/root /mnt
mkdir -p /mnt/boot
mount /dev/sda1 /mnt/boot
mount -o bind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
chroot /mnt /bin/bash
```

# The server's fingerprints

```
256 SHA256:8j3WCkyhX10xNjWC7Yc54ZbhPlr9aoP7lWL7gxo36lM root@rescue.ovh.net (ECDSA)
root@rescue:/# ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:qOyLf0akhO3B0OOS/TFzsrOegE7IkQ6uthWSI1nvAIE root@rescue.ovh.net (ED25519)
root@rescue:/# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
3072 SHA256:e+riHM3n7uYYswwwfXFjGflHGugvAxl8jY0NXbZ6CW0 root@rescue.ovh.net (RSA)
```

# Unlocking the caladan server

```bash
ssh kimunlock cryptroot-unlock
```

---

Output of `ip a` and `ip r` in rescue mode:

```
root@rescue:/# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:13:99:4b:11:83 brd ff:ff:ff:ff:ff:ff
3: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0e:15:d8:d1:a7:ab brd ff:ff:ff:ff:ff:ff
4: ifb0: mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 32:4b:d6:0e:a8:a6 brd ff:ff:ff:ff:ff:ff
5: ifb1: mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 6a:1e:f2:cc:2d:de brd ff:ff:ff:ff:ff:ff
6: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:22:4d:aa:76:1a brd ff:ff:ff:ff:ff:ff
    inet 37.187.3.102/24 brd 37.187.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:41d0:a:366::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::222:4dff:feaa:761a/64 scope link
       valid_lft forever preferred_lft forever
7: teql0: mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
8: tunl0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
9: gre0@NONE: mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
10: gretap0@NONE: mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
11: erspan0@NONE: mtu 1464 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
12: sit0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
13: ip6tnl0@NONE: mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd :: permaddr 5ec5:5fd5:2816::
root@rescue:/# ip r
default via 37.187.3.254 dev eth0
37.187.3.0/24 dev eth0 proto kernel scope link src 37.187.3.102
```
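The notes above record the LUKS UUID by hand and then set `GRUB_CMDLINE_LINUX`, `GRUB_DEVICE_UUID`, `BUSYBOX=y` and `DROPBEAR=y` by editing files, with a `sed` that only matches an exactly empty `GRUB_CMDLINE_LINUX`. As an added example (not part of the original notes), the script below extracts and validates the UUID from `cryptsetup luksDump` output and sets those keys idempotently, replacing an existing or commented-out line and appending otherwise. The `luksdump` text, `grub` and `initramfs.conf` contents it operates on are constructed samples in temporary files; the UUID in the sample is the one from the notes, and `set_conf_key`, `get_conf_key` and `luks_uuid_from_dump` are names chosen here.

```bash
#!/bin/sh
# Added example, not from the original notes: derive the LUKS UUID from
# `cryptsetup luksDump` output and write KEY=VALUE settings into copies of
# /etc/default/grub and /etc/initramfs-tools/initramfs.conf idempotently.
# Every path is a parameter, so nothing here touches /dev/sda2 or the real
# files unless you pass them in.

# Read luksDump output on stdin, print the UUID; fail if absent or malformed.
luks_uuid_from_dump() {
    _uuid=$(awk '$1 == "UUID:" { print $2; exit }')
    printf '%s\n' "$_uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || {
        echo "luks_uuid_from_dump: no well-formed UUID in dump" >&2
        return 1
    }
    printf '%s\n' "$_uuid"
}

# set_conf_key FILE KEY VALUE: replace an existing (possibly '#'-commented)
# KEY= line, or append one. Unlike `sed s/KEY=""/.../`, this also works when
# the key already holds another value, and running it twice changes nothing.
set_conf_key() {
    _file=$1; _key=$2; _value=$3
    # escape the characters that are special in a sed replacement
    _esc=$(printf '%s' "$_value" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^#*[[:space:]]*${_key}=" "$_file"; then
        sed "s|^#*[[:space:]]*${_key}=.*|${_key}=${_esc}|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf '%s=%s\n' "$_key" "$_value" >> "$_file"
    fi
}

# get_conf_key FILE KEY: print the effective (last uncommented) value of KEY.
get_conf_key() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Constructed sample standing in for `cryptsetup luksDump /dev/sda2` output.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           b0c29427-58a9-4249-ac28-65b5ca5ff454
Label:          (no label)'

demo() {
    _dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DUMP" > "$_dir/luksdump.txt"
    # constructed stand-ins for /etc/default/grub and initramfs.conf
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$_dir/grub"
    printf 'MODULES=most\nBUSYBOX=auto\n#DROPBEAR=n\n' > "$_dir/initramfs.conf"

    _uuid=$(luks_uuid_from_dump < "$_dir/luksdump.txt") || return 1
    set_conf_key "$_dir/grub" GRUB_CMDLINE_LINUX '"net.ifnames=0 biosdevname=0 ip=:::::eth0:dhcp"'
    set_conf_key "$_dir/grub" GRUB_DEVICE_UUID "$_uuid"
    set_conf_key "$_dir/initramfs.conf" BUSYBOX y
    set_conf_key "$_dir/initramfs.conf" DROPBEAR y

    echo "== $_dir/grub"; cat "$_dir/grub"
    echo "== $_dir/initramfs.conf"; cat "$_dir/initramfs.conf"
    rm -rf "$_dir"
}

demo
```

Run as is, it works on temporary copies and prints the resulting files. Inside the chroot, the same functions can be pointed at `/etc/default/grub` and `/etc/initramfs-tools/initramfs.conf`, followed by `update-grub && update-initramfs -u -k all` as in the notes.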
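The fingerprints section records the rescue system's host keys, and `ssh kimunlock cryptroot-unlock` sends the LUKS passphrase over SSH to whatever answers on the server's address during boot, so the fingerprint the client shows must match a value recorded out of band before the passphrase is typed. As an added example (not part of the original notes), the script below pins the ED25519 and RSA fingerprints from the notes, checks an `ssh-keygen -lf` style listing against them, and prints a `~/.ssh/config` stanza for the `kimunlock` alias with the dropbear port from the notes. The sample listing with a differing RSA fingerprint is constructed, and the `IdentityFile`, `HostKeyAlias` and function names are assumptions.

```bash
#!/bin/sh
# Added example, not from the original notes: pin host-key fingerprints and
# verify an `ssh-keygen -lf` listing against them before a LUKS passphrase is
# typed into a remote session (rescue system or initramfs dropbear).

# Pinned fingerprints ("TYPE SHA256:..."): the ED25519 and RSA values the
# notes record for the rescue system. The dropbear-initramfs and installed
# system's keys are pinned the same way (`ssh-keygen -lf` on each public key).
PINNED='ED25519 SHA256:qOyLf0akhO3B0OOS/TFzsrOegE7IkQ6uthWSI1nvAIE
RSA SHA256:e+riHM3n7uYYswwwfXFjGflHGugvAxl8jY0NXbZ6CW0'

# "256 SHA256:xxx comment (ED25519)"  ->  "ED25519 SHA256:xxx"
parse_keygen_line() {
    printf '%s\n' "$1" | awk '{ t = $NF; gsub(/[()]/, "", t); print t, $2 }'
}

# check_fingerprint TYPE FINGERPRINT: 0 = matches the pin,
# 1 = mismatch (possible interception or reinstalled host), 2 = no pin for TYPE.
check_fingerprint() {
    _pinned=$(printf '%s\n' "$PINNED" | awk -v t="$1" '$1 == t { print $2; exit }')
    if [ -z "$_pinned" ]; then
        echo "$1: no pinned fingerprint, refusing" >&2
        return 2
    fi
    if [ "$_pinned" != "$2" ]; then
        echo "$1: MISMATCH got $2, pinned $_pinned" >&2
        return 1
    fi
    echo "$1: OK $2"
}

# Read `ssh-keygen -lf` lines on stdin and check each; fail if any line
# mismatches or has no pin.
verify_keygen_output() {
    _fail=0
    while IFS= read -r _line; do
        case "$_line" in
            *SHA256:*)
                set -- $(parse_keygen_line "$_line")
                check_fingerprint "$1" "$2" || _fail=1 ;;
        esac
    done
    return $_fail
}

# ~/.ssh/config stanza for the `kimunlock` alias used in the notes: HOST is
# the server address, the port defaults to the dropbear port set above.
# IdentityFile and HostKeyAlias are assumptions; the alias gives the initramfs
# dropbear key its own known_hosts entry, separate from the installed sshd's.
unlock_ssh_config() {
    cat << EOF
Host kimunlock
    HostName $1
    Port ${2:-64357}
    User root
    IdentityFile ~/.ssh/id_ed25519
    HostKeyAlias kimunlock-initramfs
EOF
}

# Constructed sample listings: the two pinned lines, and a line whose RSA
# fingerprint differs from the pin.
SAMPLE_GOOD='256 SHA256:qOyLf0akhO3B0OOS/TFzsrOegE7IkQ6uthWSI1nvAIE root@rescue.ovh.net (ED25519)
3072 SHA256:e+riHM3n7uYYswwwfXFjGflHGugvAxl8jY0NXbZ6CW0 root@rescue.ovh.net (RSA)'
SAMPLE_BAD='3072 SHA256:0000000000000000000000000000000000000000000 root@rescue.ovh.net (RSA)'

# Live use, once the host answers on the dropbear port:
#   ssh-keyscan -p 64357 -t ed25519,rsa HOST > /tmp/hostkeys \
#     && ssh-keygen -lf /tmp/hostkeys | verify_keygen_output
printf '%s\n' "$SAMPLE_GOOD" | verify_keygen_output && echo "sample listing matches the pins"
printf '%s\n' "$SAMPLE_BAD" | verify_keygen_output || echo "sample listing rejected (exit $?)"
```

The exit codes are deliberate: a mismatch (1) and a missing pin (2) both stop the unlock, but the second tells you the table is incomplete rather than that something sits between you and the server.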