Setup full disk encryption on a Hetzner cloud CX42 machine. No fancy SSH unlock: you have to go to their web based terminal to enter the disk password on boot.
Notes:
- Their web based terminal is /weird/. You can paste things, but it looks like it's set up for a German keyboard, and many characters change ("http://" into "http;//"); sometimes it converts everything to lowercase after a while, sometimes it enters some capslock mode. I ended up typing as much as possible by hand, and only using alphanumeric passphrases so there are no surprises when copy-pasting those.
- The (qemu) virtual machine doesn't use EFI, but Legacy Boot. Most setup instructions I found are for EFI systems.
- In the Hetzner UI click the server in the list, go to tab [ISO Images], search for "nix", and mount "NixOS 24.05 (x86_64/minimal)"
- Reboot, and open the terminal. (There's a button at the top with [>_], which is a shortcut for the terminal.)
- Wait for boot to be done in the terminal.
- Become root:
  $ sudo -i
- Partition /dev/sda: a small BIOS boot partition (type ef02, which GRUB needs on a GPT disk with Legacy Boot), a 500M /boot, and the rest for the encrypted root:
  # sgdisk -o -g -n 1::+5M -t 1:ef02 -n 2::+500M -t 2:8300 -n 3:: -t 3:8300 /dev/sda
- Create and open the LUKS container. Both of these will ask for the passphrase; see the note above about the funky Hetzner UI.
  # cryptsetup luksFormat /dev/sda3
  # cryptsetup open /dev/sda3 nixenc
- Put LVM on top of the opened container, with an 8GB swap and root on the rest:
  # pvcreate /dev/mapper/nixenc
  # vgcreate vg /dev/mapper/nixenc
  # lvcreate -n swap -L 8GB vg
  # lvcreate -n root -l +100%FREE vg
- Create the filesystems and mount everything under /mnt:
  # mkfs.ext2 -L boot /dev/sda2
  # mkfs.ext4 -L root /dev/vg/root
  # mkswap -L swap /dev/vg/swap
  # swapon /dev/mapper/vg-swap
  # mount /dev/mapper/vg-root /mnt
  # mkdir /mnt/boot
  # mount /dev/sda2 /mnt/boot
- Generate the initial configuration and point the channel at 24.05:
  # nixos-generate-config --root /mnt
  # nix-channel --add https://nixos.org/channels/nixos-24.05 nixos
  # nix-channel --update
- Save the block layout to a file and check it. Having it in a file means you can later pull the UUID into the config via vim magic. You need the UUID on the line with "sda3 part [this is the UUID you're looking for]":
  # lsblk -o name,type,mountpoint,uuid > /tmp/blk
- Edit the generated configuration:
  # cd /mnt/etc/nixos
  Edit configuration.nix and add:
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.grub.device = "/dev/sda";
  (also set hostname + timezone if you want)
  Edit hardware-configuration.nix and add:
  boot.initrd.luks.devices = { root = { preLVM = true; allowDiscards = true; device = "/dev/disk/by-uuid/<uuid of /dev/sda3>"; }; };
- Install. This takes a few minutes and also asks for a root password; again, see the note about the funky terminal.
  # nixos-install
- In the Hetzner UI, unmount the ISO we mounted at the start.
- Reboot:
  # reboot
This should now give a bootable nixos system, and it should ask for the disk password (in their terminal).
From here on you can enable SSH, but that's all up to you.
I did:
- Log in as root.
  # nix-shell -p vim
  # vim /etc/nixos/configuration.nix
- Enable the services.openssh.enable = true; line.
- Add: services.openssh.settings.PermitRootLogin = "yes";
- Also add vim to "environment.systemPackages" (you might as well do that the first time you touch this file).
  # nixos-rebuild switch
- Wait while it's busy.
- Finally, from your local terminal:
  $ ssh-copy-id root@<server address>
You now have a machine you can SSH into, and you can set it up as you want (and then eventually disable root SSH again).
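The Nix snippets above, collected into one well-formed configuration.nix (an added example, not the author's actual file). Hostname, timezone and the tightened SSH settings are assumptions; "<uuid of /dev/sda3>" stays a placeholder for the value from lsblk.

```nix
# /etc/nixos/configuration.nix -- added example combining the notes' snippets.
{ config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  # Legacy BIOS boot: GRUB is written to /dev/sda (MBR + the ef02 BIOS boot
  # partition). enableCryptodisk is kept as in the notes; with /boot on the
  # unencrypted /dev/sda2 GRUB does not have to open the LUKS container itself.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.enableCryptodisk = true;

  # Open /dev/sda3 in the initrd before LVM looks for the "vg" volume group.
  # If nixos-generate-config already emitted a boot.initrd.luks.devices entry
  # for this disk in hardware-configuration.nix, edit that one instead of
  # adding a second one for the same device.
  boot.initrd.luks.devices.root = {
    device = "/dev/disk/by-uuid/<uuid of /dev/sda3>";   # placeholder from lsblk
    preLVM = true;
    # allowDiscards passes TRIM through dm-crypt; the trade-off is that the
    # pattern of unused blocks becomes visible to whoever holds the raw disk.
    allowDiscards = true;
  };

  networking.hostName = "nixenc";   # assumption: pick your own
  time.timeZone = "UTC";            # assumption

  environment.systemPackages = with pkgs; [ vim ];

  services.openssh.enable = true;
  services.openssh.settings = {
    # The notes bootstrap with PermitRootLogin = "yes" so ssh-copy-id can use
    # the root password. Once the key is installed, this is the tightened
    # end state: key-only root login and no password authentication.
    PermitRootLogin = "prohibit-password";
    PasswordAuthentication = false;
  };

  system.stateVersion = "24.05";
}
```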
Related guides. This one is for EFI, but it is clean and written for modern Nix:
https://blog.kolaente.de/2021/11/installing-nixos-with-encrypted-btrfs-root-device-and-home-manager-from-start-to-finish/
This one is for Legacy BIOS (which is what Hetzner gives us), but with older Nix and GRUB:
https://discourse.nixos.org/t/full-encrypted-nixos-system-on-legacy-boot-with-secrets-and-remote-unlock-for-unstable-20-03/8279/6