Devuan Excalibur with full-disk encryption on a BitFolk VPS
Before starting, I'd recommend grabbing a copy of your BitFolk
VPS's network configuration - usually
at /etc/network/interfaces - from an existing
installation to make things easier later when installing Devuan
from scratch.
We will be using BitFolk's Xen Shell, so make sure you can access it. The Xen Shell page on the BitFolk wiki can help get you started: https://tools.bitfolk.com/wiki/Xen_Shell
From the Xen Shell, let's verify using the status
command that our VPS is shut down and not running:
xen-shell> status
Guest: Shutdown
Great, we can get started.
Let's boot into the rescue environment using
the rescue command.
xen-shell> rescue
Booting rescue instance: dasht
...
Debian GNU/Linux 11 rescue hvc0
****************************************
Resetting user password to random value:
New user password: hunter2
****************************************
...
rescue login:
Once the rescue environment has finished booting, we will be
dropped into a rescue login: prompt. As of now, the
username is user and the password will be the
randomly-generated value output to the screen a few lines earlier.
Once logged in, we can check the known disks using
lsblk:
user@rescue:~$ lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0     7:0    0 298.6M  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
xvda    202:0    0    15G  0 disk
├─xvda1 202:1    0  14.2G  0 part
├─xvda2 202:2    0     1K  0 part
└─xvda5 202:5    0   842M  0 part
xvdb    202:16   0     1G  0 disk
xvdc    202:32   0    50G  0 disk
In my case xvda is the primary SSD-backed storage,
xvdb for use as swap, and xvdc my optional
archive storage on SATA HDD (slower).
Since Devuan Excalibur is not offered by BitFolk as a supported
distribution (you can see a list of them using the help install command in the Xen Shell), we will download and
write a copy of the Devuan Excalibur installation image onto xvdb, boot it, and do the installation. We will later
re-partition xvdb for use as swap space as originally
intended.
I start by becoming root by running sudo -i, then
running df -h . to check if there's enough free space
in the current partition for downloading a copy of the Excalibur
mini.iso. The Excalibur mini.iso is around 64M, so there should be
plenty of space on the disk for it.
root@rescue:~# command -v wget >/dev/null || { apt update && apt install wget; }
root@rescue:~# wget https://pkgmaster.devuan.org/devuan/dists/excalibur/main/installer-amd64/current/images/netboot/mini.iso
root@rescue:~# ls -lh mini.iso
-rw-r--r-- 1 root root 64M Jan 11 07:15 mini.iso
I'll write it to xvdb as explained above and issue a
sync for good measure:
root@rescue:~# dd if=mini.iso of=/dev/xvdb bs=4M status=progress
16+0 records in
16+0 records out
67108864 bytes (67 MB, 64 MiB) copied, 0.0529485 s, 1.3 GB/s
root@rescue:~# sync
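Before an image is written to a disk it is worth checking it against the checksum the archive publishes. Debian-style archives keep a SHA256SUMS listing (and usually a detached SHA256SUMS.sign or .asc signature for it) next to the installer images; whether Devuan's pkgmaster publishes one at exactly the directory used above is an assumption here, so look at the directory listing first, and if a signature is there verify it with gpg --verify before trusting the listing. The helper below is an added example and not part of the original post: it looks an entry up in a SHA256SUMS-style listing, hashes the local file and exits non-zero on a mismatch or on an entry the listing does not contain. The demonstration at the bottom runs it on a constructed file so it works offline.

```sh
#!/bin/sh
# Added example (not from the original post): check a downloaded installer
# image against a SHA256SUMS-style listing before writing it to a disk.
# Assumed: a listing in "<sha256hex>  <path>" format (what sha256sum emits),
# fetched from the same directory as the image.

# verify_sha256 SUMSFILE NAME [FILE]
#   SUMSFILE  listing to consult
#   NAME      entry to look up, exactly as written in the listing
#             (e.g. ./netboot/mini.iso; a leading "*" marks binary mode and
#             is stripped before comparison)
#   FILE      local file to hash; defaults to the basename of NAME
# Exit status: 0 = match, 1 = hash mismatch, 2 = NAME not in the listing.
verify_sha256() {
    sums="$1"; name="$2"; file="${3:-$(basename "$2")}"
    expected=$(awk -v n="$name" '{ p = $2; sub(/^\*/, "", p) }
                                p == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_sha256: $name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: MISMATCH for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_sha256: $file matches $name"
}

# Demonstration on a constructed file (not the real image), so it runs offline.
demo() {
    dir=$(mktemp -d)
    printf 'not really an installer image\n' > "$dir/mini.iso"
    (cd "$dir" && sha256sum mini.iso > SHA256SUMS)
    verify_sha256 "$dir/SHA256SUMS" mini.iso "$dir/mini.iso"; ok=$?
    printf 'x' >> "$dir/mini.iso"                 # tamper with the file
    verify_sha256 "$dir/SHA256SUMS" mini.iso "$dir/mini.iso"; bad=$?
    rm -rf "$dir"
    echo "untampered: $ok, tampered: $bad"       # 0, then 1
}

demo
```

On the rescue system the call is `verify_sha256 SHA256SUMS <entry> mini.iso`, where the entry is whatever path the listing uses for the netboot image; only write the image to xvdb once it reports a match.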
At this point we will create and write a new empty GPT partition
table onto xvda to prevent BitFolk's GRUB from booting
into our VPS's existing operating system.
*WARNING* this will make the currently installed operating system and any other data stored on your VPS effectively inaccessible, so make sure you have backed up any data you'd like to keep. Note that only the partition table is discarded here: the old data stays on the disk until something overwrites it, which the installer's Erase data step for the encrypted partition will do later.
root@rescue:~# fdisk /dev/xvda
Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): g
Created a new GPT disklabel (GUID: FB261B60-D062-4C4A-825A-536B9C30EFA6).
The device contains 'dos' signature and it will be removed by a write command. See fdisk(8) man page and --wipe option for more details.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
Let's check with lsblk again to make sure our disk
layouts look as expected:
root@rescue:~# lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0     7:0    0 298.6M  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
xvda    202:0    0    15G  0 disk
xvdb    202:16   0     1G  0 disk
├─xvdb1 202:17   0    58M  0 part
├─xvdb2 202:18   0   3.5M  0 part
└─xvdb3 202:19   0     6M  0 part
xvdc    202:32   0    50G  0 disk
Great, we can now shut down and exit the rescue environment:
root@rescue:~# poweroff
Back at the Xen Shell, issuing the boot command should
boot our VPS and drop us into BitFolk's GNU GRUB and subsequently into
that of the Excalibur mini.iso.
xen-shell> boot
...
GNU GRUB version 2.11
+----------------------------------------------------------------------------+
|*Install |
| Advanced options ... |
| Accessible dark contrast installer menu ... |
| |
| |
| |
| |
| |
| |
| |
| |
+----------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line. ESC to return
previous menu.
I'll choose Advanced options ..., then at the next
screen, I will press e on ... Expert install
to edit it and add console=hvc0 to the linux
line to specify the right console so we can see the output in our Xen
console:
GNU GRUB version 2.11
+----------------------------------------------------------------------------+
|setparams '... Expert install' |
| |
| set background_color=black |
| linux /linux priority=low vga=788 console=hvc0 --- |
| initrd /initrd.gz |
| |
| |
| |
| |
| |
| |
| |
+----------------------------------------------------------------------------+
Minimum Emacs-like screen editing is supported. TAB lists
completions. Press Ctrl-x or F10 to boot, Ctrl-c or F2 for
a command-line or ESC to discard edits and return to the GRUB menu.
We can now boot into the Expert install by pressing Ctrl-x, which should present us with the Devuan installer's main menu:
┌─────────┤ [?] Devuan installer main menu ├─────────┐
│ │
│ Choose the next step in the install process: │
│ │
│ Choose language │
│ Access the installer using a Braille display │
│ Configure the keyboard │
│ Detect network hardware │
│ Configure the network │
│ Choose a mirror of the Devuan archive │
│ Download installer components │
│ Select an init system │
│ Change debconf priority │
│ Save debug logs │
│ Execute a shell │
│ Abort the installation │
│ │
└────────────────────────────────────────────────────┘
Here we can start working through the steps as we would for a typical Devuan install.
For the Configure the network step, auto-configuring
the network might work for you, but it didn't for me, so I entered the
details manually, starting with the IP address and netmask:
┌─────────────────┤ [!!] Configure the network ├──────────────────┐
│ │
│ The IP address is unique to your computer and may be: │
│ │
│ * four numbers separated by periods (IPv4); │
│ * blocks of hexadecimal characters separated by colons (IPv6). │
│ │
│ You can also optionally append a CIDR netmask (such as "/24"). │
│ │
│ If you don't know what to use here, consult your network │
│ administrator. │
│ │
│ IP address: │
│ │
│ 85.119.82.6/21_________________________________________________ │
│ │
│ <Go Back> <Continue> │
│ │
└─────────────────────────────────────────────────────────────────┘
Then the gateway:
┌────────────────────┤ [!!] Configure the network ├─────────────────────┐
│ │
│ The gateway is an IP address (four numbers separated by periods) that │
│ indicates the gateway router, also known as the default router. All │
│ traffic that goes outside your LAN (for instance, to the Internet) is │
│ sent through this router. In rare circumstances, you may have no │
│ router; in that case, you can leave this blank. If you don't know │
│ the proper answer to this question, consult your network │
│ administrator. │
│ │
│ Gateway: │
│ │
│ 85.119.80.1__________________________________________________________ │
│ │
│ <Go Back> <Continue> │
│ │
└───────────────────────────────────────────────────────────────────────┘
And the name servers:
┌────────────────────┤ [!!] Configure the network ├─────────────────────┐
│ │
│ The name servers are used to look up host names on the network. │
│ Please enter the IP addresses (not host names) of up to 3 name │
│ servers, separated by spaces. Do not use commas. The first name │
│ server in the list will be the first to be queried. If you don't want │
│ to use any name server, just leave this field blank. │
│ │
│ Name server addresses: │
│ │
│ 85.119.80.232 85.119.80.233__________________________________________ │
│ │
│ <Go Back> <Continue> │
│ │
└───────────────────────────────────────────────────────────────────────┘
For the Download installer components step, you'll
probably want to select at least these components for inclusion:
- crypto-dm-modules
- fdisk-udeb
- parted-udeb
- rescue-mode
Your installer menu should look something like this after downloading the additional components:
┌─────────┤ [?] Devuan installer main menu ├─────────┐
│ │
│ Choose the next step in the install process: │
│ │
│ Choose language - │
│ Access the installer using a Braille display ▒ │
│ Configure the keyboard ▒ │
│ Detect network hardware ▒ │
│ Configure the network ▒ │
│ Choose a mirror of the Devuan archive 0 │
│ Download installer components ▒ │
│ Set up users and passwords ▒ │
│ Configure the clock ▒ │
│ Detect disks ▒ │
│ Partition disks ▒ │
│ Install the base system ▒ │
│ Configure the package manager ▒ │
│ Select and install software . │
│ │
└────────────────────────────────────────────────────┘
At the Partition disks step, for
Partitioning method we will scroll down and choose
Manual, and will be presented with something like
this:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ This is an overview of your currently configured partitions and mount │
│ points. Select a partition to modify its settings (file system, mount │
│ point, etc.), a free space to create partitions, or a device to │
│ initialize its partition table. │
│ │
│ Guided partitioning - │
│ Configure software RAID 0 │
│ Configure the Logical Volume Manager ▒ │
│ Configure encrypted volumes ▒ │
│ Configure iSCSI volumes ▒ │
│ ▒ │
│ Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device ▒ │
│ > 16.1 GB FREE SPACE ▒ │
│ Virtual disk 2 (xvdb) - 1.1 GB Xen Virtual Block Device . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Now at the partition manager utility, we'll create 2 partitions
under xvda: one for /boot (unencrypted),
and the other for / (sitting on the LUKS-encrypted
partition). /boot has to stay unencrypted because BitFolk's GRUB reads
the kernel and initramfs from it before anything is unlocked, and it is
worth being clear about what that means for the threat model: the
encryption protects the data at rest (a disk image that is copied,
re-allocated or retired), not against anyone who can modify the
unencrypted /boot or read the guest's memory while it runs.
Scroll down and select the FREE SPACE
under Virtual disk 1 (xvda), then
Create a new partition. For partition size enter
550 MB, create the partition at the Beginning
of the available space, and at the Partition settings
screen, set Mount point to
/boot - static files of the boot loader, and optionally
enter a Label:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ You are editing partition #1 of Virtual disk 1 (xvda). No existing │
│ file system was detected in this partition. │
│ │
│ Partition settings: │
│ │
│ Name: dboot - │
│ Use as: Ext4 journaling file system 0 │
│ ▒ │
│ Mount point: /boot ▒ │
│ Mount options: defaults ▒ │
│ Label: dboot ▒ │
│ Reserved blocks: 5% ▒ │
│ Typical usage: standard ▒ │
│ Bootable flag: off . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Then scroll down and select
Done setting up the partition.
Back at the partition manager utility, select the remaining
FREE SPACE, then Create a new partition
again. For partition size, confirm the presented default of the
remaining available disk space. At the
Partition settings, change Use as to
physical volume for encryption for this partition:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ You are editing partition #2 of Virtual disk 1 (xvda). No existing │
│ file system was detected in this partition. │
│ │
│ Partition settings: │
│ │
│ Name: - │
│ Use as: physical volume for encryption 0 │
│ Encryption method: Device-mapper (dm-crypt) ▒ │
│ ▒ │
│ Encryption: aes ▒ │
│ Key size: 256 ▒ │
│ IV algorithm: xts-plain64 ▒ │
│ Encryption key: Passphrase ▒ │
│ Erase data: yes . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
One thing worth knowing before accepting these defaults: with XTS the
key is split into two halves, one for the block cipher and one for the
tweak, so Key size: 256 gives AES-128-XTS. If you want AES-256-XTS,
change Key size to 512; on a CPU with AES-NI the cost is small.
Then scroll down and select
Done setting up the partition.
Now at the partition manager, you should see something like this:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ This is an overview of your currently configured partitions and mount │
│ points. Select a partition to modify its settings (file system, mount │
│ point, etc.), a free space to create partitions, or a device to │
│ initialize its partition table. │
│ │
│ Configure software RAID - │
│ Configure the Logical Volume Manager ▒ │
│ Configure encrypted volumes ▒ │
│ Configure iSCSI volumes ▒ │
│ 0 │
│ Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device ▒ │
│ > 1.0 MB FREE SPACE ▒ │
│ > #1 549.5 MB f ext4 dboot /boot ▒ │
│ > #2 15.6 GB K crypto not active . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
We'll now select Configure encrypted volumes, and
confirm that we are okay with writing the current partitioning scheme
to the disk to proceed further.
At the next menu Encryption configuration actions,
select Create encrypted volumes, and select the right
partition for encryption (here /dev/xvda2, indicated as
crypto):
┌─────────────────┤ [!!] Partition disks ├──────────────────┐
│ │
│ Please select the devices to be encrypted. │
│ │
│ You can select one or more devices. │
│ │
│ Devices to encrypt: │
│ │
│ [ ] /dev/xvda free #1 (1MB; FREE SPACE) │
│ [ ] /dev/xvda1 (549MB; ext4) │
│ [*] /dev/xvda2 (15554MB; crypto) │
│ [ ] /dev/xvda free #2 (1MB; FREE SPACE) │
│ [ ] /dev/xvdb2 (3MB) │
│ [ ] /dev/xvdb free #1 (56MB; FREE SPACE) │
│ [ ] /dev/xvdb3 (6MB) │
│ [ ] /dev/xvdb free #2 (1006MB; FREE SPACE) │
│ │
│ <Go Back> <Continue> │
│ │
└───────────────────────────────────────────────────────────┘
Then back at the Encryption configuration actions
screen, this time select Finish, and say Yes
to erasure of the data on the partition you just selected, confirming
you selected the right one.
Once erasing the data on the selected partition is done, we'll be prompted to choose an encryption passphrase. Make it a secure one, and make sure to not lose it, otherwise you WILL lose access to all of the data on your VPS.
Now at the partition manager we see the following:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ This is an overview of your currently configured partitions and mount │
│ points. Select a partition to modify its settings (file system, mount │
│ point, etc.), a free space to create partitions, or a device to │
│ initialize its partition table. │
│ │
│ Configure encrypted volumes - │
│ Configure iSCSI volumes ▒ │
│ ▒ │
│ Encrypted volume (xvda2_crypt) - 15.5 GB Linux device-mapper (cry ▒ │
│ > #1 15.5 GB f ext4 0 │
│ Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device ▒ │
│ > 1.0 MB FREE SPACE ▒ │
│ > #1 549.5 MB F ext4 dboot /boot ▒ │
│ > #2 15.6 GB K crypto (xvda2_crypt . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Select the line under Encrypted volume (xvda2_crypt),
then in Partition settings scroll up and change
Use as to Ext4 journaling file system
or if you prefer any of the other file system options presented
(e.g. btrfs or XFS), then change
Mount point to / - the root file system,
optionally enter a Label, and finally select
Done setting up the partition:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ You are editing partition #1 of Encrypted volume (xvda2_crypt). No │
│ existing file system was detected in this partition. │
│ │
│ Partition settings: │
│ │
│ Use as: Ext4 journaling file system - │
│ 0 │
│ Mount point: / ▒ │
│ Mount options: defaults ▒ │
│ Label: droot ▒ │
│ Reserved blocks: 5% ▒ │
│ Typical usage: standard ▒ │
│ ▒ │
│ Erase data on this partition . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
The partition manager should now look similar to the following:
┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
│ │
│ This is an overview of your currently configured partitions and mount │
│ points. Select a partition to modify its settings (file system, mount │
│ point, etc.), a free space to create partitions, or a device to │
│ initialize its partition table. │
│ │
│ - │
│ Encrypted volume (xvda2_crypt) - 15.5 GB Linux device-mapper (cry ▒ │
│ > #1 15.5 GB f ext4 / ▒ │
│ Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device 0 │
│ > 1.0 MB FREE SPACE ▒ │
│ > #1 549.5 MB F ext4 dboot /boot ▒ │
│ > #2 15.6 GB K crypto (xvda2_crypt ▒ │
│ > 1.0 MB FREE SPACE ▒ │
│ Virtual disk 2 (xvdb) - 1.1 GB Xen Virtual Block Device . │
│ │
│ <Go Back> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
We are finally ready to proceed with the rest of the installation,
so we'll scroll down and select
Finish partitioning and write changes to disk.
The installer will prompt us that we haven't set up a swap partition,
but that's okay, we can finish the installation without one and make
one later. We'll confirm the pending changes to proceed.
Back at the main installer menu we'll select
Install the base system to begin the installation.
Later at the Software selection step, you'll probably
want to unselect any graphical desktop environments to preserve disk
space, and instead select SSH server and perhaps
web server depending on your use-cases for your VPS:
┌───────────────────────┤ [!] Software selection ├────────────────────────┐
│ │
│ At the moment, only the core of the system is installed. To tune the │
│ system to your needs, you can choose to install one or more of the │
│ following predefined collections of software. │
│ │
│ Choose software to install: │
│ │
│ [ ] Devuan desktop environment - │
│ [ ] ... Xfce 0 │
│ [ ] ... MATE ▒ │
│ [ ] ... Cinnamon ▒ │
│ [ ] ... GNOME ▒ │
│ [ ] ... KDE ▒ │
│ [ ] ... LXDE ▒ │
│ [ ] ... LXQt . │
│ │
│ <Continue> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
┌───────────────────────┤ [!] Software selection ├────────────────────────┐
│ │
│ At the moment, only the core of the system is installed. To tune the │
│ system to your needs, you can choose to install one or more of the │
│ following predefined collections of software. │
│ │
│ Choose software to install: │
│ │
│ [ ] ... LXDE - │
│ [ ] ... LXQt ▒ │
│ [ ] ... GNOME Flashback ▒ │
│ [*] web server ▒ │
│ [ ] Console productivity ▒ │
│ [*] SSH server ▒ │
│ [*] standard system utilities 0 │
│ [ ] Choose a Debian Blend for installation. │
│ │
│ <Continue> │
│ │
└─────────────────────────────────────────────────────────────────────────┘
At the GRUB boot loader installation step, for
Device for boot loader installation
select /dev/xvda.
Finally, Finish the installation at the main installer
menu. Your VPS will reboot at the end. At the Xen Shell, type
console to reattach to the console. If the BitFolk GRUB
boots from /dev/xvdb, press Ctrl+] to detach
from the console, then at the Xen Shell type destroy to
force poweroff your VPS. Now that we have a Devuan installation on
/dev/xvda, we'll boot into the rescue environment again
and make a new empty partition table on /dev/xvdb so the
BitFolk GRUB doesn't get confused.
root@rescue:~# fdisk /dev/xvdb
Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
The device contains 'iso9660' signature and it will be removed by a write command. See fdisk(8) man page and --wipe option for more details.
Command (m for help): g
Created a new GPT disklabel (GUID: 697515E7-C86D-4482-A4EB-A7E69592F330).
The device contains 'iso9660' signature and it will be removed by a write command. See fdisk(8) man page and --wipe option for more details.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
We should now be able to boot into our new Devuan installation.
xen-shell> boot
...
GNU GRUB version 2.11
+----------------------------------------------------------------------------+
|*Devuan GNU/Linux |
| Advanced options for Devuan GNU/Linux |
| |
| |
| |
| |
| |
| |
| |
| |
| |
+----------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line. ESC to return
previous menu.
As a reminder, the first time we boot into Devuan we'll
need to set the right console by pressing e
on the Devuan GNU/Linux entry to edit it and add
console=hvc0 to the linux line,
so that the output appears in our Xen console. To make this persistent,
once booted into Devuan, edit /etc/default/grub, add
console=hvc0 to GRUB_CMDLINE_LINUX,
and run update-grub to regenerate the GRUB configuration.
Every boot will also stop at the LUKS passphrase prompt on that same
console (there is no remote unlock in this setup), so the VPS cannot be
rebooted unattended: have the Xen Shell console open whenever it restarts.
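Two helpers for that first boot, as an added example that is not part of the original post: grub_add_param makes the console=hvc0 edit to /etc/default/grub idempotently (it assumes the Debian-style GRUB_CMDLINE_LINUX="..." line), and luks_summary reads the cipher and key size the installer actually used from cryptsetup luksDump output, reporting the effective AES strength, since with XTS a 256-bit key is AES-128. first_boot runs both against the real system; the parsing assumes the LUKS2 luksDump layout that current cryptsetup produces. Without --apply the script only defines the functions.

```sh
#!/bin/sh
# Added example (not from the original post): first-boot helpers for the new
# system, to be run as root. Assumed: Debian-style /etc/default/grub with a
# GRUB_CMDLINE_LINUX="..." line, and LUKS2-format `cryptsetup luksDump` output.

# grub_add_param FILE PARAM : add PARAM to GRUB_CMDLINE_LINUX in FILE unless
# it is already present; prints the resulting line.
grub_add_param() {
    file="$1"; param="$2"; tmp=$(mktemp)
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX=/ && !done {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", line); sub(/"$/, "", line)
            n = split(line, w, " "); have = 0
            for (i = 1; i <= n; i++) if (w[i] == p) have = 1
            if (!have) line = (line == "" ? p : line " " p)
            $0 = "GRUB_CMDLINE_LINUX=\"" line "\""
            done = 1
        }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"" p "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    grep '^GRUB_CMDLINE_LINUX=' "$file"
}

# luks_summary DUMP : DUMP is the text of `cryptsetup luksDump DEVICE`.
# Prints "<cipher> <bits>-bit key (AES-<n>)". XTS splits the key into two
# halves, so a 256-bit key is AES-128 and a 512-bit key is AES-256.
luks_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "cipher:" && c == ""                { c = $2 }   # data segment
        $1 == "Cipher" && $2 == "key:" && k == "" { k = $3 }   # keyslot
        END {
            if (c ~ /^aes-xts/) printf "%s %s-bit key (AES-%d)\n", c, k, k / 2
            else                printf "%s %s-bit key\n", c, k
        }'
}

# Real run on the installed system: persist the console setting, then report
# the LUKS parameters of whatever device backs /.
first_boot() {
    grub_add_param /etc/default/grub console=hvc0 && update-grub
    src=$(findmnt -no SOURCE /)                  # e.g. /dev/mapper/xvda2_crypt
    dev=$(cryptsetup status "${src#/dev/mapper/}" | awk '$1 == "device:" { print $2 }')
    luks_summary "$(cryptsetup luksDump "$dev")"
    cryptsetup luksDump "$dev" | grep -E '^[[:space:]]*(PBKDF|Memory|Time cost|Threads):'
}

# Only touch the real system when asked to; otherwise just define the helpers.
if [ "${1:-}" = "--apply" ]; then first_boot; fi
```

The last grep shows the key-derivation parameters (argon2id memory and time cost on a LUKS2 header); those, together with the passphrase, are what stands between an attacker holding a copy of the disk and the data.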
Post-installation steps (optional)
The rest of this document outlines some post-installation steps I'd typically take after a new Devuan installation, with inspiration from Drew DeVault's new server checklist.
- Set root password
passwd root
- Install Git and etckeeper
apt update && apt install git etckeeper
- Regenerate sshd host keys (anyone who connected to the old installation will see a changed-host-key warning afterwards, which is expected)
# for additional entropy
apt update && apt install haveged
# back up existing keys
bkdir="/etc/ssh/orig-ssh-host-keys-$(date '+%Y%m%d')"
mkdir "$bkdir"
mv /etc/ssh/ssh_host_* "$bkdir"/
# openssh-server's postinst recreates any host key that is missing
dpkg-reconfigure openssh-server
- Add admin user (if not done during installation)
adduser admin
adduser admin sudo
- Add admin's SSH keys
mkdir -p ~admin/.ssh
cat > ~admin/.ssh/authorized_keys <<\EOF
TODO: ssh pubkeys here
EOF
chown -R admin:admin ~admin/.ssh
chmod 700 ~admin/.ssh
chmod 600 ~admin/.ssh/authorized_keys
- Add admin user to adm and staff groups - useful for reading adm-owned /var/log/*.log files without privilege escalation
adduser admin adm
adduser admin staff
- Make /usr/local owned and writable by staff group - useful for installing software into /usr/local without privilege escalation
find /usr/local -type d -exec chgrp staff {} +
find /usr/local -type d -exec chmod g+ws {} +
Bear in mind that /usr/local/sbin and /usr/local/bin come first in root's PATH, so anyone who can write there can plant a binary that root will run; treat membership of staff as root-equivalent and only grant it to an account that already has sudo.
- Disable root login and password login via SSH
Devuan's sshd_config, like Debian's, starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory overrides anything in the main file, whereas a line appended to the end of sshd_config is silently ignored if the keyword is already set earlier. Do this only once a key-based login as admin has been confirmed to work, and keep the current session open until the new configuration has been tested.
cat > /etc/ssh/sshd_config.d/hardening.conf <<\EOF
PermitRootLogin no
PasswordAuthentication no
EOF
sshd -t && service ssh restart
# check the effective configuration, not the file
sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '
- Install syslog-ng-core - needed for Fail2ban on Excalibur (at least as of 1.1.0-8), without it attempts to (un)install Fail2ban fail badly
apt update && apt install syslog-ng-core
- Install Fail2ban
First add a config file to instruct fail2ban to use IP sets (if you administer the VPS from a fixed address, add it to ignoreip as well so that a few mistyped passphrases can't lock you out):
mkdir -p /etc/fail2ban/jail.d
cat > /etc/fail2ban/jail.d/defaults-debian.local <<\EOF
[DEFAULT]
usedns = no
ignoreip = 127.0.0.1/8
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

[sshd]
backend = auto
enabled = true
EOF
Then install the fail2ban package, along with ipset and the python3-pyinotify module, and check that the sshd jail came up:
apt update && apt install ipset python3-pyinotify fail2ban
fail2ban-client status sshd
Courtesy of Bob Proulx on the DNG list.
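The installer left xvdb without swap, and the list above does not revisit it. Here, as an added example that is not part of the original post, is the form a full-disk-encryption setup actually wants: swap on xvdb as a plain dm-crypt mapping keyed from /dev/urandom at every boot, so pages swapped out of memory never reach the disk in clear and there is nothing extra to unlock. It assumes the Debian/Devuan cryptsetup package, whose cryptdisks init script reads /etc/crypttab and, for the swap option, runs mkswap on the opened mapping itself, and that /dev/xvdb is the 1G disk from earlier; the mapping name cswap is arbitrary. Run it as root with --apply; without the flag it only defines the functions.

```sh
#!/bin/sh
# Added example (not from the original post): random-key encrypted swap on
# xvdb. Assumed: Debian/Devuan cryptsetup (crypttab handled by its cryptdisks
# init script, "swap" option formats the mapping), /dev/xvdb as the swap disk.

# ensure_line FILE LINE : append LINE to FILE unless it is already there verbatim.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# configure_encrypted_swap CRYPTTAB FSTAB NAME DEVICE
#   Writes the crypttab entry (key from /dev/urandom at each boot, 512-bit key
#   = AES-256-XTS, mkswap run by cryptsetup) and the matching fstab entry.
#   Idempotent, and file paths are parameters so it can be exercised on copies.
configure_encrypted_swap() {
    crypttab="$1"; fstab="$2"; name="$3"; dev="$4"
    ensure_line "$crypttab" "$name $dev /dev/urandom swap,cipher=aes-xts-plain64,size=512"
    ensure_line "$fstab" "/dev/mapper/$name none swap sw 0 0"
}

# apply : write the real files and bring the swap up now.
apply() {
    dev=/dev/xvdb                      # assumed: the 1G swap disk from the post
    # Refuse if the disk carries a filesystem: the random key makes anything on
    # it unrecoverable the first time the mapping is set up.
    if [ -n "$(blkid -p -o value -s TYPE "$dev" 2>/dev/null)" ]; then
        echo "$dev has a filesystem signature; not touching it" >&2
        return 1
    fi
    configure_encrypted_swap /etc/crypttab /etc/fstab cswap "$dev"
    cryptdisks_start cswap && swapon -a && swapon --show
}

# Only touch the real system when asked to; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Because the key is discarded at every reboot, nothing written to swap survives a restart, which is what a server without hibernation wants; the device name /dev/xvdb is stable on Xen, which is why a plain device path rather than a UUID is used in crypttab.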