Devuan Excalibur with full-disk encryption on a BitFolk VPS

Before starting, I'd recommend grabbing a copy of your BitFolk VPS's network
configuration - usually at '/etc/network/interfaces' - from an existing
installation to make things easier later when installing Devuan from scratch.

We will be using BitFolk's Xen Shell, so make sure you can access it. The Xen
Shell page on the BitFolk wiki can help get you started:

    https://tools.bitfolk.com/wiki/Xen_Shell

From the Xen Shell, let's verify using the 'status' command that our VPS is
shut down and not running:

    xen-shell> status
    Guest: Shutdown

Great, we can get started. Let's boot into the rescue environment using the
'rescue' command.

    xen-shell> rescue
    Booting rescue instance: dasht
    ...
    Debian GNU/Linux 11 rescue hvc0

    ****************************************
    Resetting user password to random value:
    New user password: hunter2
    ****************************************
    ...
    rescue login:

Once the rescue environment has finished booting, we will be dropped into a
'rescue login:' prompt. As of now, the username is 'user' and the password will
be the randomly-generated value output to the screen a few lines earlier.

Once logged in, we can check the known disks using 'lsblk':

    user@rescue:~$ lsblk
    NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    loop0     7:0    0 298.6M  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
    xvda    202:0    0    15G  0 disk
    ├─xvda1 202:1    0  14.2G  0 part
    ├─xvda2 202:2    0     1K  0 part
    └─xvda5 202:5    0   842M  0 part
    xvdb    202:16   0     1G  0 disk
    xvdc    202:32   0    50G  0 disk

In my case 'xvda' is the primary SSD-backed storage, 'xvdb' is for use as swap,
and 'xvdc' is my optional archive storage on SATA HDD (slower).

Since Devuan Excalibur is not offered by BitFolk as a supported distribution
(you can see a list of them using the 'help install' command in the Xen Shell),
we will download and write a copy of the Devuan Excalibur installation image
onto 'xvdb', boot it, and do the installation.
We will later re-partition 'xvdb' for use as swap space as originally intended.

I start by becoming root by running 'sudo -i', then running 'df -h .' to check
if there's enough free space in the current partition for downloading a copy of
the Excalibur mini.iso. The Excalibur mini.iso is around 64M, so there should
be plenty of space on the disk for it.

    root@rescue:~# command -v wget || { apt update && apt install wget; }
    root@rescue:~# wget https://pkgmaster.devuan.org/devuan/dists/excalibur/main/installer-amd64/current/images/netboot/mini.iso
    root@rescue:~# ls -lh mini.iso
    -rw-r--r-- 1 root root 64M Jan 11 07:15 mini.iso

I'll write it to 'xvdb' as explained above and issue a 'sync' for good measure:

    root@rescue:~# dd if=mini.iso of=/dev/xvdb bs=4M status=progress
    16+0 records in
    16+0 records out
    67108864 bytes (67 MB, 64 MiB) copied, 0.0529485 s, 1.3 GB/s
    root@rescue:~# sync

At this point we will create and write a new empty GPT partition table onto
'xvda' to prevent BitFolk's GRUB from booting into our VPS's existing operating
system.

*WARNING* this will make the currently installed operating system and any other
data stored on your VPS effectively inaccessible, so make sure you have backed
up any data you'd like to keep.

    root@rescue:~# fdisk /dev/xvda

    Welcome to fdisk (util-linux 2.36.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.


    Command (m for help): g
    Created a new GPT disklabel (GUID: FB261B60-D062-4C4A-825A-536B9C30EFA6).
    The device contains 'dos' signature and it will be removed by a write command.
    See fdisk(8) man page and --wipe option for more details.

    Command (m for help): w
    The partition table has been altered.
    Calling ioctl() to re-read partition table.
    Syncing disks.
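Between the 'wget' and the 'dd' above it is worth checking the image against the mirror's checksum list, so that a truncated or corrupted download is never written to 'xvdb'. The script below is an added example, not part of the original write-up; it assumes the Devuan mirror publishes a 'SHA256SUMS' file one directory above 'netboot/', as the Debian installer image tree does.

```shell
#!/bin/sh
# Verify mini.iso against the mirror's SHA256SUMS before writing it to /dev/xvdb.
# Assumed location of the checksum list (mirrors Debian's installer layout):
SUMS_URL='https://pkgmaster.devuan.org/devuan/dists/excalibur/main/installer-amd64/current/images/SHA256SUMS'

# expected_sha256 SUMSFILE NAME
# Print the hash listed for NAME. Entries look like
#   <hash>  ./netboot/mini.iso     (or "*./netboot/mini.iso" in binary mode)
# so a leading "*" and "./" are stripped before comparing names.
expected_sha256() {
    awk -v name="$2" '
        NF >= 2 {
            f = $2
            sub(/^\*/, "", f)
            sub(/^\.\//, "", f)
            if (f == name) { print $1; exit }
        }' "$1"
}

# verify_iso ISO SUMSFILE NAME
# Return 0 when ISO's SHA-256 matches the entry for NAME, 1 on a mismatch,
# 2 when the list has no entry for NAME. Messages go to stderr.
verify_iso() {
    expected=$(expected_sha256 "$2" "$3")
    if [ -z "$expected" ]; then
        echo "no entry for $3 in $2" >&2
        return 2
    fi
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $1 is $actual, list says $expected; do not dd it" >&2
        return 1
    fi
    echo "OK: $1 matches $3" >&2
}

# In the rescue environment, after the wget above:
#   wget "$SUMS_URL" \
#     && verify_iso mini.iso SHA256SUMS netboot/mini.iso \
#     && dd if=mini.iso of=/dev/xvdb bs=4M status=progress
```

The checksum list comes from the same mirror over the same channel as the image, so this catches download corruption rather than a compromised mirror; the signed Release file is the stronger check if that is the concern.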
Let's check with 'lsblk' again to make sure our disk layouts look as expected:

    root@rescue:~# lsblk
    NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    loop0     7:0    0 298.6M  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
    xvda    202:0    0    15G  0 disk
    xvdb    202:16   0     1G  0 disk
    ├─xvdb1 202:17   0    58M  0 part
    ├─xvdb2 202:18   0   3.5M  0 part
    └─xvdb3 202:19   0     6M  0 part
    xvdc    202:32   0    50G  0 disk

Great, we can now shut down and exit the rescue environment:

    root@rescue:~# poweroff

Back at the Xen Shell, issuing the 'boot' command should boot our VPS and drop
us into BitFolk's GNU GRUB and subsequently into that of the Excalibur
mini.iso.

    xen-shell> boot
    ...
    GNU GRUB  version 2.11

    +----------------------------------------------------------------------------+
    |*Install                                                                    |
    | Advanced options ...                                                       |
    | Accessible dark contrast installer menu ...                                |
    |                                                                            |
    |                                                                            |
    |                                                                            |
    +----------------------------------------------------------------------------+

        Use the ^ and v keys to select which entry is highlighted.
        Press enter to boot the selected OS, `e' to edit the commands
        before booting or `c' for a command-line. ESC to return previous
        menu.

I'll choose 'Advanced options ...', then at the next screen, I will press 'e'
on '... Expert install' to edit it and add 'console=hvc0' to the 'linux' line
to specify the right console so we can see the output in our Xen console:

    GNU GRUB  version 2.11

    +----------------------------------------------------------------------------+
    |setparams '... Expert install'                                              |
    |                                                                            |
    |    set background_color=black                                              |
    |    linux    /linux priority=low vga=788 console=hvc0 ---                   |
    |    initrd   /initrd.gz                                                     |
    |                                                                            |
    +----------------------------------------------------------------------------+

        Minimum Emacs-like screen editing is supported. TAB lists
        completions. Press Ctrl-x or F10 to boot, Ctrl-c or F2 for a
        command-line or ESC to discard edits and return to the GRUB menu.
We can now boot into the Expert install by pressing 'Ctrl-x', which should
present us with the Devuan installer's main menu:

    ┌─────────┤ [?] Devuan installer main menu ├─────────┐
    │                                                    │
    │ Choose the next step in the install process:       │
    │                                                    │
    │   Choose language                                  │
    │   Access the installer using a Braille display     │
    │   Configure the keyboard                           │
    │   Detect network hardware                          │
    │   Configure the network                            │
    │   Choose a mirror of the Devuan archive            │
    │   Download installer components                    │
    │   Select an init system                            │
    │   Change debconf priority                          │
    │   Save debug logs                                  │
    │   Execute a shell                                  │
    │   Abort the installation                           │
    │                                                    │
    └────────────────────────────────────────────────────┘

Here we can start working through the steps as we would for a typical Devuan
install. For the 'Configure the network' step, auto-configuring the network
might work for you, but it didn't for me, so I entered the details manually,
starting with the IP address and netmask:

    ┌─────────────────┤ [!!] Configure the network ├──────────────────┐
    │                                                                 │
    │ The IP address is unique to your computer and may be:           │
    │                                                                 │
    │  * four numbers separated by periods (IPv4);                    │
    │  * blocks of hexadecimal characters separated by colons (IPv6). │
    │                                                                 │
    │ You can also optionally append a CIDR netmask (such as "/24").  │
    │                                                                 │
    │ If you don't know what to use here, consult your network        │
    │ administrator.                                                  │
    │                                                                 │
    │ IP address:                                                     │
    │                                                                 │
    │ 85.119.82.6/21_________________________________________________ │
    │                                                                 │
    └─────────────────────────────────────────────────────────────────┘

Then the gateway:

    ┌────────────────────┤ [!!] Configure the network ├─────────────────────┐
    │                                                                       │
    │ The gateway is an IP address (four numbers separated by periods) that │
    │ indicates the gateway router, also known as the default router. All   │
    │ traffic that goes outside your LAN (for instance, to the Internet) is │
    │ sent through this router. In rare circumstances, you may have no      │
    │ router; in that case, you can leave this blank. If you don't know     │
    │ the proper answer to this question, consult your network              │
    │ administrator.                                                        │
    │                                                                       │
    │ Gateway:                                                              │
    │                                                                       │
    │ 85.119.80.1__________________________________________________________ │
    │                                                                       │
    └───────────────────────────────────────────────────────────────────────┘

And the name servers:

    ┌────────────────────┤ [!!] Configure the network ├─────────────────────┐
    │                                                                       │
    │ The name servers are used to look up host names on the network.      │
    │ Please enter the IP addresses (not host names) of up to 3 name        │
    │ servers, separated by spaces. Do not use commas. The first name       │
    │ server in the list will be the first to be queried. If you don't want │
    │ to use any name server, just leave this field blank.                  │
    │                                                                       │
    │ Name server addresses:                                                │
    │                                                                       │
    │ 85.119.80.232 85.119.80.233__________________________________________ │
    │                                                                       │
    └───────────────────────────────────────────────────────────────────────┘

For the 'Download installer components' step, you'll probably want to select
at least these components for inclusion:

- crypto-dm-modules
- fdisk-udeb
- parted-udeb
- rescue-mode

Your installer menu should look something like this after downloading the
additional components:

    ┌─────────┤ [?] Devuan installer main menu ├─────────┐
    │                                                    │
    │ Choose the next step in the install process:       │
    │                                                    │
    │   Choose language                                - │
    │   Access the installer using a Braille display   ▒ │
    │   Configure the keyboard                         ▒ │
    │   Detect network hardware                        ▒ │
    │   Configure the network                          ▒ │
    │   Choose a mirror of the Devuan archive          0 │
    │   Download installer components                  ▒ │
    │   Set up users and passwords                     ▒ │
    │   Configure the clock                            ▒ │
    │   Detect disks                                   ▒ │
    │   Partition disks                                ▒ │
    │   Install the base system                        ▒ │
    │   Configure the package manager                  ▒ │
    │   Select and install software                    . │
    │                                                    │
    └────────────────────────────────────────────────────┘

At the 'Partition disks' step, for 'Partitioning method' we will scroll down
and choose 'Manual', and will be presented with something like this:

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ This is an overview of your currently configured partitions and mount   │
    │ points. Select a partition to modify its settings (file system, mount   │
    │ point, etc.), a free space to create partitions, or a device to         │
    │ initialize its partition table.                                         │
    │                                                                         │
    │   Guided partitioning                                                 - │
    │   Configure software RAID                                             0 │
    │   Configure the Logical Volume Manager                                ▒ │
    │   Configure encrypted volumes                                         ▒ │
    │   Configure iSCSI volumes                                             ▒ │
    │                                                                       ▒ │
    │   Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device            ▒ │
    │   >        16.1 GB      FREE SPACE                                    ▒ │
    │   Virtual disk 2 (xvdb) - 1.1 GB Xen Virtual Block Device             . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

Now at the partition manager utility, we'll create 2 partitions under 'xvda':
one for '/boot' (unencrypted), and the other for '/' (sitting on the
LUKS-encrypted partition). Scroll down and select the 'FREE SPACE' under
'Virtual disk 1 (xvda)', then 'Create a new partition'. For partition size
enter '550 MB', create the partition at the 'Beginning' of the available
space, and at the 'Partition settings' screen, set 'Mount point' to '/boot -
static files of the boot loader', and optionally enter a 'Label':

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ You are editing partition #1 of Virtual disk 1 (xvda). No existing      │
    │ file system was detected in this partition.                             │
    │                                                                         │
    │ Partition settings:                                                     │
    │                                                                         │
    │   Name:                dboot                                          - │
    │   Use as:              Ext4 journaling file system                    0 │
    │                                                                       ▒ │
    │   Mount point:         /boot                                          ▒ │
    │   Mount options:       defaults                                       ▒ │
    │   Label:               dboot                                          ▒ │
    │   Reserved blocks:     5%                                             ▒ │
    │   Typical usage:       standard                                       ▒ │
    │   Bootable flag:       off                                            . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

Then scroll down and select 'Done setting up the partition'. Back at the
partition manager utility, select the remaining 'FREE SPACE', then 'Create a
new partition' again. For partition size, confirm the presented default of the
remaining available disk space. At the 'Partition settings' screen, change
'Use as' to 'physical volume for encryption' for this partition:

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ You are editing partition #1 of Virtual disk 1 (xvda). No existing      │
    │ file system was detected in this partition.                             │
    │                                                                         │
    │ Partition settings:                                                     │
    │                                                                         │
    │   Name:                                                               - │
    │   Use as:              physical volume for encryption                 0 │
    │   Encryption method:   Device-mapper (dm-crypt)                       ▒ │
    │                                                                       ▒ │
    │   Encryption:          aes                                            ▒ │
    │   Key size:            256                                            ▒ │
    │   IV algorithm:        xts-plain64                                    ▒ │
    │   Encryption key:      Passphrase                                     ▒ │
    │   Erase data:          yes                                            . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

Then scroll down and select 'Done setting up the partition'. Now at the
partition manager, you should see something like this:

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ This is an overview of your currently configured partitions and mount   │
    │ points. Select a partition to modify its settings (file system, mount   │
    │ point, etc.), a free space to create partitions, or a device to         │
    │ initialize its partition table.                                         │
    │                                                                         │
    │   Configure software RAID                                             - │
    │   Configure the Logical Volume Manager                                ▒ │
    │   Configure encrypted volumes                                         ▒ │
    │   Configure iSCSI volumes                                             ▒ │
    │                                                                       0 │
    │   Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device            ▒ │
    │   >         1.0 MB      FREE SPACE                                    ▒ │
    │   >  #1   549.5 MB  f  ext4  dboot  /boot                             ▒ │
    │   >  #2    15.6 GB  K  crypto        not active                       . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

We'll now select 'Configure encrypted volumes', and confirm that we are okay
with writing the current partitioning scheme to the disk to proceed further.
At the next menu, 'Encryption configuration actions', select 'Create encrypted
volumes', and select the right partition for encryption (here '/dev/xvda2',
indicated as 'crypto'):

    ┌─────────────────┤ [!!] Partition disks ├──────────────────┐
    │                                                           │
    │ Please select the devices to be encrypted.                │
    │                                                           │
    │ You can select one or more devices.                       │
    │                                                           │
    │ Devices to encrypt:                                       │
    │                                                           │
    │   [ ] /dev/xvda   free #1  (1MB; FREE SPACE)              │
    │   [ ] /dev/xvda1           (549MB; ext4)                  │
    │   [*] /dev/xvda2           (15554MB; crypto)              │
    │   [ ] /dev/xvda   free #2  (1MB; FREE SPACE)              │
    │   [ ] /dev/xvdb2           (3MB)                          │
    │   [ ] /dev/xvdb   free #1  (56MB; FREE SPACE)             │
    │   [ ] /dev/xvdb3           (6MB)                          │
    │   [ ] /dev/xvdb   free #2  (1006MB; FREE SPACE)           │
    │                                                           │
    └───────────────────────────────────────────────────────────┘

Then back at the 'Encryption configuration actions' screen, this time select
'Finish', and say 'Yes' to erasure of the data on the partition you just
selected, confirming you selected the right one. Once erasing the data on the
selected partition is done, we'll be prompted to choose an encryption
passphrase. Make it a secure one, and make sure not to lose it, otherwise you
WILL lose access to all of the data on your VPS. Now at the partition manager
we see the following:

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ This is an overview of your currently configured partitions and mount   │
    │ points. Select a partition to modify its settings (file system, mount   │
    │ point, etc.), a free space to create partitions, or a device to         │
    │ initialize its partition table.                                         │
    │                                                                         │
    │   Configure encrypted volumes                                         - │
    │   Configure iSCSI volumes                                             ▒ │
    │                                                                       ▒ │
    │   Encrypted volume (xvda2_crypt) - 15.5 GB Linux device-mapper (cry   ▒ │
    │   >  #1    15.5 GB  f  ext4                                           0 │
    │   Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device            ▒ │
    │   >         1.0 MB      FREE SPACE                                    ▒ │
    │   >  #1   549.5 MB  F  ext4  dboot  /boot                             ▒ │
    │   >  #2    15.6 GB  K  crypto        (xvda2_crypt                     . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

Select the line under 'Encrypted volume (xvda2_crypt)', then in 'Partition
settings' scroll up and change 'Use as' to 'Ext4 journaling file system' (or
any of the other file system options presented, e.g. 'btrfs' or 'XFS', if you
prefer), then change 'Mount point' to '/ - the root file system', optionally
enter a 'Label', and finally select 'Done setting up the partition':

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ You are editing partition #1 of Encrypted volume (xvda2_crypt). No      │
    │ existing file system was detected in this partition.                    │
    │                                                                         │
    │ Partition settings:                                                     │
    │                                                                         │
    │   Use as:              Ext4 journaling file system                    - │
    │                                                                       0 │
    │   Mount point:         /                                              ▒ │
    │   Mount options:       defaults                                       ▒ │
    │   Label:               droot                                          ▒ │
    │   Reserved blocks:     5%                                             ▒ │
    │   Typical usage:       standard                                       ▒ │
    │                                                                       ▒ │
    │   Erase data on this partition                                        . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

The partition manager should now look similar to the following:

    ┌────────────────────────┤ [!!] Partition disks ├─────────────────────────┐
    │                                                                         │
    │ This is an overview of your currently configured partitions and mount   │
    │ points. Select a partition to modify its settings (file system, mount   │
    │ point, etc.), a free space to create partitions, or a device to         │
    │ initialize its partition table.                                         │
    │                                                                         │
    │                                                                       - │
    │   Encrypted volume (xvda2_crypt) - 15.5 GB Linux device-mapper (cry   ▒ │
    │   >  #1    15.5 GB  f  ext4         /                                 ▒ │
    │   Virtual disk 1 (xvda) - 16.1 GB Xen Virtual Block Device            0 │
    │   >         1.0 MB      FREE SPACE                                    ▒ │
    │   >  #1   549.5 MB  F  ext4  dboot  /boot                             ▒ │
    │   >  #2    15.6 GB  K  crypto        (xvda2_crypt                     ▒ │
    │   >         1.0 MB      FREE SPACE                                    ▒ │
    │   Virtual disk 2 (xvdb) - 1.1 GB Xen Virtual Block Device             . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

We are finally ready to proceed with the rest of the installation, so we'll
scroll down and select 'Finish partitioning and write changes to disk'. The
installer will prompt us that we haven't set up a swap partition, but that's
okay, we can finish the installation without one and make one later. We'll
confirm the pending changes to proceed. Back at the main installer menu we'll
select 'Install the base system' to begin the installation.
Later at the 'Software selection' step, you'll probably want to unselect any
graphical desktop environments to preserve disk space, and instead select
'SSH server' and perhaps 'web server' depending on your use-cases for your VPS:

    ┌───────────────────────┤ [!] Software selection ├────────────────────────┐
    │                                                                         │
    │ At the moment, only the core of the system is installed. To tune the    │
    │ system to your needs, you can choose to install one or more of the      │
    │ following predefined collections of software.                           │
    │                                                                         │
    │ Choose software to install:                                             │
    │                                                                         │
    │   [ ] Devuan desktop environment                                      - │
    │   [ ] ... Xfce                                                        0 │
    │   [ ] ... MATE                                                        ▒ │
    │   [ ] ... Cinnamon                                                    ▒ │
    │   [ ] ... GNOME                                                       ▒ │
    │   [ ] ... KDE                                                         ▒ │
    │   [ ] ... LXDE                                                        ▒ │
    │   [ ] ... LXQt                                                        . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

    ┌───────────────────────┤ [!] Software selection ├────────────────────────┐
    │                                                                         │
    │ At the moment, only the core of the system is installed. To tune the    │
    │ system to your needs, you can choose to install one or more of the      │
    │ following predefined collections of software.                           │
    │                                                                         │
    │ Choose software to install:                                             │
    │                                                                         │
    │   [ ] ... LXDE                                                        - │
    │   [ ] ... LXQt                                                        ▒ │
    │   [ ] ... GNOME Flashback                                             ▒ │
    │   [*] web server                                                      ▒ │
    │   [ ] Console productivity                                            ▒ │
    │   [*] SSH server                                                      ▒ │
    │   [*] standard system utilities                                       0 │
    │   [ ] Choose a Debian Blend for installation.                         . │
    │                                                                         │
    └─────────────────────────────────────────────────────────────────────────┘

At the GRUB boot loader installation step, for 'Device for boot loader
installation' select '/dev/xvda'. Finally, 'Finish the installation' at the
main installer menu. Your VPS will reboot at the end.

At the Xen Shell, type 'console' to reattach to the console. If the BitFolk
GRUB boots the installer from '/dev/xvdb' again instead of the new system,
press 'Ctrl+]' to detach from the console, then at the Xen Shell type
'destroy' to force a power-off of your VPS.
Now that we have a Devuan installation on '/dev/xvda', we'll boot into the
rescue environment again and make a new empty partition table on '/dev/xvdb'
so the BitFolk GRUB doesn't get confused.

    root@rescue:~# fdisk /dev/xvdb

    Welcome to fdisk (util-linux 2.36.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.

    The device contains 'iso9660' signature and it will be removed by a write command.
    See fdisk(8) man page and --wipe option for more details.


    Command (m for help): g
    Created a new GPT disklabel (GUID: 697515E7-C86D-4482-A4EB-A7E69592F330).
    The device contains 'iso9660' signature and it will be removed by a write command.
    See fdisk(8) man page and --wipe option for more details.

    Command (m for help): w
    The partition table has been altered.
    Calling ioctl() to re-read partition table.
    Syncing disks.

We should now be able to boot into our new Devuan installation.

    xen-shell> boot
    ...
    GNU GRUB  version 2.11

    +----------------------------------------------------------------------------+
    |*Devuan GNU/Linux                                                           |
    | Advanced options for Devuan GNU/Linux                                      |
    |                                                                            |
    |                                                                            |
    |                                                                            |
    +----------------------------------------------------------------------------+

        Use the ^ and v keys to select which entry is highlighted.
        Press enter to boot the selected OS, `e' to edit the commands
        before booting or `c' for a command-line. ESC to return previous
        menu.

As a reminder, the first time booting into Devuan we'll need to set the right
console by pressing 'e' on the 'Devuan GNU/Linux' entry to edit it and add
'console=hvc0' to the 'linux' line, so we can see the output in our Xen
console. To persist this, once booted into Devuan, we'll need to edit
'/etc/default/grub', add 'console=hvc0' to 'GRUB_CMDLINE_LINUX', and run
'update-grub' to regenerate the GRUB config.
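Once booted into the new system it is worth confirming what the installer actually wrote to the LUKS header: with the 'Key size: 256' shown in the partition settings above and the 'xts-plain64' mode, XTS splits the key into two halves, so the volume is effectively AES-128 (512 would give AES-256). The script below is an added example, not part of the original write-up; it parses 'cryptsetup luksDump' output read from stdin (the embedded samples are constructed to mirror LUKS2 and LUKS1 output) and reports the effective strength.

```shell
#!/bin/sh
# Report the cipher and effective AES key length of a LUKS container from
# "cryptsetup luksDump" output read on stdin. XTS uses two keys, so a
# 256-bit key with aes-xts-plain64 is effectively AES-128.

# luks_params < dump  ->  prints "<cipher> <key bits> <effective bits>"
luks_params() {
    awk '
        # LUKS2: data segment "cipher: aes-xts-plain64", keyslot "Cipher key: 256 bits"
        tolower($1) == "cipher:" && cipher == "" { cipher = $2 }
        $1 == "Cipher" && $2 == "key:"              { bits = $3 }
        # LUKS1: "Cipher name: aes", "Cipher mode: xts-plain64", "MK bits: 256"
        $1 == "Cipher" && $2 == "name:"             { name = $3 }
        $1 == "Cipher" && $2 == "mode:"             { mode = $3 }
        $1 == "MK" && $2 == "bits:"                 { bits = $3 }
        END {
            if (cipher == "" && name != "") cipher = name "-" mode
            eff = bits + 0
            if (cipher ~ /-xts-/) eff = eff / 2
            print cipher, bits + 0, eff
        }'
}

# luks_strong_enough [MIN_BITS] < dump  ->  0 if effective bits >= MIN_BITS (default 256)
luks_strong_enough() {
    want="${1:-256}"
    set -- $(luks_params)
    echo "cipher=$1 key=$2 bits effective=AES-$3" >&2
    [ "$3" -ge "$want" ]
}

# Constructed sample: a LUKS2 header made with aes / 256 / xts-plain64, as in
# the installer dialog above. Only the lines the parser looks at are included.
SAMPLE_LUKS2='LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      argon2id'

# Constructed sample: an older LUKS1 header formatted with a 512-bit key.
SAMPLE_LUKS1='LUKS header information for /dev/xvda2
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512'

# Live use on the installed system (needs root):
#   cryptsetup luksDump /dev/xvda2 | luks_strong_enough
printf '%s\n' "$SAMPLE_LUKS2" | luks_strong_enough \
    || echo "a 256-bit XTS key is AES-128; choose key size 512 for AES-256" >&2
```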
-*- Post-installation steps (optional) ----------------------------------

The rest of this document outlines some post-installation steps I'd typically
take after a new Devuan installation, with inspiration from Drew DeVault's new
server checklist[1].

- Set root password

      passwd root

- Install Git and etckeeper

      apt update && apt install git etckeeper

- Regenerate sshd host keys

      # for additional entropy
      apt update && apt install haveged
      # back up existing keys
      bkdir="/etc/ssh/orig-ssh-host-keys-$(date '+%Y%m%d')"
      mkdir "$bkdir"
      mv /etc/ssh/ssh_host_* "$bkdir"/
      # with no host keys present, reconfiguring openssh-server generates new ones
      dpkg-reconfigure openssh-server

- Add admin user (if not done during installation)

      adduser admin
      adduser admin sudo

- Add admin's SSH keys

      mkdir -p ~admin/.ssh
      cat > ~admin/.ssh/authorized_keys <<\EOF
      TODO: ssh pubkeys here
      EOF
      chown -R admin:admin ~admin/.ssh

- Add admin user to 'adm' and 'staff' groups - useful for reading 'adm'-owned
  '/var/log/*.log' files without privilege escalation

      adduser admin adm
      adduser admin staff

- Make '/usr/local' owned and writable by the 'staff' group - useful for
  installing software into '/usr/local' without privilege escalation

      find /usr/local -type d -exec chgrp staff {} +
      find /usr/local -type d -exec chmod g+ws {} +

- Disable root login via SSH

      # sshd keeps the first value it reads for a keyword, so an appended line
      # only takes effect if nothing earlier in sshd_config (or in a file pulled
      # in by an 'Include' line) already sets it; check the effective value with
      # 'sshd -T' and restart sshd afterwards
      echo 'PermitRootLogin no' >> /etc/ssh/sshd_config

- Disable password login via SSH

      echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config

- Install syslog-ng-core - needed for Fail2ban on Excalibur (at least as of
  '1.1.0-8'); without it, attempts to (un)install Fail2ban fail badly

      apt update && apt install syslog-ng-core

- Install Fail2ban

  First add a config file to instruct fail2ban to use IP sets:

      mkdir -p /etc/fail2ban/jail.d
      cat > /etc/fail2ban/jail.d/defaults-debian.local <<\EOF
      [DEFAULT]
      usedns = no
      ignoreip = 127.0.0.1/8
      banaction = iptables-ipset-proto6
      banaction_allports = iptables-ipset-proto6-allports

      [sshd]
      backend = auto
      enabled = true
      EOF

  Then install the 'fail2ban' package, along with 'ipset' and the
  'python3-pyinotify' module:

      apt update && apt install ipset python3-pyinotify fail2ban

  Courtesy of Bob Proulx on the DNG list[2].

[1] https://drewdevault.com/new-server.html
[2] https://lists.dyne.org/lurker/message/20251107.201551.bdb21eb4.en.html

16 February 2026 - marked CC0 1.0