How to install Ubuntu 22.04 with full disk encryption


Introduction

The installimage script in the Hetzner Rescue System offers an easy way to install various Linux distributions.

This tutorial shows how to use installimage to install an encrypted Ubuntu 22.04 system and add remote unlocking via SSH (dropbear) to the initramfs, which is stored on a separate, unencrypted /boot partition.

Prerequisites
  • Hetzner account
  • The server has been booted into the rescue system.
  • RSA, ECDSA, or ED25519 SSH public key
  • No private networks are connected in Hetzner Cloud

Step 1 – Create or copy the SSH public key

To unlock the encrypted system remotely, you need an SSH key. You will use this key later to log in to the dropbear SSH daemon while the system is booting. The dropbear version included in Ubuntu 22.04 supports RSA, ECDSA, and ED25519 keys. If you do not have such a key, you need to create one. We recommend ED25519 or ECDSA keys.

For example, to create an ED25519 SSH key, run:

ssh-keygen -t ed25519

Copy the public key to the rescue system, e.g. using scp:

scp ~/.ssh/id_ed25519.pub root@<your-host>:/tmp/authorized_keys

Step 2 – Create or copy the installimage configuration file

When installimage is invoked without any options, it starts in interactive mode and opens an editor after you select a distribution image. After you exit the editor, the installation continues and the resulting configuration is saved as /installimage.conf on the installed system. In this tutorial, we pass such a configuration file directly instead of editing it interactively.

Create a file /tmp/setup.conf on the rescue system with the following content, or copy a prepared file to the server.

Note: Replace secret with a strong password and adjust the drive name and partitioning as needed.

CRYPTPASSWORD secret
DRIVE1 /dev/sda
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART / ext4 all crypt
IMAGE /root/images/Ubuntu-2204-jammy-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys

This configuration installs Ubuntu on a single drive (/dev/sda) with an encrypted root partition and a separate, unencrypted /boot partition, which is required for remote unlocking because the initramfs with dropbear must be readable before the root partition is unlocked.

Step 3 – Create or copy the post-installation script

To unlock the encrypted partition remotely, we need to install the dropbear SSH server and add it to the initramfs stored on the unencrypted /boot partition. Installing dropbear-initramfs also pulls dhclient into the initramfs for network configuration, but without its extra hooks. To make this work on Hetzner Cloud, we need to add a hook that includes support for RFC 3442 classless static routes.

To perform these additional steps, we need a post-installation script for installimage.

Create a file /tmp/post-install.sh on the rescue system with the following content:

#!/bin/bash

add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "\$PREREQ"
}

case \$1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

if [ ! -x /sbin/dhclient ]; then
    exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

# Copy the classless-static-routes exit hook into the initramfs so that
# dhclient applies the RFC 3442 routes handed out in Hetzner Cloud
mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

  chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}

remove_unwanted_netplan_config() {
  cat << EOF > /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
#!/bin/sh

# Remove the netplan config generated in the initramfs; otherwise it
# leaves unwanted routes behind once the real system takes over
if [ -d "/run/netplan" ]; then
    interface=\$(ls /run/netplan/ | cut -d'.' -f1)

    if [ \${interface:+x} ]; then
        rm -f /run/netplan/"\${interface}".yaml
    fi
fi
EOF

  chmod +x /etc/initramfs-tools/scripts/init-bottom/remove_unwanted_netplan_config
}

# Install rfc3442 hook
add_rfc3442_hook

# Add an initramfs-tools script that removes /run/netplan/{interface}.yaml,
# because it creates unwanted routes
remove_unwanted_netplan_config

# Update the package lists and install the initramfs unlock components
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

# Copy the SSH keys for dropbear and change its options:
# -I 600 idle timeout, -j/-k disable local/remote port forwarding,
# -p 2222 listen port, -s disable password logins
cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/
sed -i 's/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"/' /etc/dropbear/initramfs/dropbear.conf

dpkg-reconfigure dropbear-initramfs
update-initramfs -u

Important: Make the script executable after creating it:

chmod +x /tmp/post-install.sh

Step 4 – Start the installation

Before starting the installation, double-check the contents of the following files:

  • /tmp/authorized_keys – Your public SSH key (RSA, ECDSA, or ED25519)
  • /tmp/setup.conf – installimage config
  • /tmp/post-install.sh – is executable and contains the post-installation script.
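The three files above can be checked mechanically before installimage is started. The following pre-flight script is an added example and is not part of the tutorial or of installimage itself; it takes the three paths as arguments and checks exactly the points listed above: a usable key type in authorized_keys, an encrypted root and an unencrypted /boot in setup.conf, a CRYPTPASSWORD that is no longer the placeholder secret, an SSHKEYS_URL that points at a readable file, and an executable post-install script.

```shell
#!/bin/bash
# Added pre-flight check for the installimage inputs (not part of the tutorial).
# Usage: preflight_check /tmp/authorized_keys /tmp/setup.conf /tmp/post-install.sh
preflight_check() {
  local keys="$1" conf="$2" post="$3" rc=0 keyurl

  # authorized_keys: at least one key of a type the initramfs dropbear accepts
  if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) ' "$keys" 2>/dev/null; then
    echo "FAIL: $keys contains no RSA, ECDSA or ED25519 public key"; rc=1
  fi

  # setup.conf: root must be encrypted, /boot must exist and stay unencrypted
  if ! grep -Eq '^PART[[:space:]]+/[[:space:]].*[[:space:]]crypt([[:space:]]|$)' "$conf" 2>/dev/null; then
    echo "FAIL: $conf has no encrypted root (PART / <fs> <size> crypt)"; rc=1
  fi
  if ! grep -Eq '^PART[[:space:]]+/boot[[:space:]]' "$conf" 2>/dev/null \
     || grep -Eq '^PART[[:space:]]+/boot[[:space:]].*[[:space:]]crypt([[:space:]]|$)' "$conf" 2>/dev/null; then
    echo "FAIL: $conf needs a separate, unencrypted /boot partition"; rc=1
  fi

  # CRYPTPASSWORD must be set and must not be the tutorial's placeholder "secret"
  if ! grep -Eq '^CRYPTPASSWORD[[:space:]]+[^[:space:]]+' "$conf" 2>/dev/null \
     || grep -Eqi '^CRYPTPASSWORD[[:space:]]+secret[[:space:]]*$' "$conf" 2>/dev/null; then
    echo "FAIL: $conf is missing CRYPTPASSWORD or still uses the placeholder"; rc=1
  fi

  # SSHKEYS_URL must point at the key file that was actually copied over
  keyurl=$(awk '$1 == "SSHKEYS_URL" { print $2 }' "$conf" 2>/dev/null)
  if [ -z "$keyurl" ] || [ ! -r "$keyurl" ]; then
    echo "FAIL: SSHKEYS_URL in $conf does not point to a readable file"; rc=1
  fi

  # post-install script: must be executable and start with the bash shebang
  if [ ! -x "$post" ] || ! head -n 1 "$post" 2>/dev/null | grep -q '^#!/bin/bash'; then
    echo "FAIL: $post is not an executable bash script"; rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: run installimage -a -c $conf -x $post"
  fi
  return "$rc"
}
```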

You are now ready to start the installation with the following command:

installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh

Wait for the installation to complete and check debug.txt for any errors.

Step 5 – Boot the installed system

Once the installation is complete and any errors are resolved, run reboot to restart the server and boot the newly installed system. If you have a KVM console attached, or use the remote console of a cloud instance, you can watch the boot process.

After a short while the server should respond to ping. Now log in to dropbear via SSH and run cryptroot-unlock to unlock the encrypted partition(s).

  • With an ED25519 or ECDSA key:

ssh -p 2222 root@<your-host>

  • With an RSA key:

In the case of RSA, the client must be told explicitly that the ssh-rsa key type is accepted:

ssh -o "PubkeyAcceptedKeyTypes +ssh-rsa" -p 2222 root@<your-host> -i ~/.ssh/id_rsa

Example:

$ ssh -o "PubkeyAcceptedKeyTypes +ssh-rsa" -p 2222 root@<your-host> -i ~/.ssh/id_rsa
BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cryptroot-unlock 
Please unlock disk luks-80e097ad-c0ab-47ce-9302-02dd316dc45c:

If the password is correct, the boot will continue and you will be automatically disconnected from the temporary SSH session.

After a few seconds, you can log in to your new system.

Attention

This guide is explicitly written for Ubuntu 22.04 only. It may not work on other distributions.
