To create a fully encrypted disk system it is imperative that we have access to the initial OS installation; encrypting after installation is very complicated and should be avoided. If the machine fails, full access to the terminal would be required to enter the disk encryption password before the machine can boot. Remote setups such as Hetzner make this complicated.
For this reason, it is much easier to encrypt a single partition, which can be unlocked after boot once network access is available.
Encryption only protects against access to the physical disk. Once the machine or partition has been unlocked and mounted, disk access is as normal.
An example of the command run at Hetzner to set up a machine:
$ installimage -n example.smashdocs.net -r yes -l 1 -i images/Ubuntu-1604-xenial-64-minimal.tar.gz -p /boot:ext2:512M,lvm:vg0:all -v vg0:root:/:ext4:40G,vg0:swap:swap:swap:4G -a
This creates an LVM setup with a root partition of 40GB, leaving the remainder of the disk free for further LVM configuration. (Normally the Hetzner LVM setup consumes the entire disk, and shrinking disks is slow.)
After booting into the system:
- Install the LUKS encryption manager (on Ubuntu the package is named cryptsetup):
$ apt-get install cryptsetup
- Create the LVM logical volume:
$ lvcreate --name secure -L 100G vg0
- Set the password for the partition (this formats it as a LUKS container):
$ cryptsetup -y luksFormat /dev/vg0/secure
- Open the LUKS container on the LVM volume (creates /dev/mapper/secure):
$ cryptsetup luksOpen /dev/vg0/secure secure
- Make a filesystem on the encrypted partition:
$ mkfs.ext4 -j /dev/mapper/secure
- Create the mount point and mount the partition for use:
$ mkdir -p /secure
$ mount /dev/mapper/secure /secure
After a restart, the partition will not be automatically unlocked or mounted. It requires human intervention to enter the password and to repeat steps 4 and 6 above (luksOpen and mount).
In Puppet we deploy init scripts that alert if the partition is not mounted.
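The following is an added example (not code from the original page or from the Puppet setup it mentions) that covers both the post-reboot unlock steps above and the "is it mounted?" alert check. It uses the page's own device (/dev/vg0/secure), mapper name (secure) and mount point (/secure); the function names and the exit codes of the check are this example's assumptions. The mount test reads /proc/mounts by default but accepts an alternative file so it can be exercised without root:

```shell
#!/bin/sh
# Added example: post-reboot unlock helper plus a mounted-state check suitable
# for an init/monitoring script. Device, mapper name and mount point come from
# the page; function names and exit codes are this example's own choices.
set -eu

LV_DEVICE=/dev/vg0/secure   # LVM logical volume that holds the LUKS container
MAPPER_NAME=secure          # name passed to cryptsetup luksOpen
MOUNTPOINT=/secure          # where the decrypted filesystem is mounted

# secure_is_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT appears as a mounted filesystem in MOUNTS_FILE
# (default /proc/mounts), 1 otherwise. Field 2 of each /proc/mounts line is
# the mount point, so we compare it exactly (no prefix matching).
secure_is_mounted() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# secure_unlock: the two manual steps needed after every reboot (luksOpen and
# mount). cryptsetup prompts for the LUKS passphrase on the terminal; this
# must be run as root on the machine itself.
secure_unlock() {
    if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
        cryptsetup luksOpen "$LV_DEVICE" "$MAPPER_NAME"
    fi
    mkdir -p "$MOUNTPOINT"
    if ! secure_is_mounted "$MOUNTPOINT"; then
        mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
    fi
}

# secure_check: exit 0 when the encrypted partition is mounted, 2 otherwise.
# The non-zero exit and the CRITICAL line are what a monitoring or init
# script would turn into an alert.
secure_check() {
    if secure_is_mounted "$MOUNTPOINT"; then
        echo "OK: $MOUNTPOINT is mounted"
        return 0
    fi
    echo "CRITICAL: $MOUNTPOINT is not mounted; unlock with: cryptsetup luksOpen $LV_DEVICE $MAPPER_NAME && mount /dev/mapper/$MAPPER_NAME $MOUNTPOINT" >&2
    return 2
}

# Usage: ./secure.sh unlock   (interactive, after a reboot)
#        ./secure.sh check    (from cron, an init script, or a monitoring agent)
case "${1:-}" in
    unlock) secure_unlock ;;
    check)  secure_check ;;
esac
```

Running `check` from the Puppet-deployed init script (or a cron job) gives a non-zero exit whenever /secure is missing from /proc/mounts, which is exactly the condition after an unattended reboot; `unlock` then performs the luksOpen and mount steps once an operator is on the terminal.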