How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server

3246

Posting this here while it applies to everything on your Cloudron, not just Nextcloud.

I love Nextcloud and struggled to find a solution that keeps my data at rest and secure specifically for the app. The easy option is to just encrypt the whole installation medium of your Cloudron, not just Nextcloud.

On bare metal or virtual machines in your home server, this is easy as pie while you install a fresh machine. In the cloud that can often prove a challenge.

I found a super easy way I wanted to share with you using Hetzners Install Image tool:

1. Create a fresh cloud server
2. Reboot it into the rescue system (be sure to note or reset a root password)
3. Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption

4. When you log in, you login into a temporary SSH session to allow you to decrypt the medium. That can be done via your terminal app of choice and the Hetzner KVM virtual console. Enter cryptroot-unlock and your password.

You will need to do this every time your box restarts! If it automatically reboots after updates or due to an error, you should set up a remote alert (e.g. uptime monitor, etc).

5. Once you unlocked the drive, your box will automatically carry on and close your SSH session. So remember to not be surprised to have to log in again

I hope you found this nugget of info useful and I'd love to hear how you roll your own Cloudron.

PS You will not need to install any encryption-related apps in Nextcloud. Your data is already safe at rest now.

murgero

@3246 This is a fantastic little guide!

And yes, to be clear, once the drive is encrypted the data should be safe BUT keep in mind that lots of VPS providers (I don't know about Hetzner to be specific) have kernel modules that run in the background on their VPS nodes. This can still give them access to data if the VPS is booted AND LUKS is unlocked. Always use a VPS provider you trust, keep passwords long, and use encryption wherever possible.

3246

@murgero thanks for your feedback and good points! Good to hear you found it useful.

Trust is an important consideration as well as understanding your threat models and attack vectors

I think Hetzner got their sh*t together and there are some really insightful behind-the-scenes/dc tours on TY too. If your hoster factors in your threat model, I'd suggest you look for a more... dedicated solution than a mainstream hoster #trustnoone

I spent waaayyy too much time on this recently... almost like there was a break in real work

jdaviescoates

@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

I only say this because the one time I choose to use full disk encryption during install I ended up not using that machine for a while and forgetting the password and so I lost everything on that machine because I couldn't access it (admittedly this was in the days before I used a password manager to remember stuff)

3246

@jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

Oh hell yes, that goes without saying although you are right: it probably needs to be stated repeatedly and emphatically

I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down, I need to restore and all my decryption keys etc were locked away (yes, there should have been a copy offline on my device... don't ask!).

jdaviescoates

@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

Do you know if there is a good way to back them all up locally in case that happen?

murgero

@3246 Bitwarden keeps a local cache so I can't imagine why it would not let you see at least cached data.. but to each their own

jdaviescoates

@murgero said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

Bitwarden keeps a local cache

you mean the phone app? or desktop? or both?

I only ever use the browser plugin and the phone app.

murgero

@jdaviescoates yeah it lets me access my passwords even offline, I use phone, plugin, and desktop app.

necrevistonnezr

@jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

@3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

Do you know if there is a good way to back them all up locally in case that happen?

Use the CLI tool!

I use a modified version of this on my local mac (results in a decrypted backup): https://github.com/broizter/BitwardenBackup/blob/master/bitwardenbackup.sh

There's also the "official" version (results in an encrypted backup):
https://bitwarden.com/de-DE/blog/how-to-back-up-and-encrypt-your-bitwarden-vault-from-the-command-line/

jdaviescoates

@necrevistonnezr said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

Use the CLI tool!

I've never investigated that, thanks, I shall now investigate (although I'm generally more of a GUI person than a CLI person although admittedly the latter is far superior for many purposes - and I am still quite often in the terminal)

https://bitwarden.com/help/cli/

JOduMonT

Maybe I miss read, but, do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running; aka the drive is not mounted ?

LoudLemur

Nice! Thank you.

Stardenver

@3246 I assume the procedure is identical in Hetzner VPS and their bare metal servers?

3246

@Stardenver yes it is. I also have it running on baremetal at home/office.

My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.

Happy to expand on this if folks find it useful

3246

@JOduMonT said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

Maybe I miss read, but, do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running; aka the drive is not mounted ?

Yep, this is covering only against scenarios where actors might gain access to the drive or volume your data resides on when the machine is offline.

Think of security as layers of an onion and this is just one layer for one(ish) attack vector.

As part of my information security policy, I need to protect data at rest (e.g. hard drives of servers, laptops, phones and backup media) and prevent unauthorised access when machines are running. So full disk encryption satisfies that requirement nicely and being able to do it from afar on a virtualised or bare-metal system like at Hetzner makes it pretty convenient too.

My concern with home/office is theft and with hosters or data centres in general, that drives may end up being replaced or recycled. Hetzer and hosters like them will have easy physical access, so LUKS protects against someone going to the machine, turning it off and passing the drive on to someone else for whatever reason.

Happy to expand and try to answer any questions, with the caveat that I am not offering professional advice nor does it come with any guarantees