Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Nextcloud
  3. [💡 Guide] How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server

[💡 Guide] How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server

Scheduled Pinned Locked Moved Nextcloud
nextcloudencryptionhetzner
18 Posts 7 Posters 3.7k Views 8 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • murgeroM murgero

      @3246 This is a fantastic little guide!

      And yes, to be clear, once the drive is encrypted the data should be safe BUT keep in mind that lots of VPS providers (I don't know about Hetzner to be specific) have kernel modules that run in the background on their VPS nodes. This can still give them access to data if the VPS is booted AND LUKS is unlocked. Always use a VPS provider you trust, keep passwords long, and use encryption wherever possible.

      32463 Offline
      32463 Offline
      3246
      wrote on last edited by
      #3

      @murgero thanks for your feedback and good points! Good to hear you found it useful.

      Trust is an important consideration as well as understanding your threat models and attack vectors 🙂

      I think Hetzner got their sh*t together and there are some really insightful behind-the-scenes/dc tours on TY too. If your hoster factors in your threat model, I'd suggest you look for a more... dedicated solution than a mainstream hoster #trustnoone

      I spent waaayyy too much time on this recently... almost like there was a break in real work 😛

      👉 Find our more www.bebraver.online

      1 Reply Last reply
      2
      • 32463 3246

        Posting this here while it applies to everything on your Cloudron, not just Nextcloud.

        I love Nextcloud and struggled to find a solution that keeps my data at rest and secure specifically for the app. The easy option is to just encrypt the whole installation medium of your Cloudron, not just Nextcloud.

        On bare metal or virtual machines in your home server, this is easy as pie while you install a fresh machine. In the cloud that can often prove a challenge.

        I found a super easy way I wanted to share with you using Hetzners Install Image tool:

        1. Create a fresh cloud server
        2. Reboot it into the rescue system (be sure to note or reset a root password)
        3. Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

        https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption

        1. When you log in, you login into a temporary SSH session to allow you to decrypt the medium. That can be done via your terminal app of choice and the Hetzner KVM virtual console. Enter cryptroot-unlock and your password.

        You will need to do this every time your box restarts! If it automatically reboots after updates or due to an error, you should set up a remote alert (e.g. uptime monitor, etc).

        1. Once you unlocked the drive, your box will automatically carry on and close your SSH session. So remember to not be surprised to have to log in again 😉

        I hope you found this nugget of info useful and I'd love to hear how you roll your own Cloudron.

        PS You will not need to install any encryption-related apps in Nextcloud. Your data is already safe at rest now.

        jdaviescoatesJ Offline
        jdaviescoatesJ Offline
        jdaviescoates
        wrote on last edited by
        #4

        @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

        Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

        Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

        I only say this because the one time I choose to use full disk encryption during install I ended up not using that machine for a while and forgetting the password and so I lost everything on that machine because I couldn't access it 😄 (admittedly this was in the days before I used a password manager to remember stuff)

        I use Cloudron with Gandi & Hetzner

        32463 1 Reply Last reply
        2
        • jdaviescoatesJ jdaviescoates

          @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

          Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

          Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

          I only say this because the one time I choose to use full disk encryption during install I ended up not using that machine for a while and forgetting the password and so I lost everything on that machine because I couldn't access it 😄 (admittedly this was in the days before I used a password manager to remember stuff)

          32463 Offline
          32463 Offline
          3246
          wrote on last edited by
          #5

          @jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

          Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

          Oh hell yes, that goes without saying although you are right: it probably needs to be stated repeatedly and emphatically 😄

          I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down, I need to restore and all my decryption keys etc were locked away (yes, there should have been a copy offline on my device... don't ask!).

          👉 Find our more www.bebraver.online

          jdaviescoatesJ murgeroM 2 Replies Last reply
          2
          • 32463 3246

            @jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

            Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

            Oh hell yes, that goes without saying although you are right: it probably needs to be stated repeatedly and emphatically 😄

            I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down, I need to restore and all my decryption keys etc were locked away (yes, there should have been a copy offline on my device... don't ask!).

            jdaviescoatesJ Offline
            jdaviescoatesJ Offline
            jdaviescoates
            wrote on last edited by
            #6

            @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

            I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

            Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

            Do you know if there is a good way to back them all up locally in case that happen?

            I use Cloudron with Gandi & Hetzner

            necrevistonnezrN 1 Reply Last reply
            0
            • 32463 3246

              @jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

              Perhaps add: and save it as a secure note in your password manager, and write it down on a piece of paper safely filed away too.

              Oh hell yes, that goes without saying although you are right: it probably needs to be stated repeatedly and emphatically 😄

              I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down, I need to restore and all my decryption keys etc were locked away (yes, there should have been a copy offline on my device... don't ask!).

              murgeroM Offline
              murgeroM Offline
              murgero
              App Dev
              wrote on last edited by
              #7

              @3246 Bitwarden keeps a local cache so I can't imagine why it would not let you see at least cached data.. but to each their own

              --
              https://urgero.org
              ~ Professional Nerd. Freelance Programmer. ~

              jdaviescoatesJ 1 Reply Last reply
              3
              • murgeroM murgero

                @3246 Bitwarden keeps a local cache so I can't imagine why it would not let you see at least cached data.. but to each their own

                jdaviescoatesJ Offline
                jdaviescoatesJ Offline
                jdaviescoates
                wrote on last edited by
                #8

                @murgero said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                Bitwarden keeps a local cache

                you mean the phone app? or desktop? or both?

                I only ever use the browser plugin and the phone app.

                I use Cloudron with Gandi & Hetzner

                murgeroM 1 Reply Last reply
                0
                • jdaviescoatesJ jdaviescoates

                  @murgero said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                  Bitwarden keeps a local cache

                  you mean the phone app? or desktop? or both?

                  I only ever use the browser plugin and the phone app.

                  murgeroM Offline
                  murgeroM Offline
                  murgero
                  App Dev
                  wrote on last edited by
                  #9

                  @jdaviescoates yeah it lets me access my passwords even offline, I use phone, plugin, and desktop app.

                  --
                  https://urgero.org
                  ~ Professional Nerd. Freelance Programmer. ~

                  1 Reply Last reply
                  1
                  • jdaviescoatesJ jdaviescoates

                    @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                    I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

                    Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

                    Do you know if there is a good way to back them all up locally in case that happen?

                    necrevistonnezrN Online
                    necrevistonnezrN Online
                    necrevistonnezr
                    wrote on last edited by
                    #10

                    @jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                    @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                    I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

                    Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

                    Do you know if there is a good way to back them all up locally in case that happen?

                    Use the CLI tool!

                    I use a modified version of this on my local mac (results in a decrypted backup): https://github.com/broizter/BitwardenBackup/blob/master/bitwardenbackup.sh

                    There's also the "official" version (results in an encrypted backup):
                    https://bitwarden.com/de-DE/blog/how-to-back-up-and-encrypt-your-bitwarden-vault-from-the-command-line/

                    jdaviescoatesJ 1 Reply Last reply
                    3
                    • necrevistonnezrN necrevistonnezr

                      @jdaviescoates said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                      @3246 said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                      I just switched from self-hosted Bitwarden back to 1Password because I managed to shoot myself in my foot when Cloudron was down

                      Um, good point, I shudder to think what I'd do if my Cloudron went down for long and I couldn't access my passwords.

                      Do you know if there is a good way to back them all up locally in case that happen?

                      Use the CLI tool!

                      I use a modified version of this on my local mac (results in a decrypted backup): https://github.com/broizter/BitwardenBackup/blob/master/bitwardenbackup.sh

                      There's also the "official" version (results in an encrypted backup):
                      https://bitwarden.com/de-DE/blog/how-to-back-up-and-encrypt-your-bitwarden-vault-from-the-command-line/

                      jdaviescoatesJ Offline
                      jdaviescoatesJ Offline
                      jdaviescoates
                      wrote on last edited by
                      #11

                      @necrevistonnezr said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                      Use the CLI tool!

                      I've never investigated that, thanks, I shall now investigate (although I'm generally more of a GUI person than a CLI person although admittedly the latter is far superior for many purposes - and I am still quite often in the terminal)

                      https://bitwarden.com/help/cli/

                      I use Cloudron with Gandi & Hetzner

                      1 Reply Last reply
                      0
                      • JOduMonTJ Offline
                        JOduMonTJ Offline
                        JOduMonT
                        wrote on last edited by
                        #12

                        Maybe I miss read, but, do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running; aka the drive is not mounted ?

                        32463 1 Reply Last reply
                        3
                        • L Offline
                          L Offline
                          LoudLemur
                          wrote on last edited by LoudLemur
                          #13

                          Nice! Thank you.

                          brave_f55yRDzwyl.jpg

                          brave_ZtBNqCUv4j.jpg

                          1 Reply Last reply
                          0
                          • 32463 3246

                            Posting this here while it applies to everything on your Cloudron, not just Nextcloud.

                            I love Nextcloud and struggled to find a solution that keeps my data at rest and secure specifically for the app. The easy option is to just encrypt the whole installation medium of your Cloudron, not just Nextcloud.

                            On bare metal or virtual machines in your home server, this is easy as pie while you install a fresh machine. In the cloud that can often prove a challenge.

                            I found a super easy way I wanted to share with you using Hetzners Install Image tool:

                            1. Create a fresh cloud server
                            2. Reboot it into the rescue system (be sure to note or reset a root password)
                            3. Follow the official guide and pick a suitably secure password for the encryption (I would suggest avoiding special characters!)

                            https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption

                            1. When you log in, you login into a temporary SSH session to allow you to decrypt the medium. That can be done via your terminal app of choice and the Hetzner KVM virtual console. Enter cryptroot-unlock and your password.

                            You will need to do this every time your box restarts! If it automatically reboots after updates or due to an error, you should set up a remote alert (e.g. uptime monitor, etc).

                            1. Once you unlocked the drive, your box will automatically carry on and close your SSH session. So remember to not be surprised to have to log in again 😉

                            I hope you found this nugget of info useful and I'd love to hear how you roll your own Cloudron.

                            PS You will not need to install any encryption-related apps in Nextcloud. Your data is already safe at rest now.

                            StardenverS Offline
                            StardenverS Offline
                            Stardenver
                            wrote on last edited by
                            #14

                            @3246 I assume the procedure is identical in Hetzner VPS and their bare metal servers?

                            32463 1 Reply Last reply
                            2
                            • StardenverS Stardenver

                              @3246 I assume the procedure is identical in Hetzner VPS and their bare metal servers?

                              32463 Offline
                              32463 Offline
                              3246
                              wrote on last edited by
                              #15

                              @Stardenver yes it is. I also have it running on baremetal at home/office.

                              My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.

                              Happy to expand on this if folks find it useful 🙂

                              👉 Find our more www.bebraver.online

                              StardenverS 1 Reply Last reply
                              1
                              • JOduMonTJ JOduMonT

                                Maybe I miss read, but, do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running; aka the drive is not mounted ?

                                32463 Offline
                                32463 Offline
                                3246
                                wrote on last edited by 3246
                                #16

                                @JOduMonT said in How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                                Maybe I miss read, but, do we have the same understanding that LUKS and full-disk encryption is only useful when the system is not running; aka the drive is not mounted ?

                                Yep, this is covering only against scenarios where actors might gain access to the drive or volume your data resides on when the machine is offline.

                                Think of security as layers of an onion and this is just one layer for one(ish) attack vector.

                                As part of my information security policy, I need to protect data at rest (e.g. hard drives of servers, laptops, phones and backup media) and prevent unauthorised access when machines are running. So full disk encryption satisfies that requirement nicely and being able to do it from afar on a virtualised or bare-metal system like at Hetzner makes it pretty convenient too.

                                My concern with home/office is theft and with hosters or data centres in general, that drives may end up being replaced or recycled. Hetzer and hosters like them will have easy physical access, so LUKS protects against someone going to the machine, turning it off and passing the drive on to someone else for whatever reason.

                                Happy to expand and try to answer any questions, with the caveat that I am not offering professional advice nor does it come with any guarantees 😉

                                👉 Find our more www.bebraver.online

                                1 Reply Last reply
                                3
                                • 32463 3246 referenced this topic on
                                • 32463 Offline
                                  32463 Offline
                                  3246
                                  wrote on last edited by
                                  #17

                                  This might not apply to you but I thought I'd share an alternative way to have your cake and eat it, in case you don't fancy encrypting the whole Cloudron.

                                  Find out how to move your Nextcloud app data directory to an encrypted volume in my new post.

                                  👉 Find our more www.bebraver.online

                                  1 Reply Last reply
                                  1
                                  • 32463 3246

                                    @Stardenver yes it is. I also have it running on baremetal at home/office.

                                    My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.

                                    Happy to expand on this if folks find it useful 🙂

                                    StardenverS Offline
                                    StardenverS Offline
                                    Stardenver
                                    wrote on last edited by
                                    #18

                                    @3246 said in [💡 Guide] How to install Cloudron/Nextcloud with LUKS full disk encryption on Hetzner cloud server:

                                    @Stardenver yes it is. I also have it running on baremetal at home/office.

                                    My new set up has a main drive that's encrypted and another for local backups, which is also encrypted but unlocks after decrypting the main boot/data drive.

                                    Happy to expand on this if folks find it useful 🙂

                                    Thanks again for your setup guide. Just got a new server and its up and running. May I ask how you'd setup your system, so that additional drives are also encrypted and unlock after decrypting the main drive?

                                    1 Reply Last reply
                                    1
                                    Reply
                                    • Reply as topic
                                    Log in to reply
                                    • Oldest to Newest
                                    • Newest to Oldest
                                    • Most Votes


                                      • Login

                                      • Don't have an account? Register

                                      • Login or register to search.
                                      • First post
                                        Last post
                                      0
                                      • Categories
                                      • Recent
                                      • Tags
                                      • Popular
                                      • Bookmarks
                                      • Search