Custom ISO - CentOS - Kimsufi?

Is it possible to install a custom ISO - like original CentOS7 - over netboot/rescue mode? I saw some posts on Google where they are using some type of QEMU... I was unable to get that running.

Any help? Thanks

Comments

  • rinaldohack Member
    edited June 2019

    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

  • @rinaldohack said:
    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

    Awesome. Will try. So I will be able to install centos? In your example you have setup ubuntu

  • @plumberg said:

    @rinaldohack said:
    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

    Awesome. Will try. So I will be able to install centos? In your example you have setup ubuntu

    Yes, just get the CentOS ISO, preferably the smallest one.
    wget -O /tmp/installer.iso "whatever iso you want to boot"

    I also tried clonezilla. It does work, in case you want to move whole server installation from somewhere else.

  • @rinaldohack said:
    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

    I was able to start QEMU with Centos minimal. Now, would you happen to know best way to setup Full Disk Encryption via luks? In that way, upon boot, you are asked for a password and then use https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/ to set the pass phrases of the encrypted disc and boot? Any help appreciated. Thnx

  • uptime Member

    There's also netboot.xyz - probably not at all straightforward to finagle on a kimsufi - would at least be quite a bit trickier given no console access!

    But for future reference - for a VPS or server with console access - the general process could go something like:

    wget -q -O- http://boot.netboot.xyz/ipxe/netboot.xyz.iso | dd of=/dev/vda && sync && sync && sync && reboot
    

    (as per @WSS ...)

    "Once you have the installer loaded, break to shell, dd if=/dev/zero of=/dev/vda bs=1024k count=10; return to installer and install OS."

    (netboot.xyz provides an easy interface to download and boot any ISO)

    Thanked by 2plumberg rinaldohack
  • @plumberg said:

    @rinaldohack said:
    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

    I was able to start QEMU with Centos minimal. Now, would you happen to know best way to setup Full Disk Encryption via luks? In that way, upon boot, you are asked for a password and then use https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/ to set the pass phrases of the encrypted disc and boot? Any help appreciated. Thnx

    No, I never used that.
    But I suggest you just encrypt it like usual, then try to reboot. Does it boot?
    If the encryption is software based (not tied to hwid or something), I think it will work. But idk.

    But hey, it is still an empty server. It doesn't hurt to try, just a little wasted time lol.

    Thanked by 1plumberg
  • @uptime said:
    There's also netboot.xyz - probably not at all straightforward to finagle on a kimsufi - would at least be quite a bit trickier given no console access!

    But for future reference - for a VPS or server with console access - the general process could go something like:

    wget -q -O- http://boot.netboot.xyz/ipxe/netboot.xyz.iso | dd of=/dev/vda && sync && sync && sync && reboot
    

    (as per @WSS ...)

    "Once you have the installer loaded, break to shell, dd if=/dev/zero of=/dev/vda bs=1024k count=10; return to installer and install OS."

    (netboot.xyz provides an easy interface to download and boot any ISO)

    This is interesting. I am not sure if I am understanding it right, but this is like an always on boot for the server?

  • @rinaldohack said:

    @plumberg said:

    @rinaldohack said:
    I was able to boot ISO from recovery, by installing qemu, then using physical disk as the disk for the qemu, then connecting to the qemu using vnc.

    I created this account just to tell you that I have written a tutorial on my blog.
    https://rinaldojonathan.com/en/cara-buat-virtual-kvm-di-server-ovh-kimsufi-soyoustart/
    Feel free to comment here or there, I would help.

    I was able to start QEMU with Centos minimal. Now, would you happen to know best way to setup Full Disk Encryption via luks? In that way, upon boot, you are asked for a password and then use https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/ to set the pass phrases of the encrypted disc and boot? Any help appreciated. Thnx

    No, I never used that.
    But I suggest you just encrypt it like usual, then try to reboot. Does it boot?
    If the encryption is software based (not tied to hwid or something), I think it will work. But idk.

    But hey, it is still an empty server. It doesn't hurt to try, just a little wasted time lol.

    It will halt upon boot, waiting for a password to unlock the disk I believe. Since there is no kvm, nothing can happen

    Thanked by 1Shot2
  • uptime Member
    edited June 2019

    plumberg said: This is interesting. I am not sure if I am understanding it right, but this is like an always on boot for the server?

    from their FAQ

    How does this work?
    netboot.xyz uses an open source tool called iPXE. The bootloader used calls to a webserver that hosts the iPXE source files. The iPXE source files contain menus and logic that understand how the various Linux installers operate. When you select an Operating System, netboot.xyz retrieves the images from the project directory when possible or known and trusted performant mirrors. The location the file is pulled from is always displayed during retrieval.

    I've played with it just a bit, not enough to fully understand or explain all the gory details.

    It's definitely a useful tool to know about especially when using (KVM) VPS providers who might not support directly loading custom ISO - it gives you a relatively easy way to DIY booting a different ISO via IPXE. (You'll probably be on your own for support from that provider after that, of course.)

    The QEMU in ramdisk method would be another way to go on VPS as well.

    (Thanks @rinaldohack for posting the link to a writeup about doing this on kimsufi - will check it out!)

    Thanked by 2plumberg rinaldohack
  • @plumberg said: It will halt upon boot, waiting for a password to unlock the disk I believe. Since there is no kvm, nothing can happen

    This is the problem with FDE for KS and similar machines where there is no KVM to connect and interact during booting.

    The only real option is to setup dropbear or similar SSH server via initrd (remember unencrypted /boot is required - in theory this is not tamperproof) via which you can login, decrypt the FDE and continue the boot sequence as the root mount is now available.

    The other lesser-security option is to have a key file in /boot which automatically unlocks FDE and to securely shred the key file during/after booting (automatically via a script). So the next time you want to boot, you'll have to manually copy the keyfile. You can always reboot into rescue mode and scp the key file to boot normally again if something bad happens and you forget/upgrade etc. (so you don't have to worry about not having access to your files).

    Here the issue is that if the provider takes control of the machine during the (presumably few minute) interval between the boots (when the keyfile is on disk), then in theory they could get access to the contents.

    If your boots are few and far between, you can also consider changing the key after every boot as an added security precaution.

    In short, without a proper KVM to interact during boot, there's really not much of a reliable/safe way to protect your FDE setup.

    Thanked by 1uptime
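
The caveat in the post above, that the unencrypted /boot needed for a dropbear-in-initrd unlock is not tamperproof, can at least be made detectable. The following is an added example, not part of the original post: it hashes everything under /boot and reports changed, missing or new files on later runs. The function names and the manifest location are assumptions.

```shell
#!/bin/sh
# Added example: detect changes to the unencrypted /boot between unlocks.
# Function names and paths are assumptions. Store the manifest off the server
# (or inside the encrypted root), never inside /boot itself.

# boot_manifest_create DIR MANIFEST: record a SHA-256 for every file under DIR.
boot_manifest_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# boot_manifest_verify DIR MANIFEST: print CHANGED:/NEW: lines and return 1
# if anything under DIR differs from the manifest, otherwise return 0.
boot_manifest_verify() {
    dir=$1; manifest=$2; rc=0
    # Files whose hash changed or that are missing since the manifest was taken.
    bad=$( ( cd "$dir" && sha256sum -c - 2>/dev/null ) < "$manifest" \
           | grep -v ': OK$' || true )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/CHANGED: /'
        rc=1
    fi
    # Files that were not there before (e.g. an extra initramfs or GRUB module).
    known=$(mktemp)
    cut -c 67- "$manifest" | sort > "$known"   # 64 hex chars + 2 separators
    new=$( ( cd "$dir" && find . -type f ) | sort | comm -23 - "$known" )
    rm -f "$known"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW: /'
        rc=1
    fi
    return "$rc"
}

# Usage: script create|verify DIR MANIFEST
case "${1:-}" in
    create) boot_manifest_create "$2" "$3" ;;
    verify) boot_manifest_verify "$2" "$3" ;;
esac
```

Take the manifest right after installation or a kernel update and verify from rescue mode before entering the passphrase. A check run after unlocking only detects tampering; it cannot undo a passphrase already captured by a modified initramfs.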
  • Doesn't encryption slow down the server?

    Am I wrong to not use one?

  • @nullnothere said:

    @plumberg said: It will halt upon boot, waiting for a password to unlock the disk I believe. Since there is no kvm, nothing can happen

    This is the problem with FDE for KS and similar machines where there is no KVM to connect and interact during booting.

    The only real option is to setup dropbear or similar SSH server via initrd (remember unencrypted /boot is required - in theory this is not tamperproof) via which you can login, decrypt the FDE and continue the boot sequence as the root mount is now available.

    THIS... this is exactly what I want. Just unable to figure out how to do on this Kimsufi box.

    The other lesser-security option is to have a key file in /boot which automatically unlocks FDE and to securely shred the key file during/after booting (automatically via a script). So the next time you want to boot, you'll have to manually copy the keyfile. You can always reboot into rescue mode and scp the key file to boot normally again if something bad happens and you forget/upgrade etc. (so you don't have to worry about not having access to your files).

    Here the issue is that if the provider takes control of the machine during the (presumably few minute) interval between the boots (when the keyfile is on disk), then in theory they could get access to the contents.

    Correct. But my aim here is to try and make it difficult for someone to easily get hold of my data, were it left encrypted.

    If your boots are few and far between, you can also consider changing the key after every boot as an added security precaution.

    In short, without a proper KVM to interact during boot, there's really not much of a reliable/safe way to protect your FDE setup.

    Thanks

  • uptime Member

    rinaldohack said: Doesn't encryption slow down the server?

    some slowdown, but generally less of an issue on CPUs that provide hardware-accelerated aes

    Am I wrong to not use one?

    unless you don't have any info you might prefer to keep private on that server.

    (Such as, for example, ssh keys.)

    Beyond that, it's a cost-benefit calculation like anything else.

    And if you need some higher level of security for anything online, then I'd imagine encryption would just be a small (but important) piece of that puzzle to be solved.

    Thanked by 2plumberg rinaldohack
  • AlwaysSkint Member
    edited June 2019

    @plumberg How about making things a little different?
    Install debian, then Proxmox, keeping disc layout basic unencrypted. Create a virtual machine with whatever OS that you like (Centos) straight from whatever ISO. You'll get much more flexibility and access to a console for the VM. You'll be able to choose encryption during the install partitioning, with Centos. Proxmox 5 VE doesn't have that much of an overhead, IME.
    If you don't like a particular setup on the VM, just wipe and create another.
    You'll need to mess about with internal IPs/bridge/NAT/ports etc. but there's info available to do so.
    Just a thought.

    [Note: this is what I do with my KS-7. I've left some capacity, so that if I want to try something out, I just create an additional VM. It also leaves disc space, should I wish to expand an existing VM. I ignore the inbuilt Proxmox firewall and use CSF instead due to familiarity and additional features.]

    Thanked by 2uptime plumberg
  • @AlwaysSkint said:
    @plumberg How about making things a little different?
    Install debian, then Proxmox, keeping disc layout basic unencrypted. Create a virtual machine with whatever OS that you like (Centos) straight from whatever ISO. You'll get much more flexibility and access to a console for the VM. You'll be able to choose encryption during the install partitioning, with Centos. Proxmox 5 VE doesn't have that much of an overhead, IME.
    If you don't like a particular setup on the VM, just wipe and create another.
    You'll need to mess about with internal IPs/bridge/NAT/ports etc. but there's info available to do so.
    Just a thought.

    [Note: this is what I do with my KS-7. I've left some capacity, so that if I want to try something out, I just create an additional VM. It also leaves disc space, should I wish to expand an existing VM. I ignore the inbuilt Proxmox firewall and use CSF instead due to familiarity and additional features.]

    Absolutely good to try. But my concern here is with proxmox running, my VM's encryption keys would be open in spite of being full disk encryption? I am not sure... just a little paranoid again (putting anything on cloud makes it insecure, I know).

    Another option I am thinking is mounting a luks encrypted partition after boot in general which will host nextcloud and my data... the decent price point of the ks servers are good for backups and doc access. I have been unsuccessful in trying this setup

    Thanks.

  • AlwaysSkint Member
    edited June 2019

    @plumberg You don't need to store the encryption keys at all on the VM. You can open a console within (https:// connected) Proxmox at boot time and supply a password. Just as you were hoping to do originally. ;-)

    Thanked by 1uptime
  • @AlwaysSkint said:
    @plumberg You don't need to store the encryption keys at all on the VM. You can open a console within (https:// connected) Proxmox at boot time and supply a password. Just as you were hoping to do originally. ;-)

    Sorry if I wasn't clear earlier. What I meant is the password to open the vm will be accessible to proxmox somewhere? Or I am overthinking here....

  • @plumberg said:
    Sorry if I wasn't clear earlier. What I meant is the password to open the vm will be accessible to proxmox somewhere? Or I am overthinking here....

    Nope, doesn't have to be stored: your VM will halt booting until you open a console in Proxmox, to manually key in the password, by default.

    Thanked by 2plumberg uptime
  • @plumberg I rattled up a quick test, selecting encryption during Centos install.. works as expected..
    https://ibb.co/8K53C2j

    Thanked by 2plumberg uptime
  • @AlwaysSkint said:
    @plumberg I rattled up a quick test, selecting encryption during Centos install.. works as expected..
    https://ibb.co/8K53C2j

    Awesome. Thank you. Never used proxmox (debian based).

    I actually found some articles where one could do dropbear on debian which would allow unlock of luks volume over network. So proxmox may not be needed.

    Maybe that is something which may work on kimsufi, who knows.

  • Kimsufi. In normal rescue mode you will have a debian system giving you ... -cdrom /mnt/SL-7.2-DVD-x86_64-2016-02-02.iso -hda /dev/sda -boot d ... mount them and unsquash a ready linux system and customize it to the


  • Did anyone try Windows on Kimsufi vps using this method? I tried a while ago and it died with BSOD repeatedly

  • @tradeplanner said:
    Did anyone try Windows on Kimsufi vps using this method? I tried a while ago and it died with BSOD repeatedly

    Yeah, it doesn't work like that for a VPS; either it needs to have nested virt enabled, or install Windows locally using VirtualBox and dd it.
