This is still a work-in-progress draft post for now.
- To enable full disk encryption, you will need to complete a manual installation of Debian. The first step in this process is to power off your VPS in the client portal and open a support ticket to request that your VPS is set to boot from the Debian installation DVD.
- Once this has been set up by our support team, you will be able to access the virtual console to complete the installation. Use the "VNC access" button to launch the virtual console for your VPS in the client portal.
- Proceed to set the desired language, location, and keyboard layout. Note that non-US/UK layouts may produce odd results for special characters due to limitations of the virtual console.
- The installer will attempt to configure the VPS network with DHCP, but this will fail. Continue to configure the network manually.
- The support team will have provided you with the necessary addresses to enter in the next steps.
- You will then be able to enter your desired hostname.
- Leave the root password blank, as this will disable the root account and instead allow you to create a non-root user which has sudo access by default. You will need to enter a password for this account for now, but will be able to add an SSH key and remove the password in a later step.
- At the "Partition disks" screen, select "Guided - use entire disk and set up encrypted LVM". There should be only a single disk to choose from for this in the next screen.
- Unless you have specific requirements, you can select to place all files in one partition.
- You will then be asked to confirm the changes, as the next step will make changes to the disk that cannot be undone.
- Once the disk has been overwritten with random data, the installer will ask you to enter a passphrase that will be used to unlock the disk. If you do not enable a method of entering this over SSH later, you will need to type it into the VNC console whenever a reboot occurs, so a random passphrase (sequence of words) is better for this than a random password (sequence of characters). Refer to our guide on generating passphrases for our recommended method.
- You'll then be asked how much of the disk space should be used by the automated partitioning, and the default value will be to use all the space. You can then finish partitioning and have the changes written to the disk.
- After configuring the package repositories, you'll be able to select the package collections you'd like to install. You should remove the desktop environment options, and add the SSH server option, but your requirements may vary.
- Once the packages are installed, select to install GRUB to the primary drive, and then select the QEMU hard drive as the disk to install to.
- The installation is now complete and you can select Continue to reboot into the new system. Once the system has rebooted and you see the Debian installer boot menu again, select "Power Off" in the client portal and follow up on your support ticket to request that your VPS is switched to boot from the hard drive again.
- When your VPS is rebooted, the first thing you'll now see when viewing the VNC console is that you must enter your disk encryption passphrase. Type this in and press Enter.
- You'll now be able to log in using the user created with the installer, and you can proceed either by SSH or in the VNC console. Using SSH will reduce the amount of typing required.
- Run the following commands to complete the setup of the VPS. Among other things, this will complete the setup of networking, including IPv6:
  ```
  sudo apt-get install -y --no-install-recommends qemu-guest-agent cloud-init cloud-guest-utils tuned
  sudo systemctl enable qemu-guest-agent --now
  sudo systemctl enable cloud-init.service
  sudo systemctl enable fstrim.timer
  sudo systemctl enable tuned --now
  sudo tuned-adm profile virtual-guest
  ```
- Reboot your VPS with `sudo reboot` to allow for cloud-init to complete the setup. This will cause your SSH host key to be regenerated, so you may have to remove the old host key from your known_hosts file to be able to reconnect.
- Remember that as your VPS has rebooted, you will need to enter the decryption passphrase once again via the VNC console. This will be required after every reboot.
It is possible to run dropbear SSH, a lightweight SSH server, as part of your initramfs to allow decryption via SSH. However, this requires that the IP address for networking be set statically, as we do not offer DHCP configuration on our VPSes. We would be very happy to include a guide for this if anyone would like to contribute one.
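
A post-install check for the partitioning steps above, added here as an example and not part of the original guide: it parses `lsblk` pairs output and confirms that every mounted filesystem and swap area except `/boot` sits on a dm-crypt device. The function names and the sample device names are constructed for illustration; the sample assumes the layout that the guided encrypted LVM option typically produces.

```shell
#!/bin/sh
# Added example: report filesystems that are not backed by dm-crypt.
# Input on stdin: output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.
plaintext_mounts() {
  awk '
    # Extract the value of key k from one line of KEY="value" pairs.
    function val(k,   s) {
      s = " " $0
      if (!match(s, " " k "=\"[^\"]*\"")) return ""
      return substr(s, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
    }
    {
      kn = val("KNAME"); parent[kn] = val("PKNAME"); dtype[kn] = val("TYPE")
      if ((mp = val("MOUNTPOINT")) != "") mount[kn] = mp
    }
    END {
      for (kn in mount) {
        enc = 0; hops = 0
        # Walk up the device tree looking for a crypt ancestor.
        for (d = kn; d != "" && hops++ < 32; d = parent[d])
          if (dtype[d] == "crypt") { enc = 1; break }
        if (!enc) print mount[kn]
      }
    }' | sort
}

# Succeeds only if /boot (and /boot/efi on UEFI) are the sole plaintext mounts.
fde_ok() {
  bad=$(plaintext_mounts | grep -vx -e /boot -e /boot/efi || true)
  [ -z "$bad" ] && return 0
  echo "$bad" | sed 's/^/NOT encrypted: /' >&2
  return 1
}

# Constructed sample input, not captured from a real VPS.
sample_lsblk() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

sample_lsblk | fde_ok && echo "sample layout: only /boot is plaintext"
# On the VPS itself: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | fde_ok
```

A non-zero exit with a `NOT encrypted:` line means a filesystem or swap area ended up outside the encrypted volume and the partitioning step should be revisited.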