From ec8ff87799bc3c83ce2d0b7713c0261b4c010660 Mon Sep 17 00:00:00 2001 From: missytake Date: Wed, 4 Dec 2024 14:42:53 +0100 Subject: [PATCH] doc: documented encrypting /var/lib/libvirt on a VPS --- README.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/README.md b/README.md index 1265b5b..3ba2bd8 100644 --- a/README.md +++ b/README.md @@ -272,3 +272,34 @@ as copy-pasting your public SSH key into the console doesn't work really. Make sure the SSH config allows this (and turn passwort root access off afterwards). + +## Encrypting /var/lib/libvirt partition + +**Status: tested with Hetzner VPS, not deployed in production yet** + +Messing with file systems and partitions +should not be done by automation scripts, +so I created the LUKS-encrypted /dev/sdb partition manually. + +(So far, /dev/sdb was added via a Hetzner volume, +but it can be any partition actually) + +To create a partition in the VPS volume +(which was formatted to ext4 originally), +- I ran `fdisk /dev/sdb`, +- entered `o` to create a DOS partition table, +- added `n` to add a new primary partition, using all available space, +- and `w` to save to disk and exit. + +Then I ran `cryptsetup luksFormat /dev/sdb1` +and entered the passphrase from `pass 0x90/ararat/sdb-crypt` +to create a LUKS volume. + +Now I could decrypt the new volume with +`cryptsetup luksOpen /dev/sdb1 sdb_crypt` +and entering the passphrase from `pass 0x90/ararat/sdb-crypt`. + +Finally, I ran `mkfs.ext4` +to create an ext4 file system +in the encrypted partition. +
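Review bot: the final step "Finally, I ran `mkfs.ext4` to create an ext4 file system in the encrypted partition" omits the target device, and this is the one place where the wrong target is destructive: running `mkfs.ext4` on `/dev/sdb1` would overwrite the LUKS header that the preceding `cryptsetup luksFormat /dev/sdb1` step just wrote, while the intended target is the mapped device opened by `cryptsetup luksOpen /dev/sdb1 sdb_crypt`. Please spell it out, e.g. "Finally, I ran `mkfs.ext4 /dev/mapper/sdb_crypt` to create an ext4 file system in the encrypted partition." Two smaller points in the same hunk: the section heading promises an encrypted /var/lib/libvirt partition, but the text stops at `mkfs.ext4` and never says how the mapped device is mounted at /var/lib/libvirt or unlocked after a reboot (a sentence on the mount step, or an explicit "mounting/crypttab: TODO", would keep the heading honest), and "added `n` to add a new primary partition" reads better as "entered `n` to add a new primary partition", matching the other fdisk steps.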