doc: documented encrypting /var/lib/libvirt on a VPS

2024-12-04 14:42:53 +01:00 · 2024-12-04 14:42:53 +01:00 · ec8ff87799
parent 31f00c8080
commit ec8ff87799
1 changed files with 31 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -272,3 +272,34 @@ as copy-pasting your public SSH key into the console doesn't work really.
 Make sure the SSH config allows this
 (and turn passwort root access off afterwards).

+
+## Encrypting /var/lib/libvirt partition
+
+**Status: tested with Hetzner VPS, not deployed in production yet**
+
+Messing with file systems and partitions
+should not be done by automation scripts,
+so I created the LUKS-encrypted /dev/sdb partition manually.
+
+(So far, /dev/sdb was added via a Hetzner volume,
+but it can be any partition actually)
+
+To create a partition in the VPS volume
+(which was formatted to ext4 originally),
+- I ran `fdisk /dev/sdb`,
+- entered `o` to create a DOS partition table,
+- added `n` to add a new primary partition, using all available space,
+- and `w` to save to disk and exit.
+
+Then I ran `cryptsetup luksFormat /dev/sdb1`
+and entered the passphrase from `pass 0x90/ararat/sdb-crypt`
+to create a LUKS volume.
+
+Now I could decrypt the new volume with
+`cryptsetup luksOpen /dev/sdb1 sdb_crypt`
+and entering the passphrase from `pass 0x90/ararat/sdb-crypt`.
+
+Finally, I ran `mkfs.ext4`
+to create an ext4 file system
+in the encrypted partition.
+