Improving your digital security: A Guide to Creating a Disk Encrypted VPS

Leduccc
6 min read · Sep 11, 2023

If you’ve been concerned about data privacy, you’re not alone. I used to host all my services on an in-home physical server. Circumstances changed, and I found myself in an area with limited internet capabilities. While I’d love to be able to afford a dedicated server, my budget simply doesn’t allow it. The solution? A Virtual Private Server (VPS). But just because we’re using a third-party service doesn’t mean we have to leave our data completely unprotected: used strategically, disk encryption still buys us real protection.

That said…

Let’s be straight: if you’re here to create a digital Fort Knox, you might want to adjust your expectations. Full disk encryption makes the life of anyone trying to access your data without permission a bit more difficult. But — while your VPS is running, data needs to be decrypted in memory for the system to use it. Which means that the decryption key is loaded somewhere in the RAM and can easily be stolen while your server is running. That’s an easy entry point for someone who knows what they’re doing or is specifically targeting you.

The goal here isn’t to bulletproof your VPS against every possible scenario; it’s to make unauthorized access to your data more expensive in terms of time and resources. Think of it as reducing your surface area of vulnerability. We’re playing a game of risk mitigation, pushing away low-level threats and automated scans. However, if someone with enough expertise or determination targets your system, disk encryption alone won’t stop them. And that’s a reality we have to be conscious of.

In a follow-up article we will take this a step further and explore truly confidential computing solutions, which aim to also encrypt RAM, registers and memory pages.

Picking Your New Best Friend: The VPS Provider

Before you embark on this journey, you need a VPS that meets specific criteria:

  • Ability to mount installation ISOs.
  • Console access outside of SSH — aka VNC or serial.
  • Support for full disk encryption on virtual disks.

Any VPS matching these requirements will do, but I’ve been a big fan of the people over at Servarica, a small company based in Canada. I’ll be using their Salamander Hybrid offer, since it combines a fast but small SSD with a larger but slower HDD.

Reference Setup

  • 4 GB RAM
  • 4 vCPU
  • 200 GB SSD disk
  • 4 TB hard disk storage
  • 8 TB transfer on 1 Gbps
  • 1x IPv4
  • /64 IPv6

Step 1 — Boot It Up, ISO Style

First, select your installation ISO — in my case, Debian 12. Access your host’s management console, locate the ISO, click “Mount,” and restart the machine. Simple, right?

Select Debian 12 from the list
Hit that reboot button

Step 2 — Get the Basics Outta the Way

From the “VPS Console” tab we can now begin the installation process.

Now set up your server as you usually would: pick your language and keyboard layout, and set up your username and passwords.

Once you get to the network part of the installation, the installer will likely tell you that network auto-configuration failed. This is normal unless your provider has set up a DHCP server for its clients. Don’t fret — simply refer to your VPS details or welcome email for the manual network settings you’ll need.

In this example, take note of the following important information:

Your machine’s IP: 192.210.3.12/24

The gateway providing access to the internet: 192.210.3.1

And the nameservers providing DNS resolution: ns1 and ns2. These bare hostnames look suspiciously like a misconfiguration by the VPS provider, so instead use a public DNS resolver such as 208.67.222.222 and 208.67.220.220.

Once prompted, pick manual configuration and use the values above to configure internet access. Do not skip this step, as it will be a pain to fix later if you do.

Step 3 — Partition like a DJ, Encrypt like a Spy

Now we’re getting to the critical components — partitioning and encryption. Choose ‘Manual setup’ when prompted:

Now, depending on how your VPS is set up, you may get a variety of different options. But the steps are always the same:

  • Sizing partitions
  • Enabling encrypted volumes
  • Assigning filesystems and mount points

This particular setup looks a bit overwhelming, as this VPS uses a RAID setup and has multiple disks. That said, we will do the following:

  1. Create a single 4.3 TB partition on the LVM volume group (VG) Data. This logical volume spans virtual disks #2 and #3 and will contain my data.
  2. Create three partitions on virtual disk #1. This virtual disk is on an SSD and will hold the boot partition, the swap and the root partition.

As you can see we now have the following:

  • /data formatted with ext4 on disk lvdata partition #1 (4.3 TB)
  • /boot formatted with ext4 on disk xvda partition #1 (1 GB)
  • swap formatted with swap on disk xvda partition #2 (6 GB)
  • / formatted with ext4 on disk xvda partition #3 (207 GB)

Now we select “Configure encrypted volumes” and then select the following devices to be encrypted:

  • Your data partition /data
  • Your root partition /
  • And your swap partition

As you can see, I did not encrypt the boot partition.

Now you will be asked to confirm your selection for each device. Select “No” for “Erase data”, confirm all devices and then select “Finish”.

You will then have to enter a password for each device. This is a chore, but you will only have to do it when you reboot your server, which shouldn’t happen all that often.

Once you’ve entered your passwords you will be brought back to the list of disks, but now you will see your encrypted volumes listed above the other virtual devices.

Now re-assign the mount points to the encrypted volumes, mark the boot partition as bootable and select “Finish partitioning and write changes to disk”.

Confirm, sit back and relax while the installer formats your partitions.

Step 4 — Finishing up

Now that the hard part is done, all that is left to do is set up your mirror list (if it doesn’t work, go back to your network setup and make sure it is configured correctly), set up your bootloader (make sure to select the disk holding your boot partition) and then reboot.

Now unmount the installation media and reboot your server. You will be prompted to enter your password for each encrypted device:

Enter your passwords and voilà! You’re now booted into your own encrypted VPS. You can now connect via SSH and continue your setup, or stay tuned for part two, where we will set up an administration panel for our containerized cloud services.
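Once you are in over SSH, it is worth confirming that the layout from Step 3 really landed on dm-crypt: /, /data and swap should sit on crypt mappings, while /boot stays a plain partition. The script below is an added example, not part of the original article; the device names and the sample `lsblk -P` output are constructed to match the partition scheme described above.

```shell
#!/bin/sh
# Post-install check: confirm that /, /data and swap are served through dm-crypt
# mappings and that /boot is a plain partition, by parsing `lsblk -P` output.
# Device names below are assumptions; SAMPLE is constructed, not real output.
SAMPLE='NAME="xvda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="xvda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="xvda2_crypt" TYPE="crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="xvda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="xvda3_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="xvdb" TYPE="disk" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="Data-lvdata" TYPE="lvm" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="Data-lvdata_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/data"'

# mount_type MOUNTPOINT LSBLK_OUTPUT: print the TYPE column (part, lvm, crypt, ...)
# of the block device that carries MOUNTPOINT; prints nothing if it is not mounted.
mount_type() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    { type = ""; mnt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        gsub(/"/, "", kv[2])
        if (kv[1] == "TYPE") type = kv[2]
        if (kv[1] == "MOUNTPOINT") mnt = kv[2]
      }
      if (mnt == mp) { print type; exit }
    }'
}

# check_layout LSBLK_OUTPUT: report each mount point; return 0 only when every
# volume that must be encrypted is on a crypt mapping. /boot is expected to be
# a plain partition (GRUB reads the kernel from it before any key is entered).
check_layout() {
  rc=0
  for mp in / /data '[SWAP]'; do
    t=$(mount_type "$mp" "$1")
    if [ "$t" = "crypt" ]; then
      echo "ok   $mp is on a dm-crypt mapping"
    else
      echo "FAIL $mp is on '${t:-nothing}', not a dm-crypt mapping"; rc=1
    fi
  done
  t=$(mount_type /boot "$1")
  [ "$t" = "part" ] && echo "ok   /boot is an unencrypted partition" \
                    || echo "warn /boot is on '${t:-nothing}'"
  return $rc
}

check_layout "$SAMPLE"
```

On the live server, replace the constructed sample with real output: `check_layout "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)"`.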

PS: I’m not working for Servarica, but they do have an affiliate program, so if you ever plan on renting from them consider using my affiliate link. Thanks a bunch!
