This guide explains how to migrate an existing, unencrypted Debian or Ubuntu VPS to a fully encrypted setup (LUKS) with a separate boot partition.
This procedure involves shrinking partitions and rewriting file system headers. Any error during this process can result in permanent data loss.
- We strongly recommend performing this on a clean installation before putting data on the server.
- If this is a production server, you MUST create a backup (Snapshot) before proceeding.
This guide assumes a standard partition layout on /dev/vda. The commands used (apt, update-grub) are specific to Debian and Ubuntu based systems.
Step 1: Boot into Rescue Mode
To manipulate the root partition, it must not be mounted. We will use the Tilaa Rescue Mode.
- Log in to the Tilaa Dashboard and go to your VPS.
- Under Tasks, select Start in rescue mode.
- Once the status shows "Rescue Mode", open the Video Display.
- Select "Boot SystemRescue using default options" (or wait 20 seconds).
Enable SSH for easier copy-pasting. Working via the Video Display console is difficult, so we recommend enabling SSH in the rescue environment:
# Allow SSH access from your IP
iptables -I INPUT -s <your-ip-address>/32 -p tcp --dport 22 -j ACCEPT
# Set a temporary root password
passwd root
You can now connect to your VPS via SSH (using your VPS IP) to perform the rest of the steps.
Step 2: Shrink the Root Partition
We need to create space for a separate, unencrypted /boot partition (since the bootloader needs to read the kernel before unlocking the disk).
1. Check and repair the filesystem:
e2fsck -f /dev/vda1
2. Shrink the filesystem. In this example, we reduce it to create about 1GB of free space at the end. (Adjust sizes based on your total disk space).
# Shrink filesystem to 95GB (assuming a 100GB disk)
resize2fs /dev/vda1 95G
3. Shrink the partition to match, leaving space for the new /boot partition:
parted /dev/vda resizepart 1 104G
Note: parted reads 104G as 104 GB (decimal), whereas resize2fs reads 95G as 95 GiB; 104 GB is roughly 96.9 GiB, so the partition still ends after the shrunk filesystem. Never shrink the partition below the size of the filesystem, and ensure you leave enough space after the partition for the new /boot partition.
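As an added pre-flight check that is not part of the original guide, the following POSIX shell script encodes the size constraints behind the shrink in Step 2 and the in-place encryption in Step 4: resize2fs sizes are GiB, parted sizes are GB, and cryptsetup reencrypt needs the filesystem to leave room for the LUKS header. The function names and the 512 MiB minimum for /boot are assumptions chosen for this example; fs_bytes reads a real device and is meant to be run in rescue mode on the unmounted /dev/vda1.

```sh
#!/bin/sh
# Added pre-flight size check for Steps 2 and 4 (not part of the Tilaa guide).
# Function names and the /boot minimum below are assumptions for this example.

# Unit helpers: resize2fs "95G" means GiB (2^30); parted "104G" means GB (10^9).
gib_to_bytes() { echo $(( $1 * 1073741824 )); }
gb_to_bytes()  { echo $(( $1 * 1000000000 )); }
mib_to_bytes() { echo $(( $1 * 1048576 )); }

# fs_fits FS_BYTES PART_BYTES RESERVE_BYTES
# Succeeds when the filesystem plus the reserve that cryptsetup reencrypt takes
# (--reduce-device-size) still fits inside the partition. cryptsetup does not
# check the filesystem itself, so this is the check that prevents data loss.
fs_fits() { [ $(( $1 + $3 )) -le "$2" ]; }

# boot_gap_ok PART_END_BYTES DISK_BYTES MIN_BOOT_BYTES
# Succeeds when the space left after the shrunk partition can hold the new /boot.
boot_gap_ok() { [ $(( $2 - $1 )) -ge "$3" ]; }

# fs_bytes DEVICE: current ext4 filesystem size read from the superblock.
# Live use only (rescue mode, device unmounted): fs_bytes /dev/vda1
fs_bytes() {
  dumpe2fs -h "$1" 2>/dev/null | awk -F: '
    /^Block count:/ { gsub(/ /, "", $2); count = $2 }
    /^Block size:/  { gsub(/ /, "", $2); size = $2 }
    END { printf "%.0f\n", count * size }'
}

# Worked check with the guide's numbers: a 100 GiB disk, filesystem shrunk to
# 95G (GiB), partition end at 104G (GB), 16M reserve for the LUKS2 header,
# and an assumed 512 MiB wanted for the new /boot partition.
check_guide_layout() {
  disk=$(gib_to_bytes 100)
  fs=$(gib_to_bytes 95)
  part=$(gb_to_bytes 104)
  fs_fits "$fs" "$part" "$(mib_to_bytes 16)" || return 1
  boot_gap_ok "$part" "$disk" "$(mib_to_bytes 512)" || return 1
  return 0
}

# Run the worked check when executed directly.
if check_guide_layout; then
  echo "layout ok: filesystem fits the partition and /boot has room"
else
  echo "layout NOT ok: adjust resize2fs / parted sizes before continuing" >&2
fi
```

To check a real disk, replace the constants in check_guide_layout with `$(fs_bytes /dev/vda1)` and `$(blockdev --getsize64 /dev/vda1)` / `$(blockdev --getsize64 /dev/vda)` after each shrink step.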
Step 3: Create the /boot Partition
1. Open the partition manager:
fdisk /dev/vda
- Type n (new partition).
- Type p (primary).
- Press Enter to accept defaults (using the remaining space).
- Type w to write changes to disk.
2. Format and label the new partition:
mkfs.ext4 -L BOOT /dev/vda2
3. Copy boot files to the new partition:
# Mount partitions
mkdir -p /mnt/root /mnt/boot
mount /dev/vda1 /mnt/root
mount /dev/vda2 /mnt/boot
# Sync data
rsync -avh /mnt/root/boot/ /mnt/boot/
4. Update fstab to mount the new boot partition:
vim /mnt/root/etc/fstab
Add the following line:
LABEL=BOOT /boot ext4 defaults 0 2
5. Reinstall GRUB to the new location. Mount the new partition at /boot inside the root tree first, so that update-grub and grub-install write to /dev/vda2 rather than to the old /boot directory on /dev/vda1:
# Move the new boot partition under the root tree for the chroot
umount /mnt/boot
mount /dev/vda2 /mnt/root/boot
mount --bind /dev /mnt/root/dev
mount --bind /proc /mnt/root/proc
mount --bind /sys /mnt/root/sys
chroot /mnt/root
update-grub
grub-install /dev/vda
exit
# Unmount everything under /mnt/root and prepare for next step
umount -R /mnt/root
Reboot the VPS normally to verify it boots with the separate partition before proceeding to encryption.
Step 4: Encrypting the Root Partition
1. Pre-requisite: configure GRUB for encryption support. Boot into your VPS (normal OS) and edit /etc/default/grub so that it contains:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/vda1:luks-vgroot"
GRUB_PRELOAD_MODULES="luks cryptodisk lvm"
Note: on Debian and Ubuntu the initramfs unlocks the root device using /etc/crypttab (step 7), not the cryptdevice= parameter, so the mapper name that is actually used at boot is the one you put in crypttab (recrypt below).
2. Install required packages and update GRUB:
apt install -y cryptsetup-initramfs lvm2
update-grub
grub-install /dev/vda
3. Reboot back into Rescue Mode (repeat Step 1 to enable SSH).
4. Encrypt the partition in-place (this is the critical moment):
# Make sure the filesystem is smaller than the partition by at least the header reserve below
e2fsck -f /dev/vda1
resize2fs /dev/vda1 95G
# Encrypt (you will be asked to set a passphrase). cryptsetup does not check the
# filesystem: if it was not shrunk, the last 16M of data is overwritten by the LUKS header.
cryptsetup reencrypt --encrypt --reduce-device-size 16M /dev/vda1
5. Open the encrypted volume and expand the filesystem:
cryptsetup open /dev/vda1 recrypt
# Check and expand
e2fsck -f /dev/mapper/recrypt
resize2fs /dev/mapper/recrypt
6. Final Configuration (Chroot):
# Mount everything
mount /dev/mapper/recrypt /mnt
mount /dev/vda2 /mnt/boot
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
# Get UUID of the encrypted partition (vda1)
blkid /dev/vda1
7. Update /etc/crypttab inside the chroot:
chroot /mnt
vim /etc/crypttab
Add the line (replace UUID with the one found via blkid):
recrypt UUID=<YOUR-UUID-HERE> none luks
8. Update initramfs and GRUB one last time:
update-initramfs -u
update-grub
exit
9. Reboot:
umount -R /mnt
reboot
Upon booting, you will now need to open the Video Display in the Tilaa dashboard to enter your encryption passphrase every time the server starts.
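As an added consistency check that is not part of the original guide, the following POSIX shell script verifies, before the reboot in step 9, that what steps 3 to 8 wrote fits together: the UUID in /etc/crypttab matches the LUKS container reported by blkid, /etc/fstab has the separate /boot entry, and the root entry does not still name /dev/vda1 directly (which after encryption is the LUKS container, not a filesystem). The function names are assumptions for this example, and the blkid, crypttab and fstab samples are constructed; the live usage lines at the end show how to feed it the real files inside the chroot.

```sh
#!/bin/sh
# Added pre-reboot consistency check for Steps 3-8 (not part of the Tilaa guide).
# Function names are assumptions; the sample data below is constructed.

# Constructed samples standing in for `blkid /dev/vda1`, /etc/crypttab and /etc/fstab.
SAMPLE_BLKID='/dev/vda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="deadbeef-01"'
SAMPLE_CRYPTTAB='recrypt UUID=11111111-2222-3333-4444-555555555555 none luks'
SAMPLE_FSTAB='UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee / ext4 errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2'

# luks_uuid BLKID_LINE: the UUID of the LUKS container (only when TYPE is crypto_LUKS).
# The leading space before UUID= keeps PARTUUID= from matching.
luks_uuid() {
  printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# crypttab_uuid CRYPTTAB NAME: the UUID that crypttab maps to the given mapper name.
crypttab_uuid() {
  printf '%s\n' "$1" | awk -v name="$2" \
    '$1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }'
}

# crypttab_matches BLKID_LINE CRYPTTAB NAME: succeeds when the crypttab UUID for NAME
# equals the LUKS container UUID reported by blkid (an empty or stale UUID fails).
crypttab_matches() {
  a=$(luks_uuid "$1")
  b=$(crypttab_uuid "$2" "$3")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# fstab_has_boot FSTAB: succeeds when a separate /boot mount exists (Step 3, item 4).
fstab_has_boot() {
  printf '%s\n' "$1" | awk '$2 == "/boot" { found = 1 } END { exit !found }'
}

# root_not_raw_device FSTAB DEVICE: fails when the root entry still names DEVICE
# (e.g. /dev/vda1), which after encryption is the LUKS container, not a filesystem.
# A UUID= or /dev/mapper/... root entry passes.
root_not_raw_device() {
  printf '%s\n' "$1" | awk -v dev="$2" '$2 == "/" && $1 == dev { bad = 1 } END { exit bad }'
}

# Live usage inside the chroot, before `exit` and `reboot`:
#   crypttab_matches "$(blkid /dev/vda1)" "$(cat /etc/crypttab)" recrypt
#   fstab_has_boot "$(cat /etc/fstab)"
#   root_not_raw_device "$(cat /etc/fstab)" /dev/vda1
```

Each function exits non-zero on a mismatch, so they can be chained with `&&` and followed by `reboot` only when all three pass.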