Install Debian 13 with full hard disk encryption on a Hetzner dedicated server
I purchased a new dedicated server from Hetzner’s server auction, which I use to host some of my applications and other self-hosted applications. By default, I want to encrypt the data on all my servers, regardless of whether they are running at home in my homelab or, as in this case, at Hetzner.
The installimage script in the Hetzner Rescue System offers an easy way to install various Linux distributions and can be configured to install Debian 13 with full disk encryption.
Prerequisites
- Dedicated Server from Hetzner
- Server booted into the Rescue System
- ED25519 SSH public key
- No private networks attached on Hetzner Cloud
1. Copy your SSH public key
You need an SSH key to remotely unlock the hard drive during the boot process. You will also use this key later to log in to the booted system.
Save the public key of your SSH key pair to /tmp/authorized_keys on the server, which should already be booted into the Rescue System. Either create the file directly on the server or copy the public key with scp:
scp ~/.ssh/id_ed25519.pub root@<your-host>:/tmp/authorized_keys
2. Create installimage config file
Create a new configuration file /tmp/setup.conf and add the following content:
CRYPTPASSWORD secret
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME host.example.com
PART /boot/efi esp 256M
PART /boot ext4 1G
PART / ext4 all crypt
IMAGE /root/images/Debian-trixie-latest-amd64-base.tar.gz
SSHKEYS_URL /tmp/authorized_keys
This configuration installs Debian with the root filesystem LUKS-encrypted on a software RAID 1 array spanning /dev/sda and /dev/sdb. /boot and /boot/efi stay unencrypted: GRUB and the initramfs (which will run Dropbear) must be readable before the root volume can be unlocked remotely.
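Because installimage wipes both drives and the CRYPTPASSWORD in the file above is only a placeholder, it is worth running a pre-flight check before step 4. The following script is an added example, not part of Hetzner's installimage or this post's original steps. It encodes the layout used here (encrypted /, separate unencrypted /boot and /boot/efi, two drives for RAID 1) and the ED25519 prerequisite; the 20-character minimum for the passphrase is this example's own policy choice.

```shell
#!/bin/sh
# Pre-flight check for /tmp/setup.conf and /tmp/authorized_keys (added example).
# Exit status 0 = nothing found, 1 = at least one FAIL line printed to stderr.

# Print a finding and mark the current check as failed.
fail() { echo "FAIL: $*" >&2; status=1; }

# check_setup_conf <setup.conf>
check_setup_conf() {
    conf=$1; status=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 1; }

    # Passphrase must be present, must not be the placeholder, and must have some length
    # (the 20-character floor is an assumption of this example, not an installimage rule).
    pw=$(awk '$1=="CRYPTPASSWORD"{print $2}' "$conf")
    [ -n "$pw" ] || fail "CRYPTPASSWORD is missing"
    [ "$pw" != "secret" ] || fail "CRYPTPASSWORD is still the placeholder 'secret'"
    [ ${#pw} -ge 20 ] || fail "CRYPTPASSWORD is shorter than 20 characters"

    # Root filesystem must carry the crypt flag; /boot and /boot/efi must not.
    awk '$1=="PART" && $2=="/" && $5=="crypt"{ok=1} END{exit !ok}' "$conf" \
        || fail "PART / is not marked crypt"
    awk '$1=="PART" && $2=="/boot"{ok=1} END{exit !ok}' "$conf" \
        || fail "no separate /boot partition (Dropbear in the initramfs needs it)"
    awk '$1=="PART" && ($2=="/boot" || $2=="/boot/efi") && $5=="crypt"{bad=1} END{exit bad}' "$conf" \
        || fail "/boot or /boot/efi is marked crypt; the bootloader cannot read it"

    # RAID 1 only makes sense with at least two DRIVE entries.
    drives=$(grep -Ec '^DRIVE[0-9]+[[:space:]]' "$conf") || true
    raid=$(awk '$1=="SWRAID"{print $2}' "$conf")
    level=$(awk '$1=="SWRAIDLEVEL"{print $2}' "$conf")
    if [ "$raid" = 1 ] && [ "$level" = 1 ] && [ "$drives" -lt 2 ]; then
        fail "SWRAIDLEVEL 1 configured with fewer than two DRIVE entries"
    fi

    # A local SSHKEYS_URL must point at an existing, non-empty file,
    # otherwise there is no key in the initramfs and no way to unlock remotely.
    keys=$(awk '$1=="SSHKEYS_URL"{print $2}' "$conf")
    case "$keys" in
        "") fail "SSHKEYS_URL is missing" ;;
        /*) [ -s "$keys" ] || fail "SSHKEYS_URL $keys is missing or empty" ;;
    esac
    return $status
}

# check_authorized_keys <file>: every non-comment line must be an ssh-ed25519 key.
check_authorized_keys() {
    f=$1; status=0
    [ -s "$f" ] || { echo "FAIL: $f missing or empty" >&2; return 1; }
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$f" \
          | grep -Evc '^ssh-ed25519 [A-Za-z0-9+/=]+( .*)?$') || true
    [ "$bad" -eq 0 ] || fail "$bad key line(s) in $f are not ssh-ed25519"
    return $status
}

# Usage on the rescue system:
#   check_setup_conf /tmp/setup.conf && check_authorized_keys /tmp/authorized_keys
```

Source the file in the rescue shell and run both functions before invoking installimage; any FAIL line means the configuration should be corrected first.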
3. Create post-install script
To unlock the encrypted partition remotely, we need to install the Dropbear SSH server and include it in the initramfs, which lives on the unencrypted /boot partition. The dropbear-initramfs package also pulls dhclient into the initramfs so it can bring up the network, but nothing beyond that.
Create the file /tmp/post-install.sh with the following content:
#!/bin/bash
# Abort on the first failing command so a broken initramfs is not silently produced
set -e
# Update system and install the initramfs hooks for LUKS unlocking and Dropbear
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs
# Copy the SSH keys installimage placed in /root/.ssh into the Dropbear initramfs config
cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/
# Change the port and restrict Dropbear: -I 600 idle timeout, -j/-k no port forwarding,
# -p 2222 listen port, -s no password logins (sed -i in place; "-ie" would create a stray backup file)
sed -i 's/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"/' /etc/dropbear/initramfs/dropbear.conf
dpkg-reconfigure dropbear-initramfs
# Rebuild the initramfs so Dropbear, the keys and cryptroot-unlock end up in it
update-initramfs -u
Important: make the post-install script executable, otherwise installimage cannot run it:
chmod +x /tmp/post-install.sh
4. Start the installation
Now you can start the installation with the following command:
installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh
Wait until the installation completes and check debug.txt (installimage writes it to /root) for any errors.
5. Boot installed system
You can restart the server with the reboot command and boot the newly installed system.
Log in to the Dropbear SSH port 2222 and run cryptroot-unlock to unlock the encrypted partition(s). When connecting to Dropbear, make sure to use the private SSH key that corresponds to the public key stored in /tmp/authorized_keys in step 1.
$ ssh -p 2222 root@<your-host>
BusyBox v1.30.1 (Debian 1:1.37.0-6) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cryptroot-unlock
Please unlock disk luks-...:
Enter the password you previously set as CRYPTPASSWORD in /tmp/setup.conf. If the password is correct, the boot process continues and you are automatically disconnected from the temporary Dropbear SSH session.
After a few seconds, you can connect to the server via the standard SSH port 22:
ssh -p 22 root@<your-host>
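Once you are back in on port 22, it is worth confirming that the post-install script from step 3 actually produced what the next reboot depends on: a Dropbear configuration with password logins and port forwarding disabled, and an initramfs that contains the Dropbear binary, the authorized_keys file and cryptroot-unlock. The script below is an added example, not part of this post's steps or of the dropbear-initramfs package. It assumes the Debian path /etc/dropbear/initramfs/dropbear.conf and that lsinitramfs is available; the file names it looks for inside the image are this example's assumptions.

```shell
#!/bin/sh
# Post-install verification for Dropbear in the initramfs (added example).

# dropbear_options <dropbear.conf>: print the active DROPBEAR_OPTIONS value without quotes
# (an untouched file only has the commented "#DROPBEAR_OPTIONS=" line and prints nothing).
dropbear_options() {
    sed -n 's/^DROPBEAR_OPTIONS=//p' "$1" | tr -d '"'
}

# check_dropbear_conf <dropbear.conf>
# Verifies the flags the post-install sed is meant to set:
#   -s       no password logins (key only)
#   -j / -k  no local / remote port forwarding through the initramfs shell
#   -p       a non-default port, so clients do not mix up the initramfs and sshd host keys
check_dropbear_conf() {
    opts=$(dropbear_options "$1")
    rc=0
    [ -n "$opts" ] || { echo "FAIL: DROPBEAR_OPTIONS is still commented out (sed did not match)" >&2; return 1; }
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "FAIL: DROPBEAR_OPTIONS lacks $flag" >&2; rc=1 ;;
        esac
    done
    case " $opts " in
        *" -p "*) ;;
        *) echo "WARN: no -p given, Dropbear will listen on port 22" >&2 ;;
    esac
    return $rc
}

# check_initramfs_listing <file containing lsinitramfs output>
# The image must carry dropbear, an authorized_keys file and cryptroot-unlock;
# otherwise the server stops at the LUKS prompt with no remote way to unlock it.
check_initramfs_listing() {
    rc=0
    for needle in '/dropbear$' '/authorized_keys$' '/cryptroot-unlock$'; do
        grep -Eq "$needle" "$1" || { echo "FAIL: initramfs is missing $needle" >&2; rc=1; }
    done
    return $rc
}

# live_check: run both checks against the real files on the booted server.
live_check() {
    r=0
    check_dropbear_conf /etc/dropbear/initramfs/dropbear.conf || r=1
    tmp=$(mktemp)
    lsinitramfs "/boot/initrd.img-$(uname -r)" > "$tmp"
    check_initramfs_listing "$tmp" || r=1
    rm -f "$tmp"
    return $r
}

# Invoke as `sh verify-dropbear.sh --live` on the installed system.
case "${1:-}" in --live) live_check ;; esac
```

Run it after every kernel or dropbear-initramfs upgrade as well, since each update-initramfs run regenerates the image that the remote unlock depends on.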