LUKS Encrypted Secondary Volume on an Anubiz VPS
The root filesystem of an Anubiz cloud image is not encrypted by default, because unlocking over the network with dropbear is unreliable at scale. The recommended pattern is to keep root unencrypted (faster boot, easier ops) and encrypt a secondary data volume with LUKS for sensitive data. This guide attaches a secondary disk on Anubiz Romania III or larger, sets up LUKS2, and auto-unlocks it at boot from a key file on the root filesystem (or an external KMS).
Step 1: Add Secondary Disk
From the panel, attach a new volume (Anubiz Premium tiers allow this). It shows up as /dev/vdb.
Step 2: Format with LUKS2
Run cryptsetup luksFormat --type luks2 /dev/vdb and set a strong passphrase. Then open the volume with cryptsetup luksOpen /dev/vdb data and create the filesystem with mkfs.ext4 /dev/mapper/data.
Step 3: Keyfile or Passphrase
For attended boot, enter the passphrase via dropbear (advanced). For unattended boot, store a keyfile on root (/etc/luks/data.key, mode 0400) and add it to a LUKS key slot: cryptsetup luksAddKey /dev/vdb /etc/luks/data.key. This is an honest threat model: it protects against disk theft and provider-side imaging, not against a live attacker with root on the VPS.
Step 4: crypttab and fstab
Add this line to /etc/crypttab:
    data /dev/vdb /etc/luks/data.key luks
Add this line to /etc/fstab:
    /dev/mapper/data /srv/data ext4 defaults 0 2
Step 5: Performance
Anubiz nodes provide AES-NI; verify with cryptsetup benchmark. Use aes-xts-plain64. CPU overhead is negligible for typical I/O.
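A check for the configuration from Steps 3 and 4, added here as an example (it is not Anubiz tooling or part of the original guide): it reads a crypttab, confirms each key file exists with mode 0400, and confirms /dev/mapper/<name> has an fstab line. The function names and the sample files built in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit the Step 3/4 configuration.
# audit_luks_boot CRYPTTAB FSTAB prints one finding per line, returns 1 if any.
audit_luks_boot() {
    crypttab=$1; fstab=$2; rc=0
    # crypttab fields: mapping name, source device, key file, options
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in
            ''|none|-) ;;   # passphrase prompted at boot, no file to check
            *)
                if [ ! -f "$keyfile" ]; then
                    echo "$name: key file $keyfile is missing"; rc=1
                else
                    # Permission string from ls, e.g. "-r--------" for 0400
                    perms=$(ls -ld "$keyfile" | cut -c1-10)
                    if [ "$perms" != "-r--------" ]; then
                        echo "$name: key file $keyfile is $perms, expected 0400"; rc=1
                    fi
                fi ;;
        esac
        # Step 4 mounts /dev/mapper/<name>; a missing line means no mount at boot
        if ! awk -v d="/dev/mapper/$name" '$1 == d { f = 1 } END { exit !f }' "$fstab"; then
            echo "$name: no fstab entry for /dev/mapper/$name"; rc=1
        fi
    done < "$crypttab"
    return "$rc"
}

# Constructed sample: the guide's two entries, with a key file left at 0644.
demo() {
    d=$(mktemp -d)
    printf 'secret' > "$d/data.key"; chmod 0644 "$d/data.key"
    printf '# constructed\ndata /dev/vdb %s luks\n' "$d/data.key" > "$d/crypttab"
    printf '/dev/mapper/data /srv/data ext4 defaults 0 2\n' > "$d/fstab"
    audit_luks_boot "$d/crypttab" "$d/fstab"; result=$?
    rm -rf "$d"
    return "$result"
}

demo || echo "findings reported above"
```

On a real host the call is audit_luks_boot /etc/crypttab /etc/fstab, run as root so the key file is readable.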