Encrypted OS on Kimsufi

Hi all,

I was lucky enough to get a Kimsufi transferred to me last BFCM-weekend.

Their system doesn't, however, allow for encrypted OS installations out of the box. Resources on getting that done seem sparse, I found a single blog entry from 10+ years ago, and a 5+ years old script automating said blog entry.

If it works, it works, but I can't imagine so few people have encryption requirements that there are not a few more hints in that direction.

Any experiences here on the forum?

Comments

  • Just use IPMI and install from ISO?
    Except if you don’t have it. Quite rare but that’s the case on some old hardware

  • Hi remy,

    Thanks for your hint and quick reply!

    I had checked KVM and IPMI, but being not the largest fan of Java applets I used the HTML option for KVM. I didn't see the option to load an ISO, and found online that their KVM implementation does not open all IPMI features and thought that was that.

    Your suggestion had me revisit that, and read their documentation on IPMI.

    It turns out their Java applet does allow loading ISO if their HTTP client does not :-)

    Thanks!

  • It's quite easy. So what you do is just delete your /boot directory and then reboot your server, and your OS will be "encrypted" :lol:

    Thanked by (1)wankel

    If you want information, feign ignorance reply with the wrong answer. Internet people will correct you ASAP!
    It’s OK if you disagree with me. I can’t force you to be right!

  • backtogeek Hosting Provider OG Senpai
    edited 1:32PM

    @wankel said:
    Hi remy,

    Thanks for your hint and quick reply!

    I had checked KVM and IPMI, but being not the largest fan of Java applets I used the HTML option for KVM. I didn't see the option to load an ISO, and found online that their KVM implementation does not open all IPMI features and thought that was that.

    Your suggestion had me revisit that, and read their documentation on IPMI.

    It turns out their Java applet does allow loading ISO if their HTTP client does not :-)

    Thanks!

    1. Make the server boot to iPXE (Option in OVH Panel)
    2. Use HTML5 console
    3. When in iPXE shell, type:

        dhcp
        chain --autofree https://boot.netboot.xyz

    Do your install :)

    similar (but this is on a vps) to this:

    Thanked by (3)skorous wankel Not_Oles
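
Once an install done through the netboot.xyz route above has finished, the thing to confirm is that the root filesystem really sits on an encrypted mapping. The following is an added example, not part of the thread: it assumes a Linux install that uses LUKS/dm-crypt and `lsblk` from util-linux, and the device listings in it are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes a Linux install using
# LUKS/dm-crypt and lsblk from util-linux. Sample listings are constructed.

# on_crypt MOUNTPOINT < output of: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
# Returns 0 if a dm-crypt ("crypt") device is in the stack under MOUNTPOINT,
# 1 if not, 2 if nothing is mounted there.
on_crypt() {
  awk -F'"' -v want="$1" '
    { # With -P and this column order: $2=KNAME $4=PKNAME $6=TYPE $8=MOUNTPOINT
      type[$2] = $6
      if ($4 != "") parents[$2] = parents[$2] " " $4   # RAID: several parents
      if ($8 == want) start = $2 }
    END {
      if (start == "") exit 2
      n = 1; queue[1] = start
      for (i = 1; i <= n; i++) {          # walk up towards the physical disks
        d = queue[i]
        if (seen[d]++) continue
        if (type[d] == "crypt") exit 0
        c = split(parents[d], up, " ")
        for (j = 1; j <= c; j++) queue[++n] = up[j]
      }
      exit 1
    }'
}

# Constructed sample: LVM on LUKS, separate plain /boot.
SAMPLE_LUKS='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"'

# Constructed sample: plain partitions, no encryption.
SAMPLE_PLAIN='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"'

for mp in / /boot; do
  if printf '%s\n' "$SAMPLE_LUKS" | on_crypt "$mp"; then
    echo "sample: $mp is on dm-crypt"
  else
    echo "sample: $mp is NOT on dm-crypt"
  fi
done
```

On the installed server, feed it live data with `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | on_crypt /` and treat any non-zero exit status as a failed check.
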
  • wankel OG
    edited 2:02PM

    Aaghrhh... I always get fed up with 'write once broken everywhere' Java.

    I found OpenWebStart to run those 20th-century .jnlp's, but it gives me the finger.

    [ITW-CORE][2025-12-07 14:58:47.465 CET][INFO ][com.openwebstart.launcher.OwsJvmLauncher] About to launch process with command:
    /home/wankel/.cache/icedtea-web/jvm-cache/azul_21.0.9_x64/bin/java -Xbootclasspath/a:/opt/OpenWebStart/openwebstart.jar -Dicedtea-web.bin.location=/opt/OpenWebStart/javaws -Xms128M -Xmx128M -XX:PermSize=32M -XX:MaxPermSize=32M -Djnlp.versionEnabled=true -Djnlp.packEnabled=true --add-reads=java.base=ALL-UNNAMED,java.desktop --add-reads=java.desktop=ALL-UNNAMED,java.naming --add-reads=java.naming=ALL-UNNAMED,java.desktop --add-exports=java.desktop/sun.awt=ALL-UNNAMED,java.desktop --add-exports=java.desktop/javax.jnlp=ALL-UNNAMED,java.desktop --add-exports=java.base/com.sun.net.ssl.internal.ssl=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.security.action=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.security.provider=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.security.util=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.security.validator=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.security.x509=ALL-UNNAMED,java.desktop --add-exports=java.base/jdk.internal.util.jar=ALL-UNNAMED,java.desktop --add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED,java.desktop --add-exports=java.desktop/sun.awt.X11=ALL-UNNAMED,java.desktop --add-exports=java.desktop/sun.applet=ALL-UNNAMED,java.desktop,jdk.jsobject --add-exports=java.naming/com.sun.jndi.toolkit.url=ALL-UNNAMED,java.desktop -Djava.security.manager=allow net.sourceforge.jnlp.runtime.Boot -Xnofork kimpsufi ns520218-ip-158-69-55-net_.jnlp
    Unrecognized VM option 'PermSize=32M'
    Error: Could not create the Java Virtual Machine.
    

    I tried running without this VM option, and without VM options at all... no go.

    Does anyone know alternatives for running JNLP on a Debian desktop from this millennium?

  • No way...!

    I only had to

    • remove the gifted up-to-date Java VM (21.x)
    • disable downloading up-to-date Java VMs (again 21.x)
    • disable the system Java VM version (17.x)
    • leave the configuration with the oldest Java VM I could find (11.x)

    Now I'm looking at the console of my Kimsufi :-)

    Thanks for suffering with me!

  • Amadex Hosting Provider

    @somik said:
    It's quite easy. So what you do is just delete your /boot directory and then reboot your server, and your OS will be "encrypted" :lol:

    Thanks, our servers are secure now.

  • Hi Ant,

    Thanks! I hadn't refreshed the thread while cursing at Java so missed your comment.

    @backtogeek said:

    Make the server boot to iPXE (Option in OVH Panel)

    That's a coincidence! Earlier today I was tidying my browser tabs, and came across netboot.xyz in a read-it-later corner of a browser window. Nice to find an application for it now, I'll give it a try right away!

  • @wankel said:
    Hi Ant,

    Thanks! I hadn't refreshed the thread while cursing at Java so missed your comment.

    @backtogeek said:

    Make the server boot to iPXE (Option in OVH Panel)

    That's a coincidence! Earlier today I was tidying my browser tabs, and came across netboot.xyz in a read-it-later corner of a browser window. Nice to find an application for it now, I'll give it a try right away!

    Netboot.xyz is a godsend for situations like this!

    We're the source, no cap. Address us: We/Our/Ours.

    https://lowendspirit.com/discussion/comment/221016/#Comment_221016

  • backtogeek Hosting Provider OG Senpai
    edited 9:07PM

    @terrorgen said: Netboot.xyz is a godsend for situations like this!

    yep, when i get time i would like to fork it and have a TierHive specific version from local mirrors instead of git backed.
