Hello!
I’ve spent a lot of time struggling with Hetzner’s KVM console, there are a lot of problems causing severe issues with setting up passwords and passphrases. I just thought I’d create this “guide” to get things rolling, for everyone who faces the same issues I’ve faced.
Step 1 - Firewall
Set up a firewall and only open port 22 with your IP (you can look it up using ip.me).
Step 2 - Installation
Perform the installation procedure as normal, setting very simple passwords and passphrases for the user accounts and the disk encryption. Set them to something like 123. These will be changed later!
I’m using Debian 13, the steps may or may not be the same for your choice of distribution.
Step 3 - SSH access
Unmount the ISO and reboot. Enter the console again, log in as root with your simple password. Now, if you have the same problem as me, keys like /, CTRL etc. won’t work, so I used tab completion and vi to to modify the config file.
# cd ../etc/ssh/
# vi sshd<TAB>
Inside vi, press o to create a new line and enter insert mode. Add:
PermitRootLogin yes
PasswordAuthentication yes
Press ESC and then <SHIFT>-yy (so holding shift and pressing y twice). This will save the file and exit vi. Restart the SSH services:
# systemctl restart ssh sshd
Step 4 - Dropbear
ssh into your VPS. Now you have full keyboard access like usual. Install dropbear-initramfs, which is an SSH server that’s placed in the initial RAM filesystem so that you can ssh into your VPS during start up so you can easily enter your encryption passphrase.
Generate a new key pair and add the public key to /etc/dropbear/initramfs/authorized_keys
Run update-initramfs -u and reboot. You should now be able to ssh into your VPS using the key you just generated. The following command lets you unlock the encrypted disk:
cryptroot-unlock
This will probably disconnect you from the tunnel, simply re-establish the SSH tunnel again.
Step 5 - Changing passwords and passphrases
To change the encryption passphrase:
# cryptsetup luksAddKey /dev/sdXY
# cryptsetup luksRemoveKey
Lock the root user and change the password of your user (don’t forget to add the user to the sudo group!):
# passwd -l root
# passwd user
Done!
At this point you might want to use some other means to access the server, such as Netbird or Tailscale or Wireguard. Regardless of how you decide to access the server, you should revert the changes to sshd_config.
P.S.
I have no idea if this is a secure or good way to do this. Use at your own risk!
I’ve had a similar issue with / and some special keys. Numpad solved the / problem, using the system through SSH allows properly using your keyboard, and I’d imagine keybinds such as Gaomon’s or AntimicroX’s could be used too.