I am planning to experiment a bit with Qualys Container Security and Docker on the Hetzner ARM64 CAX servers this weekend. Given the current electricity prices, it is probably not really necessary to have a Proxmox server at home.. 

The new Ampere® ARM64 servers from Hetzner are relatively affordable and therefore offer a good alternative. Especially now, with Intel and AMD facing CPU bugs again, this is an even better idea. I really like Debian 12 at the moment, so I would like to use an encrypted Debian on it.

Hetzner offers a preferred way to install an encrypted system. You can find a corresponding guide at the following link. However, please note that you will have to forgo the private networks when following this method. For me personally, this is acceptable for now.

In the guide, you will also need to make an adjustment at the point "/tmp/setup.conf" and insert the line.

PART /boot/efi esp 256M 

Afterwards, you can unlock the cloud server via SSH using Dropbear:

ssh -o StrictHostKeyChecking=no root@your_hetzner_ip
25 july 2023, 18:37

In recent news, Hetzner Cloud is now offering ARM64 cloud servers in their Falkenstein data center, which prove to be much more cost-effective than their AMD64 counterparts. However, OpenBSD could not be installed on these servers for some time due to a lack of VirtIO GPU support, which is required for the Hetzner console. Fortunately, developer Joshua Stein has made it possible to install OpenBSD current and future versions on these servers.

Bear in mind that only *.iso files can be bound to Hetzner cloud servers, while OpenBSD only provides a *.img image (intended for USB sticks) that is not bootable on these servers. Nevertheless, there is a way around that. To get around this obstacle, first boot the vServer into Hetzner's rescue system and select Linux 64-bit; then, log into the rescue system via SSH and download the installXX.img with wget. Use the following command to copy the file to the virtual sda: dd if=installXX.img of=/dev/sda bs=1M . Then, restart the server, proceed to the Hetzner Cloud Console in your browser, and start the cloud server console. On the console, install OpenBSD where you only need to provide a password and user where full disk encryption is also available. Use sd0, the whole disk, as the installation destination. Finally, reboot the server, and if disk encryption was selected, enter the password upon restarting the console. After that, SSH to the server to configure OpenBSD as you see fit. If desired, set up the Hetzner firewall in the Hetzner Cloud.

While this installation process might seem tricky, it's entirely achievable, and a cost-effective, encrypted OpenBSD server can be obtained thanks to this method. One thing to note is that when it comes to the network configuration, binding IPv6 to Hetzner servers can be a bit daunting. A recommended way to do this would be via the /etc/hostname.vio0 file with the following configuration:

inet autoconf
inet6 autoconf
!route add -inet6 default fe80::1%vio0
inet6 alias your_hetzner_ipv6_block::1