Encrypted VPS.
Your passphrase, your data.
Real LUKS2 full disk encryption on hardware we own. Not a marketing checkbox. Your root partition is encrypted with a passphrase only you know. We can't read your data even if we wanted to.
How it works
What makes this different from everyone else
Most providers that claim "encryption" just encrypt the underlying storage array. That protects against physical theft of drives, not against the provider reading your data. Our encryption happens inside your VM. The passphrase never leaves your terminal. We literally cannot decrypt your disk.
Encryption isn't a one-way street. You can enable it from your dashboard on any running Debian 12 server, and disable it later if you change your mind. The process is fully automated and takes about a minute each way.
This runs on servers Servury physically owns in a Montreal colocation facility. No third-party provider sits between your encrypted disk and the bare metal. The entire stack is ours.
We use LUKS2 with the argon2id key derivation function (the same one used by modern password managers). The in-place encryption preserves your existing data.
Technical details
For the curious.
- Partition layout: sda1 = BIOS boot (1MB), sda2 = /boot ext4 (512MB, always unencrypted), sda3 = root ext4 (encrypted with LUKS2)
- Encryption method: LUKS2 in-place reencrypt with argon2id KDF. cryptsetup reencrypt --encrypt --reduce-device-size 32M
- Boot unlock: Dropbear SSH in initramfs. Server boots, waits at Dropbear, you SSH in and enter passphrase, server continues boot.
- Key storage: LUKS header on sda3. Passphrase is never transmitted to or stored by Servury. It exists only in your terminal during unlock.
- Disable flow: One click in dashboard. Server reboots into initramfs, decrypts in-place, removes crypttab, rebuilds GRUB. Data preserved.
- Compatible OS: Debian 12 only (custom template with pre-installed encryption tooling). Other OSes on this hardware do not support FDE.
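To confirm on your own server what the list above states (a LUKS2 header, argon2id on every keyslot, an AES-XTS data cipher), you can audit the output of cryptsetup luksDump. This is an added example, not Servury's code: the function names check_luks_dump and sample_dump and the sample dump itself are constructed for illustration, and it assumes the standard luksDump text layout.

```shell
#!/bin/sh
# Added example: audit `cryptsetup luksDump` text for LUKS2 + argon2id + AES-XTS.
# On the server (as root): cryptsetup luksDump /dev/sda3 | check_luks_dump

check_luks_dump() {
    awk '
        /^Version:/          { version = $2 }
        /^Data segments:/    { section = "seg" }
        /^Keyslots:/         { section = "slot" }
        /^(Tokens|Digests):/ { section = "" }
        # Only the data segment cipher and the keyslot PBKDF lines are checked;
        # the "pbkdf2" entry under Digests is normal for LUKS2 and is ignored.
        section == "seg"  && $1 == "cipher:" { cipher = $2 }
        section == "slot" && $1 == "PBKDF:"  { slots++; if ($2 != "argon2id") weak++ }
        END {
            if (version != "2")        { print "FAIL: header is not LUKS2"; bad = 1 }
            if (cipher !~ /^aes-xts-/) { print "FAIL: data cipher is \"" cipher "\""; bad = 1 }
            if (slots == 0)            { print "FAIL: no keyslots found"; bad = 1 }
            if (weak > 0)              { print "FAIL: " weak " keyslot(s) not argon2id"; bad = 1 }
            if (!bad) print "OK: LUKS2, " cipher ", " slots " keyslot(s), all argon2id"
            exit bad + 0
        }
    '
}

# Constructed sample (not output from a real server); $1 = PBKDF of keyslot 1.
sample_dump() {
    cat <<EOF
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      ${1:-argon2id}
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_dump argon2id | check_luks_dump          # passes
sample_dump pbkdf2 | check_luks_dump || true    # flags keyslot 1
```

A keyslot added later with a different KDF would unlock the same volume, which is why the check covers every keyslot rather than only the first.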
Frequently asked questions
Can Servury read my encrypted data?
No. The LUKS passphrase is set by you inside a Dropbear SSH session. We never see it, store it, or transmit it. Without the passphrase, the disk contents are indistinguishable from random noise.
What happens if I forget my passphrase?
Your data is gone. There is no recovery mechanism, no backdoor, no master key. This is by design. If you lose the passphrase, you can reinstall the OS but your encrypted data is unrecoverable.
Does encryption affect performance?
Minimal impact. LUKS2 with AES-XTS runs at near-native speeds on modern CPUs with AES-NI hardware acceleration, which all our processors support.
Can I enable encryption on an existing server?
Yes. Any running Debian 12 server in Montreal can have encryption enabled from the Administration tab. Your existing data is preserved during the in-place encryption process.
Is this available in other locations?
Currently Montreal only, because it requires our owned hardware with a custom Debian 12 template. Other locations use third-party infrastructure where we can't customize the boot process.