# cryptpilot-enhance — Harden virtual machine disk images before encryption

## SYNOPSIS

```
cryptpilot-enhance --mode MODE --image IMAGE_PATH [--ssh-key PUBKEY_FILE]
```

## DESCRIPTION

cryptpilot-enhance performs security hardening on offline VM disk images (e.g., QCOW2) using virt-customize. All operations are executed in a single guest session to minimize startup overhead, making it suitable for use in secure build pipelines and pre-encryption workflows.

The script applies system-level configuration changes, including removal of cloud agents, service deactivation, user account cleanup, SSH hardening, and sensitive data erasure, without booting the target operating system.
## OPTIONS

- `--mode MODE`: Set the hardening level. Supported values:
  - `full`: Maximum security. Removes the SSH server and enforces strict access controls.
  - `partial`: Retains SSH with public key authentication only; allows remote administration under hardened conditions.
- `--image IMAGE_PATH`: Path to the disk image file (QCOW2 or RAW format). The file must exist and be readable.
- `--ssh-key PUBKEY_FILE`: (Optional) Path to an OpenSSH public key file. Used in `partial` mode to inject the key into root's `~/.ssh/authorized_keys`.
- `--help`: Display usage information and exit.
## OPERATIONS

Operations applied in every mode:

- Uninstall Alibaba Cloud Assistant:
  - Stop and remove `aliyun.service` and `assist_daemon`
  - Remove associated binaries and configuration files
- Uninstall Aegis (Cloud Security Center):
  - Download and execute the official uninstall script
- Disable `rpcbind`:
  - Stop, disable, and mask `rpcbind.service` and `rpcbind.socket`
- Remove `cloud-init`:
  - Execute `yum remove -y cloud-init`
- User account cleanup:
  - Lock passwords for `root` and `admin` by setting `!!` in `/etc/shadow`
  - Delete all non-exempt user accounts with interactive shells and active passwords
  - Clean up home directories ending in `.DEL`
- Clear shell history:
  - Execute `history -c && history -w` to erase command history

Mode `full`:

- Remove the SSH server: `yum remove -y openssh-server`

Mode `partial`:

- Secure the SSH configuration:

  ```
  PasswordAuthentication no
  PubkeyAuthentication yes
  PermitRootLogin prohibit-password
  X11Forwarding no
  AllowTcpForwarding no
  ```

- Inject the public key into root's `authorized_keys` if one was provided
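The SSH directives and the `!!` password locks listed above can be checked on the finished image without booting it. The following is an added example and not part of cryptpilot-enhance: the function names are this example's own, the sample `sshd_config` and `/etc/shadow` lines used in the tests are constructed, and the `audit_image` wrapper relies on `virt-cat(1)` from libguestfs-tools. It goes a little beyond the list above in that it applies sshd's own parsing rules: the first active occurrence of a keyword wins, and anything below a `Match` line is conditional rather than global, so a directive that only appears there does not count.

```shell
#!/bin/sh
# Added example (not part of cryptpilot-enhance): audits the SSH directives and
# the root/admin password locks on a hardened image without booting it.
# Function names are this example's own; virt-cat(1) comes with libguestfs-tools.

# sshd uses the FIRST active occurrence of a keyword, and anything below a
# "Match" line is conditional, so the effective global value is the first
# non-comment match before any Match block (whitespace-separated form assumed).
# Usage: sshd_effective KEYWORD < sshd_config
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/            { next }           # comment line
        tolower($1) == "match"      { exit }           # conditional section starts
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    '
}

# Checks the five directives that partial mode writes. Reads sshd_config on
# stdin; returns 0 if all match, 1 otherwise (mismatches go to stderr).
audit_sshd_config() {
    cfg=$(cat); rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$cfg" | sshd_effective "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
X11Forwarding no
AllowTcpForwarding no
EOF
    return $rc
}

# Checks that each named account's password field is exactly "!!", the marker
# the script writes. Reads /etc/shadow on stdin. An account that does not exist
# is reported but is not a failure (there is nothing to lock); an empty or
# hashed field is a failure.
# Usage: audit_shadow_locked USER... < shadow
audit_shadow_locked() {
    shadow=$(cat); rc=0
    for user in "$@"; do
        field=$(printf '%s\n' "$shadow" | awk -F: -v u="$user" \
            '$1 == u { print $2; found = 1; exit } END { if (!found) print "<absent>" }')
        case "$field" in
            '!!')       ;;
            '<absent>') echo "shadow: $user does not exist" >&2 ;;
            *)          echo "shadow: $user is not locked with '!!'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Pulls both files out of IMAGE with virt-cat and runs the audits. In full mode
# openssh-server has been removed, so only the shadow check applies there.
# Needs libguestfs-tools; not exercised by the offline tests.
# Usage: audit_image MODE IMAGE
audit_image() {
    mode=$1; image=$2; rc=0
    if [ "$mode" = partial ]; then
        virt-cat -a "$image" /etc/ssh/sshd_config | audit_sshd_config || rc=1
    fi
    virt-cat -a "$image" /etc/shadow | audit_shadow_locked root admin || rc=1
    return $rc
}
```

Run it as `audit_image partial ./server-disk.qcow2` after hardening; a non-zero exit with the mismatch list on stderr means the image should not go on to encryption.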
## EXAMPLES

Apply full hardening to an image:

```bash
./cryptpilot-enhance \
    --mode full \
    --image ./server-disk.qcow2
```

Apply partial hardening with SSH key injection:

```bash
./cryptpilot-enhance \
    --mode partial \
    --image ./server-disk.qcow2 \
    --ssh-key ~/.ssh/id_rsa.pub
```

## REQUIREMENTS

- `libguestfs-tools` package installed
- `virt-customize` available in `$PATH`
- Sufficient privileges to access and modify disk image files

Tested on CentOS/RHEL 7/8/9 systems. May require adaptation for other distributions.
## ENVIRONMENT

`CRYPTPILOT_ENHANCE_VIRT_CUSTOMIZE_OPTS`

Append extra options to the virt-customize command. The value is word-split and appended after the base arguments (`--format`, `-a`) and before the hardening operations. Useful for tuning guest memory, CPU, or other backend parameters without modifying the script.

Example — increase guest memory to 4 GiB and use 4 vCPUs:
```bash
CRYPTPILOT_ENHANCE_VIRT_CUSTOMIZE_OPTS="--memsize 4096 --smp 4" \
./cryptpilot-enhance --mode partial --image ./server-disk.qcow2
```
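How the single-session invocation described above and this variable fit together, as an added example that is not the project's script: `enhance` and `print_args` are this example's own names, the way it rewrites `sshd_config` inside the guest and its use of `usermod` for the `!!` lock are assumptions (the real script's method is not shown on this page), and the account cleanup is reduced to the root/admin lock. The virt-customize options it passes (`--format`, `-a`, `--run-command`, `--uninstall`, `--ssh-inject`, and the `--memsize`/`--smp` tuning shown above) are documented options of virt-customize(1). Note the deliberate unquoted expansion of the variable: that is what word-splits it, and it is also why an option value containing spaces cannot be passed this way.

```shell
#!/bin/sh
# Added example (not the cryptpilot-enhance script itself): composes the single
# virt-customize session this manual describes, with
# CRYPTPILOT_ENHANCE_VIRT_CUSTOMIZE_OPTS word-split in after the base arguments.
# The sshd_config rewrite and the usermod lock are this example's assumptions;
# the virt-customize options are documented in virt-customize(1).

# Guest-side command: drop existing copies of the five directives, then prepend
# the hardened values so they sit above any "Match" block (sshd honours the
# first occurrence of a keyword).
SSHD_HARDEN='f=/etc/ssh/sshd_config; { printf "%s\n" "PasswordAuthentication no" "PubkeyAuthentication yes" "PermitRootLogin prohibit-password" "X11Forwarding no" "AllowTcpForwarding no"; grep -Eiv "^[[:space:]]*(PasswordAuthentication|PubkeyAuthentication|PermitRootLogin|X11Forwarding|AllowTcpForwarding)[[:space:]]" "$f"; } > "$f.new" && mv "$f.new" "$f"'

# Usage: enhance RUNNER MODE IMAGE [PUBKEY_FILE]
# Builds the argument list and hands it to RUNNER: print_args for a dry run,
# virt-customize for the real thing.
enhance() {
    runner=$1; mode=$2; image=$3; pubkey=$4
    case "$image" in
        *.qcow2) fmt=qcow2 ;;
        *)       fmt=raw ;;
    esac
    case "$mode" in
        full|partial) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # Base arguments, then the operator's extra options. The variable is left
    # unquoted on purpose so it is word-split; -f stops globbing while doing so.
    set -f
    set -- --format "$fmt" -a "$image" $CRYPTPILOT_ENHANCE_VIRT_CUSTOMIZE_OPTS
    set +f

    # Mode-independent hardening (a subset of the operations listed above).
    # The image is offline, so there is no running service to stop; disabling
    # and masking are symlink changes that work in the guest session.
    set -- "$@" \
        --run-command 'systemctl disable rpcbind.service rpcbind.socket; systemctl mask rpcbind.service rpcbind.socket' \
        --uninstall cloud-init \
        --run-command 'for u in root admin; do id "$u" >/dev/null 2>&1 && usermod -p "!!" "$u"; done; true'

    if [ "$mode" = full ]; then
        set -- "$@" --uninstall openssh-server
    else
        set -- "$@" --run-command "$SSHD_HARDEN"
        if [ -n "$pubkey" ]; then
            # virt-customize reads the key file from the host side.
            set -- "$@" --ssh-inject "root:file:$pubkey"
        fi
    fi
    "$runner" "$@"
}

# Dry-run target: one argument per line, so the composed session can be reviewed
# before anything touches the image.
print_args() { printf '%s\n' "$@"; }

# Real run (needs libguestfs-tools), for example:
#   CRYPTPILOT_ENHANCE_VIRT_CUSTOMIZE_OPTS="--memsize 4096 --smp 4" \
#   enhance virt-customize partial ./server-disk.qcow2 ~/.ssh/id_ed25519.pub
```

Reviewing the dry-run output before a real run is worthwhile in a pipeline: it shows exactly where the extra options land and confirms that a `--ssh-key` is only injected in `partial` mode.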
`LIBGUESTFS_BACKEND`

Controls the libguestfs backend. By default, virt-customize uses the libvirt backend, which requires a running libvirtd daemon. If you encounter an error like:
```
libvirt: XML-RPC error : Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory
virt-customize: error: libguestfs error: could not connect to libvirt (URI = qemu:///system): Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory
```
Set it to `direct` to use QEMU directly without libvirtd (recommended for CI/containers):
```bash
LIBGUESTFS_BACKEND=direct ./cryptpilot-enhance --mode partial --image ./server-disk.qcow2
```
## NOTES

- This script modifies the disk image permanently.
- Always test on a copy of the original image.
- After hardening, recovery options may be limited; ensure alternative access methods are in place when needed.
## SEE ALSO

virt-customize(1), libguestfs-tools(1)

## LICENSE

Apache License. See the LICENSE file for details.