Overview

This guide walks through deploying Kasm Workspaces on a DigitalOcean droplet, attaching a custom domain, enabling HTTPS with Let’s Encrypt, and hardening the server for secure access.

The key problem this solves:

• You want secure, browser-based remote desktops
• You want proper TLS (no self-signed warnings)
• You don’t want to expose an insecure public service
• You need a hardened cloud deployment

The solution:

• Deploy Ubuntu droplet
• Install Kasm (Docker-based)
• Attach domain + DNS
• Enable trusted HTTPS certificates
• Apply basic production hardening

This setup is ideal for:

• Browser-based labs
• Security training platforms
• Remote development environments
• Isolated browsing environments
• CTF infrastructure

If you only need SSH access, this is overkill.

What you’ll achieve

By the end of this post, you will:

• ✅ Deploy a DigitalOcean Ubuntu droplet
• ✅ Install Kasm Workspaces
• ✅ Attach a domain (e.g. kasm.example.com)
• ✅ Enable trusted HTTPS using Let’s Encrypt
• ✅ Harden SSH and firewall rules
• ✅ Have a production-ready Kasm instance

Prerequisites

• Knowledge: Basic Linux CLI, DNS concepts
• Tools: DigitalOcean account, domain name
• Access: Root or sudo privileges
• Time: ~30–40 minutes

Environment

• OS: Ubuntu 22.04 LTS
• Cloud: DigitalOcean Droplet
• Application: Kasm Workspaces
• Container Runtime: Docker
• TLS: Let’s Encrypt
• Firewall: UFW

Option 1 — Manual Installation (Recommended for Production)

1) Create the Ubuntu Droplet

On DigitalOcean:

• Create droplet → Ubuntu 22.04 LTS
• Minimum 4GB RAM
• 8GB recommended for multiple sessions
• Add SSH key (do NOT use password login)

Connect:

ssh root@your_server_ip

2) Initial Server Hardening

Create non-root user:

adduser kasmadmin
usermod -aG sudo kasmadmin

Disable root SSH login:

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no
PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

3) Configure Firewall

sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw enable

4) Install Kasm Workspaces

Download latest version from: https://www.kasmweb.com/downloads

Example:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl

curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.0d92b5.tar.gz
tar -xf kasm_release_*.tar.gz
cd kasm_release
sudo bash install.sh

At completion, store:

• Admin username
• Admin password
• Database password

Access:

https://SERVER_IP

You will see a self-signed certificate warning.

Option 2 — Use DigitalOcean Marketplace Image (Fastest Deployment)

If you want the fastest deployment, use the Kasm Workspaces ready image in the DigitalOcean Marketplace.

1A) Deploy Marketplace Image

• Create Droplet
• Go to Marketplace
• Search Kasm Workspaces
• Select image
• Choose 4GB+ RAM
• Add SSH key
• Create Droplet

SSH:

ssh root@your_server_ip

1B) Retrieve Credentials

cat /root/kasm_install_credentials.txt

Store credentials securely.

Access:

https://YOUR_SERVER_IP

When NOT to Use the Marketplace Image

Avoid the Marketplace image if:

• You need custom install flags
• You want advanced Docker networking
• You plan to build a multi-node cluster
• You require strict CIS hardening from scratch
• You want full visibility into installation steps
• You are deploying in regulated environments
• You want version pinning control

The Marketplace image is excellent for:

• Labs
• Testing
• Quick deployments
• Demos

For production environments with compliance requirements, prefer the manual installation path.

Domain + HTTPS Configuration

5) Add DNS Record

At your DNS provider:

Type: A Name: kasm Value: YOUR_SERVER_IP

Example:

kasm.example.com → 143.198.xxx.xxx

Verify:

ping kasm.example.com

6) Install Let’s Encrypt Certificate

Kasm includes built-in certificate management.

Run:

sudo /opt/kasm/bin/kasm_https_cert.sh

Select:

• Let’s Encrypt
• Enter domain
• Provide email

The script will:

• Validate DNS
• Issue certificate
• Install automatically
• Restart services

Now visit:

https://kasm.example.com

No certificate warning.

Verification

Check services:

sudo /opt/kasm/bin/kasm_status.sh

Check containers:

sudo docker ps

All services should be running.

Additional Hardening

Restrict SSH by IP

sudo ufw allow from YOUR_HOME_IP to any port 22

Remove generic SSH rule if desired.

Enable Automatic Updates

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Install Fail2Ban

sudo apt install -y fail2ban

Create config:

sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true

Restart:

sudo systemctl restart fail2ban

Common Pitfalls

Let’s Encrypt Fails

Ensure port 80 is open temporarily:

sudo ufw allow 80/tcp

Retry certificate script.

Containers Not Starting

Check logs:

sudo docker logs kasm_web

Low memory is common cause.

Add swap if needed:

sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

Security Notes

• Use SSH keys only
• Disable password authentication
• Do not expose Docker ports
• Keep only ports 22 and 443 open
• Rotate default credentials
• Consider Cloudflare proxy for extra protection

Performance Notes

• 8GB RAM recommended for multiple users
• Choose region near users
• Disk I/O significantly impacts performance
• Each active session consumes memory

Variations & Extensions

• Deploy behind Nginx reverse proxy
• Enable SSO (SAML / OIDC)
• Restrict access via VPN
• Deploy behind Cloudflare Tunnel
• Create multiple workspace profiles (Kali, VSCode, Chrome, etc.)

References

• https://www.kasmweb.com/docs/latest/
• https://docs.digitalocean.com/products/droplets/
• https://letsencrypt.org/docs/
• https://ubuntu.com/server/docs/security