Security Azure

CyberChef on Ubuntu 24.04 on Azure User Guide

| Product: CyberChef on Ubuntu 24.04 LTS on Azure

Overview

This image runs CyberChef 11.2.0, the open source "Cyber Swiss Army Knife" originally created by GCHQ, on Ubuntu 24.04 LTS. CyberChef is a web app for carrying out a huge range of cyber operations - encoding and decoding formats such as Base64, URL and hex, compression, computing hashes and checksums, symmetric encryption and decryption, character-encoding conversions, parsing of common network and file formats, regular-expression extraction and hundreds more - chained together in a drag-and-drop pipeline that shows input and output side by side.

CyberChef is purely client-side: every operation runs in the visitor's own browser using JavaScript, and no data is ever sent to a server. That makes it a low-risk way to handle sensitive material, and it means the appliance itself is refreshingly simple - there is no database, no authentication and no server-side backend. cloudimg serves the official pre-built release as static files behind nginx on port 80.

What is included:

  • CyberChef 11.2.0, the official pre-built release bundle, pinned by sha256 and served as static files from /var/www/cyberchef
  • nginx on port 80 serving the single-page app (index plus the assets/, images/ and modules/ directories)
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • nginx.service and a one-shot cyberchef-firstboot.service as systemd units, enabled and active
  • A per-VM info note at /root/cyberchef-info.txt written on first boot, recording the access URL (there is no login to record - CyberChef needs none)
  • A fully patched Ubuntu 24.04 LTS base with unattended security upgrades enabled
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is more than enough - CyberChef does all its work in the browser, so the server only serves static files. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web interface. CyberChef serves plain HTTP on port 80; for production or shared access, terminate TLS in front of it with your own domain using a reverse proxy or Azure Application Gateway.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for CyberChef by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name cyberchef \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name cyberchef --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

CyberChef is served by nginx on port 80. A one-shot cyberchef-firstboot.service runs once on first boot to record the access URL. Confirm both units are active and nginx is listening on port 80:

systemctl is-active nginx cyberchef-firstboot
sudo ss -tlnp | grep ':80 '

Expected output:

active
active
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=...))
LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=...))

nginx and cyberchef-firstboot both active, with nginx listening on port 80

Step 5 - Confirm the app is served

nginx serves an unauthenticated /healthz endpoint for load balancer probes, and the CyberChef single-page app at /. Confirm the health endpoint returns 200, the served page is CyberChef, and the JavaScript bundle loads:

curl -sI http://127.0.0.1/healthz | head -1
curl -s http://127.0.0.1/ | grep -o '<title>[^<]*</title>'
curl -s -o /dev/null -w 'assets/main.js -> HTTP %{http_code}\n' http://127.0.0.1/assets/main.js

Expected output:

HTTP/1.1 200 OK
<title>CyberChef</title>
assets/main.js -> HTTP 200

The healthz endpoint returning 200, the CyberChef page title, and the JavaScript bundle returning 200

Step 6 - Inspect the static bundle on disk

The whole appliance is the official CyberChef release extracted into a single docroot. The entry HTML is published as index.html, alongside the assets/, images/ and modules/ directories:

ls -1 /var/www/cyberchef | head -12
du -sh /var/www/cyberchef

Expected output:

ChefWorker.js.LICENSE.txt
CyberChef_v11.2.0.html
...
assets
images
index.html
modules
72M /var/www/cyberchef

The CyberChef static bundle in the nginx docroot, showing index.html plus the assets, images and modules directories

Step 7 - Read the per-VM access note

CyberChef has no login of any kind, so there is no password to retrieve. On the first boot of every VM, cyberchef-firstboot.service resolves the VM's address and writes a short access note to a root-only file so you always know where to point your browser:

sudo cat /root/cyberchef-info.txt

Expected output:

# CyberChef appliance by cloudimg - access information
#
# CyberChef is 'The Cyber Swiss Army Knife': a purely client-side web app. There is no
# login, no account and no server-side data - every operation runs in your own browser.
# Open the URL below in a web browser to start using it.
cyberchef_url=http://<vm-ip>/

The note records the VM's own address for convenience; when reaching CyberChef from your workstation, use the VM's public IP or DNS name.

The per-VM CyberChef access note, recording the URL and confirming no login is required

Step 8 - Open CyberChef and decode Base64

Browse to http://<vm-public-ip>/. CyberChef opens with four panes: the Operations list on the left, the Recipe you are building, the Input you want to transform, and the computed Output. To try it, drag From Base64 from the Operations list into the Recipe, paste a Base64 string such as Q3liZXJDaGVmIG9uIFVidW50dSAyNC4wNCBieSBjbG91ZGltZw== into Input, and the decoded text appears immediately in Output (auto-bake is on by default).

The CyberChef interface decoding a Base64 string with From Base64, showing the decoded text in the Output pane

Step 9 - Encode data with To Base64

Recipes work the other way round too. Add To Base64 to the Recipe, type any plain text into Input, and CyberChef encodes it to Base64 in the Output pane. You can chain operations - for example decode from one format and re-encode into another - by stacking them in the Recipe.

The CyberChef interface encoding plain text to Base64 with the To Base64 operation

Step 10 - Convert data to hex

Add the To Hex operation to view any input as a space-delimited hex dump - handy for inspecting bytes, control characters or binary data. Change the delimiter and bytes-per-line options in the operation to match the format you need.

The CyberChef interface converting text to a space-delimited hex representation with the To Hex operation

Step 11 - Compute a SHA2-256 hash

CyberChef includes a full set of hashing and checksum operations. Add SHA2 (with size 256), type or paste your input, and the digest is computed in the browser and shown in Output - no data leaves your machine. The same pattern works for MD5, SHA1, SHA3, CRC checksums and HMAC.

The CyberChef interface computing a SHA2-256 digest of an input string, shown in the Output pane

Maintenance

  • Nothing to back up: CyberChef stores no data - every operation runs in the browser and nothing is persisted on the server. The appliance is entirely stateless.
  • Updating CyberChef: the release is pinned by sha256 for reproducibility. To move to a newer release, download the official release bundle from the CyberChef releases page, extract it into /var/www/cyberchef, and publish its entry HTML as index.html.
  • Security updates: unattended security upgrades are enabled, so the OS keeps itself patched. Reboot when a new kernel is installed.
  • TLS and access control: for shared or production use, front CyberChef with your own domain and a TLS-terminating reverse proxy or Azure Application Gateway, and restrict port 80 in the NSG to the networks that need it.

Support

cloudimg provides 24/7/365 expert technical support for this image. Contact support@cloudimg.co.uk. CyberChef is Crown Copyright and licensed under the Apache License 2.0. This image is provided by cloudimg and is not affiliated with or endorsed by GCHQ; additional charges apply for build, maintenance and 24/7 support.