Main | Debian Encrypted Debootstrap
The Debian installer is nice, but it seems to be missing options for certain LUKS encryption
schemes (for example, 512-bit key sizes), so I decided to try to install Debian manually via 'debootstrap'
after preparing the disk.
# I usually boot some version of Knoppix to do all this work.
# First make a partition for encryption use via fdisk
fdisk /dev/sda # for example, add an sda2 /boot and sda3 / partitions via the 'n' command
# Format the /dev/sda2 boot partition with ext4
mkfs.ext4 -c -L boot -m 0 /dev/sda2
# then install haveged to make more entropy available
aptitude install haveged
# then encrypt the partition. Many ciphers are available,
# check for them via /proc/crypto
cryptsetup -v --use-random --verify-passphrase --cipher aes-xts-benbi --key-size=512 \
  --hash=sha512 --iter-time=10000 luksFormat /dev/sda3
# make available the decrypted partition
cryptsetup luksOpen /dev/sda3 sda3_decrypt
# fill the decrypted partition with pseudo-random data
# NOTE: this will take SEVERAL HOURS to do: 120GB on an old P4 took 10 hours.
dd_rescue -v /dev/urandom /dev/mapper/sda3_decrypt
# prepare disk or partition for LVM use
pvcreate /dev/mapper/sda3_decrypt
# create LVM volume group
vgcreate mainvolume /dev/mapper/sda3_decrypt
# create LVM logical volumes
lvcreate -L 30G -n rootLV mainvolume
lvcreate -L 3G -n swapLV mainvolume
lvcreate -L 60G -n homeLV mainvolume
# format logical volume partitions
mkfs.ext4 -c -L rootLV /dev/mapper/mainvolume-rootLV
mkswap -c -L swapLV-1 /dev/mapper/mainvolume-swapLV
mkfs.ext4 -c -m 0 -L homeLV /dev/mapper/mainvolume-homeLV
# mount filesystems to prepare for installation
mkdir /target
mount /dev/mapper/mainvolume-rootLV /target
# create the mount points on the new root filesystem, after it is mounted
mkdir /target/boot
mkdir /target/home
mount /dev/sda2 /target/boot
mount /dev/mapper/mainvolume-homeLV /target/home
swapon /dev/mapper/mainvolume-swapLV
# installinnnnggg!!
debootstrap --arch=i386 wheezy /target http://ftp.us.debian.org/debian
# bind mount a few directories and chroot into the new system to do some setup
mount -o bind /dev /target/dev
mount -o bind /dev/pts /target/dev/pts
mount -o bind /sys /target/sys
mount -o bind /proc /target/proc
# chroot into newly installed system
chroot /target
# the new system complains about the LOCALE not being set; prepare the fix for it,
# but this has to wait until the locales-all package is installed.
nano /etc/default/locale
# fill in file with:
LANG="en_US.UTF-8"
LANGUAGE=""
LC_MESSAGES="en_US.UTF-8"
COUNTRY="US"
# update sources.list, install locales
nano /etc/apt/sources.list
# update file to contain:
# standard Debian Wheezy repositories
deb http://ftp.us.debian.org/debian/ wheezy main
deb http://ftp.us.debian.org/debian/ wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
# update repository lists, install locales, update locale
aptitude update
aptitude install locales-all
update-locale
# use aptitude to install a linux-image and grub2
aptitude install linux-image grub2
# run blkid to discover the UUID identifiers for the filesystems to mount
blkid
# use this info for manual entries in /etc/fstab and /etc/crypttab
# then run update-initramfs again:
update-initramfs -k all -u
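The manual /etc/crypttab and /etc/fstab entries mentioned above, as an added example that is not part of the original page: it turns blkid output into the entries for this page's layout and refuses to emit a crypttab line for a device that is not a LUKS container. The UUIDs are constructed placeholders, and the mount options and helper function names are assumptions.

```shell
#!/bin/sh
# Added example: derive /etc/crypttab and /etc/fstab entries from blkid output.
# Device, mapper and volume names follow this page's layout; the UUIDs below
# are constructed placeholders, not real values.
SAMPLE_BLKID='/dev/sda2: LABEL="boot" UUID="11111111-1111-1111-1111-111111111111" TYPE="ext4"
/dev/sda3: UUID="22222222-2222-2222-2222-222222222222" TYPE="crypto_LUKS"
/dev/mapper/mainvolume-rootLV: LABEL="rootLV" UUID="33333333-3333-3333-3333-333333333333" TYPE="ext4"'

# field_of DEVICE KEY: print KEY's value for DEVICE from blkid text on stdin
field_of() {
    awk -v dev="$1:" -v key="$2" '$1 == dev {
        for (i = 2; i <= NF; i++)
            if (index($i, key "=\"") == 1) {
                v = substr($i, length(key) + 3)
                sub(/"$/, "", v)
                print v
            }
    }'
}

# crypttab_line DEVICE NAME: emit a crypttab entry, refusing non-LUKS devices
crypttab_line() {
    blk=$(cat)
    [ "$(printf '%s\n' "$blk" | field_of "$1" TYPE)" = "crypto_LUKS" ] || {
        echo "refusing: $1 is not a LUKS container" >&2
        return 1
    }
    # "none" = ask for the passphrase at boot; no key file is stored on disk
    printf '%s UUID=%s none luks\n' "$2" "$(printf '%s\n' "$blk" | field_of "$1" UUID)"
}

# fstab_lines: /boot by UUID, logical volumes by their stable mapper names
fstab_lines() {
    boot_uuid=$(field_of /dev/sda2 UUID)
    [ -n "$boot_uuid" ] || return 1
    printf '%s\n' \
        "/dev/mapper/mainvolume-rootLV / ext4 errors=remount-ro 0 1" \
        "UUID=$boot_uuid /boot ext4 defaults 0 2" \
        "/dev/mapper/mainvolume-homeLV /home ext4 defaults 0 2" \
        "/dev/mapper/mainvolume-swapLV none swap sw 0 0"
}

# Print the entries for review; nothing is written to /etc
printf '%s\n' "$SAMPLE_BLKID" | crypttab_line /dev/sda3 sda3_decrypt
printf '%s\n' "$SAMPLE_BLKID" | fstab_lines
```

On the real system, pipe the output of `blkid` into the functions instead of the sample text and review the lines before placing them in the files.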
March 07, 2015, at 04:05 PM