Installing Debian manually with LUKS+LVM

The Debian installer is nice, but it seems to be missing options for certain LUKS encryption schemes, such as 512-bit key sizes, so I decided to try to install Debian manually via 'debootstrap' after preparing the disk.

Boot a LiveCD

# I usually boot some version of Knoppix to do all this work.

Preparing disk for installation

# First make a partition for encryption use via fdisk
fdisk /dev/sda # for example, add an sda2 /boot and sda3 / partitions via the 'n' command

# Format the /dev/sda2 boot partition with ext4
mkfs.ext4 -c -L boot -m 0 /dev/sda2

# then install haveged to make more entropy available
aptitude install haveged

# then encrypt the partition. Many ciphers are available,
# check for them via /proc/crypto
cryptsetup -v --use-random --verify-passphrase --cipher aes-xts-benbi --key-size=512 \
   --hash=sha512 --iter-time=10000 luksFormat /dev/sda3

# make available the decrypted partition
cryptsetup luksOpen /dev/sda3 sda3_decrypt

# fill the decrypted partition with pseudo-random data
# NOTE: this will take SEVERAL HOURS to do: 120GB on an old P4 took 10 hours.
dd_rescue -v /dev/urandom /dev/mapper/sda3_decrypt

# prepare disk or partition for LVM use
pvcreate /dev/mapper/sda3_decrypt

# create LVM volume group
vgcreate mainvolume /dev/mapper/sda3_decrypt

# create LVM logical volumes
lvcreate -L 30G -n rootLV mainvolume
lvcreate -L 3G  -n swapLV mainvolume
lvcreate -L 60G -n homeLV mainvolume

# format logical volume partitions
mkfs.ext4 -c -L rootLV /dev/mapper/mainvolume-rootLV
mkswap -c -L swapLV-1 /dev/mapper/mainvolume-swapLV
mkfs.ext4 -c -m 0 -L homeLV /dev/mapper/mainvolume-homeLV

Debian installation with debootstrap

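# mount filesystems to prepare for installation
# (create /target/boot and /target/home only after the root volume is mounted,
# so the mount points exist on the new root filesystem)
mkdir /target
mount /dev/mapper/mainvolume-rootLV /target
mkdir /target/boot
mkdir /target/home
mount /dev/sda2 /target/boot
mount /dev/mapper/mainvolume-homeLV /target/home
swapon /dev/mapper/mainvolume-swapLV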

# installinnnnggg!!
debootstrap --arch=i386 wheezy /target http://ftp.us.debian.org/debian

# bind mount a few directories and chroot into the new system to do some setup
mount -o bind /dev /target/dev
mount -o bind /dev/pts /target/dev/pts
mount -o bind /sys /target/sys
mount -o bind /proc /target/proc

# chroot into newly installed system
chroot /target
# the new system complains about the LOCALE not being set; prepare the fix for it,
# but this has to wait until the locales-all package is installed.
nano /etc/default/locale

# fill in file with:

LANG="en_US.UTF-8"
LANGUAGE=""
LC_MESSAGES="en_US.UTF-8"
COUNTRY="US"

# update sources.list, install locales
nano /etc/apt/sources.list

# update file to contain:

# standard Debian Wheezy repositories
deb http://ftp.us.debian.org/debian/ wheezy main
deb http://ftp.us.debian.org/debian/ wheezy-updates main
deb http://security.debian.org/ wheezy/updates main

# update repository lists, install locales, update locale
aptitude update
aptitude install locales-all
update-locale

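# use aptitude to install a linux-image and grub2
# (cryptsetup and lvm2 are also needed inside the new system so that the
# initramfs can unlock the LUKS volume and activate LVM at boot)
aptitude install linux-image grub2 cryptsetup lvm2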

# run blkid to discover the UUID identifiers for the filesystems to mount
blkid
# use this info for manual entries in /etc/fstab and /etc/crypttab

# then run update-initramfs again:
update-initramfs -k all -u
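
The blkid step above leaves the /etc/crypttab and /etc/fstab entries to be written by hand. The following is an added example, not part of the original page: a POSIX shell script that builds those entries from blkid output, using the device and mapping names from the steps above. The UUIDs are constructed sample values, and the mount options (errors=remount-ro, defaults, sw) are assumed typical choices.

```shell
#!/bin/sh
# Added example (not from the original page): derive /etc/crypttab and
# /etc/fstab entries from blkid output. UUIDs below are constructed samples.
# On the installed system, replace the sample with: BLKID_OUT=$(blkid)
BLKID_OUT='/dev/sda2: LABEL="boot" UUID="11111111-1111-4111-8111-111111111111" TYPE="ext4"
/dev/sda3: UUID="22222222-2222-4222-8222-222222222222" TYPE="crypto_LUKS"
/dev/mapper/sda3_decrypt: UUID="Abc123-0000-1111-2222-3333-4444-Def456" TYPE="LVM2_member"
/dev/mapper/mainvolume-rootLV: LABEL="rootLV" UUID="33333333-3333-4333-8333-333333333333" TYPE="ext4"
/dev/mapper/mainvolume-swapLV: UUID="44444444-4444-4444-8444-444444444444" TYPE="swap"
/dev/mapper/mainvolume-homeLV: LABEL="homeLV" UUID="55555555-5555-4555-8555-555555555555" TYPE="ext4"'

# field_of DEVICE KEY: print the value of KEY="..." on DEVICE's blkid line
field_of() {
    printf '%s\n' "$BLKID_OUT" | sed -n "s|^$1:.* $2=\"\([^\"]*\)\".*|\1|p"
}

# crypttab_line NAME DEVICE: the source must be the LUKS container itself,
# not the opened mapping, or the initramfs has nothing to unlock at boot.
crypttab_line() {
    if [ "$(field_of "$2" TYPE)" != "crypto_LUKS" ]; then
        echo "$2 is not a LUKS container" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$1" "$(field_of "$2" UUID)"
}

# fstab_line DEVICE MOUNTPOINT OPTIONS PASS: filesystem type comes from blkid
fstab_line() {
    uuid=$(field_of "$1" UUID)
    [ -n "$uuid" ] || { echo "no UUID for $1" >&2; return 1; }
    printf 'UUID=%s %s %s %s 0 %s\n' "$uuid" "$2" "$(field_of "$1" TYPE)" "$3" "$4"
}

# Print the entries for the layout built above; review before writing to /etc.
echo "# /etc/crypttab"
crypttab_line sda3_decrypt /dev/sda3
echo "# /etc/fstab"
fstab_line /dev/mapper/mainvolume-rootLV / errors=remount-ro 1
fstab_line /dev/sda2 /boot defaults 2
fstab_line /dev/mapper/mainvolume-homeLV /home defaults 2
fstab_line /dev/mapper/mainvolume-swapLV none sw 0
```

The crypttab name (sda3_decrypt) must match the mapping the volume group was created on; otherwise the LVM volumes will not be found at boot.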


March 07, 2015, at 04:05 PM