Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Guide which explains an installation of Debian Stretch with full disk encryption (including "/boot" partition, containing initramfs+kernel) by using Debian Jessie Live.

Debian Stretch - Full Disk Encryption

This documents guides you through the process to install Debian Stretch with Full Disk Encryption. The following requirements exist:

  • Mainboard with UEFI-Support
  • Debian Stretch Live CD booted from UEFI
  • Two unformatted, unpartitioned HDDs/SSDs for Software RAID1 with mdmadm

After following this guide, you will end up with a setup like this:

  • Redundant GRUB Standalone EFI installation on both disks
  • Fully-encrypted "/boot" partition (LUKS on MDADM), unlockable through console or serial terminal
  • Fully-encrypted "/" LVM volume (LVM on LUKS on MDADM), unlockable through console or serial terminal or dropbear (SSH)
  • Auto-mount of "/boot" partition once entering "/" through 4096bit LUKS key (no need to enter passphrase twice)
  • Fully integrated into standardized Debian update processes (e.g.: no manual initramfs changes needed after kernel upgrades)
  • Ability to sign your GRUB EFI installation with own Secure Boot keys (not part of this guide)

Without further ado, here are all the required steps:

$ hostname <HOSTNAME>

$ export DOMAIN=<DOMAIN>

$ echo -e "127.0.0.1 $(hostname -s).$DOMAIN $(hostname -s)\n::1 $(hostname -s).$DOMAIN $(hostname -s)" > /etc/hosts

$ apt-get install gdisk cryptsetup lvm2 dosfstools debootstrap tree vim mdadm

$ gdisk /dev/sda
> o
> n, <blank>, <blank>, +512M, ef00
> n, <blank>, <blank>, +512M, fd00
> n, <blank>, <blank>, <blank>, fd00
> p
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System
   2         1050624         2099199   512.0 MiB   FD00  Linux RAID
   3         2099200        20971486   9.0 GiB     FD00  Linux RAID
> w

$ gdisk /dev/sdb
> Repeat partition configuration...

$ mdadm --create /dev/md/boot --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2

$ mdadm --create /dev/md/lvm --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3

$ mkfs.vfat -F32 /dev/sda1

$ mkfs.vfat -F32 /dev/sdb1

$ cryptsetup luksFormat /dev/md/lvm

$ cryptsetup open /dev/md/lvm crypto-lvm

$ pvcreate /dev/mapper/crypto-lvm

$ vgcreate vgc-main /dev/mapper/crypto-lvm

$ lvcreate -L5G -n lvc-root vgc-main

$ mkfs.ext4 /dev/mapper/vgc--main-lvc--root

$ mount /dev/mapper/vgc--main-lvc--root /mnt

$ cryptsetup luksFormat /dev/md/boot

$ cryptsetup open /dev/md/boot crypto-boot

$ mkfs.ext2 /dev/mapper/crypto-boot

$ mkdir /mnt/boot

$ chmod 000 /mnt/boot

$ chattr +i /mnt/boot

$ mount /dev/mapper/crypto-boot /mnt/boot

$ mkdir /mnt/boot/grub-efi-sd{a,b}

$ chmod 000 /mnt/boot/grub-efi-sd{a,b}

$ chattr +i /mnt/boot/grub-efi-sd{a,b}

$ mount /dev/sda1 /mnt/boot/grub-efi-sda

$ mount /dev/sdb1 /mnt/boot/grub-efi-sdb

$ debootstrap --arch amd64 stretch /mnt http://mirror.switch.ch/ftp/mirror/debian

$ mount -t proc none /mnt/proc

$ mount -t tmpfs none /mnt/tmp

$ mount -o bind /dev /mnt/dev

$ mount -o bind /sys /mnt/sys

$ LANG=C chroot /mnt /bin/bash

# apt-get install grub2-common grub-efi vim cryptsetup lvm2 mdadm vim tree xz-utils

# blkid /dev/md/boot
# blkid /dev/md/lvm
> Copy UUID strings

# vim /etc/lvm/lvm.conf
> Modify: use_lvmetad = 1 --> use_lvmetad = 0

# systemctl disable lvm2-lvmetad.socket lvm2-lvmetad.service

# vim /etc/default/grub
> Modify: GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 ip=<IP ADDRESS>::<IP GATEWAY>:<IP NETMASK>::<DEVICE>:off"
> Add: GRUB_ENABLE_CRYPTODISK=y
> Add: GRUB_TERMINAL="console serial"
> Add: GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

# apt-get install linux-image-amd64

# dd bs=512 count=8 if=/dev/urandom of=/etc/crypto-boot.lkey

# chmod 400 /etc/crypto-boot.lkey

# chattr +i /etc/crypto-boot.lkey

# cryptsetup luksAddKey /dev/md/boot /etc/crypto-boot.lkey

# vim /etc/crypttab
crypto-lvm UUID=<UUID of /dev/md/lvm> none luks
crypto-boot UUID=<UUID of /dev/md/boot> /etc/crypto-boot.lkey luks

# vim /etc/fstab
/dev/mapper/vgc--main-lvc--root / ext4 defaults 0 1
/dev/mapper/crypto-boot /boot ext2 defaults,noatime 0 2
UUID=<UUID of /dev/sda1> /boot/grub-efi-sda vfat defaults,noatime 0 2
UUID=<UUID of /dev/sdb1> /boot/grub-efi-sdb vfat defaults,noatime 0 2

# update-initramfs -u

# mkdir /boot/grub

# chmod 700 /boot/grub

# mkdir -p /boot/grub-efi-sda/EFI/grub-efi-sda

# mkdir -p /boot/grub-efi-sdb/EFI/grub-efi-sdb

# cp /usr/sbin/update-grub{,.bak}

# vim /usr/sbin/update-grub-efi
#!/bin/sh
set -e
grub-mkconfig -o /boot/grub/grub.cfg "$@"
grub-mkstandalone --directory /usr/lib/grub/x86_64-efi --output /boot/grub-efi-sda/EFI/grub-efi-sda/grubx64.efi --format x86_64-efi --compress=xz --themes='' /boot/grub/grub.cfg
grub-mkstandalone --directory /usr/lib/grub/x86_64-efi --output /boot/grub-efi-sdb/EFI/grub-efi-sdb/grubx64.efi --format x86_64-efi --compress=xz --themes='' /boot/grub/grub.cfg

# chmod +x /usr/sbin/update-grub-efi

# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub

# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub2

# dpkg-divert --add /usr/sbin/update-grub

# dpkg-divert --add /usr/sbin/update-grub2

# update-grub

# efibootmgr -c -d /dev/sda -p 1 -w -L "GRUB EFI (/dev/sda)" -l /EFI/grub-efi-sda/grubx64.efi

# efibootmgr -c -d /dev/sdb -p 1 -w -L "GRUB EFI (/dev/sdb)" -l /EFI/grub-efi-sdb/grubx64.efi

# apt-get install openssh-server

# systemctl enable ssh

# vim /etc/ssh/sshd_config
> Ensure: PasswordAuthentication yes
> Ensure: PermitRootLogin yes

# vim /etc/network/interfaces.d/...
> Create your required network interface configurations

# passwd

# apt-get install busybox dropbear

# vim /etc/dropbear-initramfs/authorized_keys
> Paste SSH pubkey for Dropbear Unlocking...

# chmod 400 /etc/dropbear-initramfs/authorized_keys

# update-initramfs -u

# exit

$ umount /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/boot/grub-efi-sda /mnt/boot/grub-efi-sdb /mnt/boot /mnt

$ reboot
@vogelfreiheit
Copy link

vogelfreiheit commented Oct 14, 2018

Reproducing this in a VM gives 'Device or resource busy' when attempting to format the sda1 EFI partition.

@bharrisau
Copy link

bharrisau commented Mar 25, 2019

Edit: this needs sed -i "s/^#CRYPTSETUP=$/CRYPTSETUP=y/" /etc/cryptsetup-initramfs/conf-hook to ensure the crypto modules are available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment