This documents guides you through the process to install Debian Stretch with Full Disk Encryption. The following requirements exist:
- Mainboard with UEFI-Support
- Debian Stretch Live CD booted from UEFI
- Two unformatted, unpartitioned HDDs/SSDs for Software RAID1 with mdmadm
After following this guide, you will end up with a setup like this:
- Redundant GRUB Standalone EFI installation on both disks
- Fully-encrypted "/boot" partition (LUKS on MDADM), unlockable through console or serial terminal
- Fully-encrypted "/" LVM volume (LVM on LUKS on MDADM), unlockable through console or serial terminal or dropbear (SSH)
- Auto-mount of "/boot" partition once entering "/" through 4096bit LUKS key (no need to enter passphrase twice)
- Fully integrated into standardized Debian update processes (e.g.: no manual initramfs changes needed after kernel upgrades)
- Ability to sign your GRUB EFI installation with own Secure Boot keys (not part of this guide)
Without further ado, here are all the required steps:
$ hostname <HOSTNAME>
$ export DOMAIN=<DOMAIN>
$ echo -e "127.0.0.1 $(hostname -s).$DOMAIN $(hostname -s)\n::1 $(hostname -s).$DOMAIN $(hostname -s)" > /etc/hosts
$ apt-get install gdisk cryptsetup lvm2 dosfstools debootstrap tree vim mdadm
$ gdisk /dev/sda
> o
> n, <blank>, <blank>, +512M, ef00
> n, <blank>, <blank>, +512M, fd00
> n, <blank>, <blank>, <blank>, fd00
> p
Number Start (sector) End (sector) Size Code Name
1 2048 1050623 512.0 MiB EF00 EFI System
2 1050624 2099199 512.0 MiB FD00 Linux RAID
3 2099200 20971486 9.0 GiB FD00 Linux RAID
> w
$ gdisk /dev/sdb
> Repeat partition configuration...
$ mdadm --create /dev/md/boot --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
$ mdadm --create /dev/md/lvm --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3
$ mkfs.vfat -F32 /dev/sda1
$ mkfs.vfat -F32 /dev/sdb1
$ cryptsetup luksFormat /dev/md/lvm
$ cryptsetup open /dev/md/lvm crypto-lvm
$ pvcreate /dev/mapper/crypto-lvm
$ vgcreate vgc-main /dev/mapper/crypto-lvm
$ lvcreate -L5G -n lvc-root vgc-main
$ mkfs.ext4 /dev/mapper/vgc--main-lvc--root
$ mount /dev/mapper/vgc--main-lvc--root /mnt
$ cryptsetup luksFormat /dev/md/boot
$ cryptsetup open /dev/md/boot crypto-boot
$ mkfs.ext2 /dev/mapper/crypto-boot
$ mkdir /mnt/boot
$ chmod 000 /mnt/boot
$ chattr +i /mnt/boot
$ mount /dev/mapper/crypto-boot /mnt/boot
$ mkdir /mnt/boot/grub-efi-sd{a,b}
$ chmod 000 /mnt/boot/grub-efi-sd{a,b}
$ chattr +i /mnt/boot/grub-efi-sd{a,b}
$ mount /dev/sda1 /mnt/boot/grub-efi-sda
$ mount /dev/sdb1 /mnt/boot/grub-efi-sdb
$ debootstrap --arch amd64 stretch /mnt http://mirror.switch.ch/ftp/mirror/debian
$ mount -t proc none /mnt/proc
$ mount -t tmpfs none /mnt/tmp
$ mount -o bind /dev /mnt/dev
$ mount -o bind /sys /mnt/sys
$ LANG=C chroot /mnt /bin/bash
# apt-get install grub2-common grub-efi vim cryptsetup lvm2 mdadm vim tree xz-utils
# blkid /dev/md/boot
# blkid /dev/md/lvm
> Copy UUID strings
# vim /etc/lvm/lvm.conf
> Modify: use_lvmetad = 1 --> use_lvmetad = 0
# systemctl disable lvm2-lvmetad.socket lvm2-lvmetad.service
# vim /etc/default/grub
> Modify: GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 ip=<IP ADDRESS>::<IP GATEWAY>:<IP NETMASK>::<DEVICE>:off"
> Add: GRUB_ENABLE_CRYPTODISK=y
> Add: GRUB_TERMINAL="console serial"
> Add: GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
# apt-get install linux-image-amd64
# dd bs=512 count=8 if=/dev/urandom of=/etc/crypto-boot.lkey
# chmod 400 /etc/crypto-boot.lkey
# chattr +i /etc/crypto-boot.lkey
# cryptsetup luksAddKey /dev/md/boot /etc/crypto-boot.lkey
# vim /etc/crypttab
crypto-lvm UUID=<UUID of /dev/md/lvm> none luks
crypto-boot UUID=<UUID of /dev/md/boot> /etc/crypto-boot.lkey luks
# vim /etc/fstab
/dev/mapper/vgc--main-lvc--root / ext4 defaults 0 1
/dev/mapper/crypto-boot /boot ext2 defaults,noatime 0 2
UUID=<UUID of /dev/sda1> /boot/grub-efi-sda vfat defaults,noatime 0 2
UUID=<UUID of /dev/sdb1> /boot/grub-efi-sdb vfat defaults,noatime 0 2
# update-initramfs -u
# mkdir /boot/grub
# chmod 700 /boot/grub
# mkdir -p /boot/grub-efi-sda/EFI/grub-efi-sda
# mkdir -p /boot/grub-efi-sdb/EFI/grub-efi-sdb
# cp /usr/sbin/update-grub{,.bak}
# vim /usr/sbin/update-grub-efi
#!/bin/sh
set -e
grub-mkconfig -o /boot/grub/grub.cfg "$@"
grub-mkstandalone --directory /usr/lib/grub/x86_64-efi --output /boot/grub-efi-sda/EFI/grub-efi-sda/grubx64.efi --format x86_64-efi --compress=xz --themes='' /boot/grub/grub.cfg
grub-mkstandalone --directory /usr/lib/grub/x86_64-efi --output /boot/grub-efi-sdb/EFI/grub-efi-sdb/grubx64.efi --format x86_64-efi --compress=xz --themes='' /boot/grub/grub.cfg
# chmod +x /usr/sbin/update-grub-efi
# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub
# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub2
# dpkg-divert --add /usr/sbin/update-grub
# dpkg-divert --add /usr/sbin/update-grub2
# update-grub
# efibootmgr -c -d /dev/sda -p 1 -w -L "GRUB EFI (/dev/sda)" -l /EFI/grub-efi-sda/grubx64.efi
# efibootmgr -c -d /dev/sdb -p 1 -w -L "GRUB EFI (/dev/sdb)" -l /EFI/grub-efi-sdb/grubx64.efi
# apt-get install openssh-server
# systemctl enable ssh
# vim /etc/ssh/sshd_config
> Ensure: PasswordAuthentication yes
> Ensure: PermitRootLogin yes
# vim /etc/network/interfaces.d/...
> Create your required network interface configurations
# passwd
# apt-get install busybox dropbear
# vim /etc/dropbear-initramfs/authorized_keys
> Paste SSH pubkey for Dropbear Unlocking...
# chmod 400 /etc/dropbear-initramfs/authorized_keys
# update-initramfs -u
# exit
$ umount /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/boot/grub-efi-sda /mnt/boot/grub-efi-sdb /mnt/boot /mnt
$ reboot
Reproducing this in a VM gives 'Device or resource busy' when attempting to format the sda1 EFI partition.