Guide explaining how to install Debian Stretch with full disk encryption (including the "/boot" partition, which holds the kernel and initramfs) from a Debian Jessie Live system.

Debian Stretch - Full Disk Encryption

This document guides you through installing Debian Stretch with full disk encryption. The following requirements must be met:

  • Mainboard with UEFI-Support
  • Debian Stretch Live CD booted in UEFI mode (the efibootmgr steps below can only write NVRAM boot entries when the live system itself was booted via UEFI)
  • Two unformatted, unpartitioned HDDs/SSDs for software RAID1 with mdadm

After following this guide, you will end up with a setup like this:

  • Redundant GRUB Standalone EFI installation on both disks
  • Fully-encrypted "/boot" partition (LUKS on MDADM), unlockable through console or serial terminal. GRUB can only open LUKS1 containers, so this one must stay LUKS1; on releases where cryptsetup defaults to LUKS2, add `--type luks1` to the luksFormat call for /dev/md/boot.
  • Fully-encrypted "/" LVM volume (LVM on LUKS on MDADM), unlockable through console or serial terminal or dropbear (SSH)
  • Auto-mount of the "/boot" partition once "/" is open, via a 4096-byte random LUKS keyfile stored on the encrypted root (no need to enter a passphrase twice). The keyfile's protection is exactly that of the root volume: anything that can read the unlocked root filesystem — including backups of it — can also unlock "/boot".
  • Fully integrated into standardized Debian update processes (e.g.: no manual initramfs changes needed after kernel upgrades)
  • Ability to sign your GRUB EFI installation with own Secure Boot keys (not part of this guide)

Without further ado, here are all the required steps:

$ hostname <HOSTNAME>

$ export DOMAIN=<DOMAIN>

$ echo -e " $(hostname -s).$DOMAIN $(hostname -s)\n::1 $(hostname -s).$DOMAIN $(hostname -s)" > /etc/hosts

$ apt-get install gdisk cryptsetup lvm2 dosfstools debootstrap tree vim mdadm

$ gdisk /dev/sda
> o
> n, <blank>, <blank>, +512M, ef00
> n, <blank>, <blank>, +512M, fd00
> n, <blank>, <blank>, <blank>, fd00
> p
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System
   2         1050624         2099199   512.0 MiB   FD00  Linux RAID
   3         2099200        20971486   9.0 GiB     FD00  Linux RAID
> w

$ gdisk /dev/sdb
> Repeat the same partition layout as on /dev/sda (identical sizes and type codes, so the RAID members match)

$ mdadm --create /dev/md/boot --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2

$ mdadm --create /dev/md/lvm --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3

$ mkfs.vfat -F32 /dev/sda1

$ mkfs.vfat -F32 /dev/sdb1

$ cryptsetup luksFormat /dev/md/lvm

$ cryptsetup open /dev/md/lvm crypto-lvm

$ pvcreate /dev/mapper/crypto-lvm

$ vgcreate vgc-main /dev/mapper/crypto-lvm

$ lvcreate -L5G -n lvc-root vgc-main

$ mkfs.ext4 /dev/mapper/vgc--main-lvc--root

$ mount /dev/mapper/vgc--main-lvc--root /mnt

$ cryptsetup luksFormat /dev/md/boot

$ cryptsetup open /dev/md/boot crypto-boot

$ mkfs.ext2 /dev/mapper/crypto-boot

$ mkdir /mnt/boot

$ chmod 000 /mnt/boot

$ chattr +i /mnt/boot

$ mount /dev/mapper/crypto-boot /mnt/boot

$ mkdir /mnt/boot/grub-efi-sd{a,b}

$ chmod 000 /mnt/boot/grub-efi-sd{a,b}

$ chattr +i /mnt/boot/grub-efi-sd{a,b}

$ mount /dev/sda1 /mnt/boot/grub-efi-sda

$ mount /dev/sdb1 /mnt/boot/grub-efi-sdb

$ debootstrap --arch amd64 stretch /mnt

$ mount -t proc none /mnt/proc

$ mount -t tmpfs none /mnt/tmp

$ mount -o bind /dev /mnt/dev

$ mount -o bind /sys /mnt/sys

$ LANG=C chroot /mnt /bin/bash

# apt-get install grub2-common grub-efi vim cryptsetup lvm2 mdadm vim tree xz-utils

# blkid /dev/md/boot
# blkid /dev/md/lvm
> Copy the UUID values printed for both arrays; these are the LUKS container UUIDs referenced in /etc/crypttab below

# vim /etc/lvm/lvm.conf
> Modify: use_lvmetad = 1 --> use_lvmetad = 0

# systemctl disable lvm2-lvmetad.socket lvm2-lvmetad.service

# vim /etc/default/grub
> Modify: GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 ip=<IP ADDRESS>::<IP GATEWAY>:<IP NETMASK>::<DEVICE>:off"
> Add: GRUB_TERMINAL="console serial"
> Add: GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

# apt-get install linux-image-amd64

# dd bs=512 count=8 if=/dev/urandom of=/etc/crypto-boot.lkey

# chmod 400 /etc/crypto-boot.lkey

# chattr +i /etc/crypto-boot.lkey

# cryptsetup luksAddKey /dev/md/boot /etc/crypto-boot.lkey

# vim /etc/crypttab
crypto-lvm UUID=<UUID of /dev/md/lvm> none luks
crypto-boot UUID=<UUID of /dev/md/boot> /etc/crypto-boot.lkey luks

# vim /etc/fstab
/dev/mapper/vgc--main-lvc--root / ext4 defaults 0 1
/dev/mapper/crypto-boot /boot ext2 defaults,noatime 0 2
UUID=<UUID of /dev/sda1> /boot/grub-efi-sda vfat defaults,noatime 0 2
UUID=<UUID of /dev/sdb1> /boot/grub-efi-sdb vfat defaults,noatime 0 2

# update-initramfs -u

# mkdir /boot/grub

# chmod 700 /boot/grub

# mkdir -p /boot/grub-efi-sda/EFI/grub-efi-sda

# mkdir -p /boot/grub-efi-sdb/EFI/grub-efi-sdb

# cp /usr/sbin/update-grub{,.bak}

# vim /usr/sbin/update-grub-efi
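#!/bin/sh
# Replacement for update-grub (installed via dpkg-divert): regenerate
# grub.cfg, then rebuild the standalone GRUB EFI image on each ESP so
# both disks stay bootable. The kernel/grub postinst hooks call
# update-grub, so this runs automatically on upgrades. A shebang is
# required because the file is invoked directly via its executable bit.
set -eu

# Arguments are passed straight through to grub-mkconfig, as the stock
# update-grub does.
grub-mkconfig -o /boot/grub/grub.cfg "$@"

# The standalone image embeds grub.cfg, so it must be rebuilt whenever
# the config changes. Each ESP is mounted at /boot/grub-efi-<disk>.
for disk in sda sdb; do
  grub-mkstandalone \
    --directory /usr/lib/grub/x86_64-efi \
    --format x86_64-efi \
    --compress=xz \
    --themes='' \
    --output "/boot/grub-efi-${disk}/EFI/grub-efi-${disk}/grubx64.efi" \
    /boot/grub/grub.cfg
done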

# chmod +x /usr/sbin/update-grub-efi

# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub

# ln -sf /usr/sbin/update-grub-efi /usr/sbin/update-grub2

# dpkg-divert --add /usr/sbin/update-grub

# dpkg-divert --add /usr/sbin/update-grub2

# update-grub

# efibootmgr -c -d /dev/sda -p 1 -w -L "GRUB EFI (/dev/sda)" -l /EFI/grub-efi-sda/grubx64.efi

# efibootmgr -c -d /dev/sdb -p 1 -w -L "GRUB EFI (/dev/sdb)" -l /EFI/grub-efi-sdb/grubx64.efi

# apt-get install openssh-server

# systemctl enable ssh

# vim /etc/ssh/sshd_config
> Ensure: PasswordAuthentication yes (only while you still need password logins; set it to no once your SSH key is installed)
> Ensure: PermitRootLogin yes (this exposes root to online password guessing; prefer `PermitRootLogin prohibit-password` so root can only log in with a key)

# vim /etc/network/interfaces.d/...
> Create your required network interface configurations

# passwd

# apt-get install busybox dropbear

# vim /etc/dropbear-initramfs/authorized_keys
> Paste the SSH public key that is allowed to unlock the root volume from the initramfs. dropbear-initramfs generates its own host keys, so clients will see a host-key mismatch against the normal OpenSSH daemon on the same address unless you run dropbear on a different port or keep a separate known_hosts entry for it.

# chmod 400 /etc/dropbear-initramfs/authorized_keys

# update-initramfs -u

# exit

$ umount /mnt/dev /mnt/proc /mnt/sys /mnt/tmp /mnt/boot/grub-efi-sda /mnt/boot/grub-efi-sdb /mnt/boot /mnt

$ reboot


commented Oct 14, 2018

Reproducing this in a VM gives 'Device or resource busy' when attempting to format the sda1 EFI partition.



commented Mar 25, 2019

Edit: this also needs sed -i "s/^#CRYPTSETUP=$/CRYPTSETUP=y/" /etc/cryptsetup-initramfs/conf-hook so that cryptsetup and the crypto kernel modules are included in the initramfs.
