[SOLVED] Questions about Debian full disk encryption
Hi everyone!
Pretty soon I am going to format my laptop (Debian 8 Gnome) and install Debian 9 Gnome with full disk encryption thanks to the netinstaller. I would like to create a separate partition for home, in case I need to reinstall Debian (as if Debian ever needed to be reinstalled) but is it (easily) possible with full disk encryption and using Debian netinstaller? Also, is it possible to resize those partitions? I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines. Is it possible to use system-config-lvm for that purpose? I have never used logical volumes before. If all of this is impossible, I will simply use a single partition. Thank you for your help!
Last edited by f.r3d on 2017-10-16 19:39, edited 6 times in total.
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
- alan stone
- Posts: 269
- Joined: 2011-10-22 14:08
- Location: In my body.
Re: Questions about Debian full disk encryption
f.r3d wrote: I have never used...
How about using a web search engine? And search for example this, this and this. It won't hurt stretching search terms with "debian 9..." or "debian stretch..." either.
Re: Questions about Debian full disk encryption
if you admittedly have a hard time doing your own research, i really do not recommend full disk encryption!
imho, the benefits of it, compared to home encryption, have no relation to the additional effort.
in other words, full disk encryption is much harder than encrypting a non-boot partition.
Re: Questions about Debian full disk encryption
I don't mean FULL encryption, I mean all partitions except /boot. I did a bit of research here, here and here. I did some try and retry in a virtualbox to manually create a system with an unencrypted /boot and an encrypted logical volume manager within which are / , /home and swap. Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source). Now I know how to manually create an encrypted system, I just need to learn how to properly resize the logical volumes and try to reinstall the system by only formatting the / logical volume.
Last edited by f.r3d on 2017-10-08 08:56, edited 1 time in total.
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Questions about Debian full disk encryption
by f.r3d » I just need to learn how to properly resize the logical volumes
how to properly resize the logical volumes on Debian
You should be able to use 'fdisk', there is very detailed information here:
https://www.tecmint.com/extend-and-redu ... -in-linux/
and more:
https://wiki.debian.org/LVM
and even more in some of the other results.
also very useful :
Code:
man fdisk
Code:
man resize2fs
Quote: I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines.
I don't know of any GUI partition manager that is very versatile, you are going
to just need to learn about using the CLI, it would be wise to get a usb stick,
one that has no data, and practice a little, try some basic partitions at first,
after you are comfortable with fdisk, and some of the other commands, you will be ready to try it on the real hd.
Last edited by GarryRicketson on 2017-10-08 13:18, edited 1 time in total.
"What we expect you have already Done"
==========
Old Website
======================
For the Birds
==================
What Does a Parrot Know About PTSD?
Re: Questions about Debian full disk encryption
So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system (source). In that case I will simply create a unique / logical volume ( / + /home) and a swap.
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
Re: Questions about Debian full disk encryption
f.r3d wrote: Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source).
thanks for sharing this!
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: Questions about Debian full disk encryption
f.r3d wrote: So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system.
Yes, it is a flaw of the Debian installer. But it is not totally impossible. There are workarounds using the installer embedded shell.
Open the encrypted device with cryptsetup luksOpen.
Activate logical volumes with vgchange -ay.
Create /target/etc/crypttab.
Go back to the installer interface to assign mountpoints to the volumes, proceed with the installation
Before rebooting, install cryptsetup with apt-install.
Re: [SOLVED] Questions about Debian full disk encryption
Thank you very much for this tip!
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
Re: [SOLVED] Questions about Debian full disk encryption
@p.H could you be a bit more specific in your explanation please? I'm having a hard time finding the (correct) console in the netinstaller and using the commands...
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: [SOLVED] Questions about Debian full disk encryption
I have only done this once on a test installation and did not write all the steps, so I may have forgotten some of them or the right order.
Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Open the encrypted device with a command such as
Code:
cryptsetup luksOpen /dev/sda3 sda3_crypt
Type the passphrase as required.
Enable all logical volumes.
Code:
vgscan
vgchange -ay
Create /target/etc/crypttab with nano or whatever you like and fill it with the line to open the encrypted device. See the crypttab man page (not available in the installer) for details. Use the UUID displayed by blkid instead of the device name, because the device name might change across reboots.
Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with
Code:
apt-install cryptsetup
Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Proceed as usual.
If something goes wrong when booting the installed system, you can start again the installer in rescue mode to fix things.
Re: Questions about Debian full disk encryption
OK, so I read your instructions and I completed them with what I found here, here, here and here.
Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Now you need to install/load the tools to open the encrypted partition.
Code:
anna-install cryptsetup-udeb partman-crypto-dm
depmod -a
cryptsetup luksOpen /dev/sda5 sda5_crypt
Type the passphrase as required.
Enable all logical volumes.
Code:
vgscan
vgchange -ay
Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with
Code:
apt-install cryptsetup
Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Finish the installation as usual.
Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs) as opposed to when you create and install a new LUKS+LVM during a typical installation.
Grub will give an error to load one partition (the encrypted partition).
To fix this, use the recovery mode from the netinstaller (the recovery mode on the system does not work since it is kept in the / in the encrypted partition).
The netinstaller will ask you the passphrase to open the encrypted partition. Open it. Start a console from the encrypted / .
Code:
nano /etc/crypttab
Add this line
Code:
sda5_crypt UUID=[UUID of physical device holding LUKS+LVM partition] none luks
Then regenerate initramfs
Code:
update-initramfs -u -k all
Save and restart the computer and it's done!
I don't know if you can make it shorter than that by directly editing /etc/crypttab from the netinstaller when reinstalling...
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: [SOLVED] Questions about Debian full disk encryption
f.r3d wrote: Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs)
I said to create crypttab from the installer shell in my instructions.
f.r3d wrote: Grub will give an error to load one partition (the encrypted partition).
I do not remember this. Or at least it was not a fatal error, but only a failure to load a font or background image.
GRUB only needs to read the contents of /boot, which is not encrypted, in order to load the kernel image and the initramfs. Then the initramfs needs to unlock the encrypted volume in order to find and mount the root filesystem.
f.r3d wrote: UUID of physical device holding LUKS+LVM partition
It is not a physical device but a LUKS container.
Re: [SOLVED] Questions about Debian full disk encryption
Quote: I said to create crypttab from the installer shell in my instructions.
ok but I do not understand how you do that...
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /
-
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: [SOLVED] Questions about Debian full disk encryption
It's the same procedure as you did in the installer rescue mode. Just prefix the path with /target because it is the mount point for the installed system root in the installer.
It may be difficult to copy the UUID by hand. So I usually append the output of blkid to the file and then edit the line with nano.
Code:
blkid /dev/sda5 >> /target/etc/crypttab
nano /target/etc/crypttab
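
The crypttab step discussed in the posts above, as an added example that is not part of the original thread: a POSIX shell helper that turns one line of blkid output into the crypttab entry and refuses a UUID that does not belong to a LUKS container. The function names and both sample blkid lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the crypttab entry from a blkid output line.
# Device names and UUIDs below are constructed sample values.

# blkid_field LINE KEY -> value of KEY="..." in a blkid output line.
# The leading space in the pattern keeps UUID from matching PARTUUID.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# crypttab_line NAME BLKID_LINE -> "NAME UUID=<uuid> none luks"
# Returns 1 unless the line describes a LUKS container, so the UUID of
# the opened mapping or of the LVM physical volume is not used by mistake.
crypttab_line() {
    name=$1
    line=$2
    type=$(blkid_field "$line" TYPE)
    uuid=$(blkid_field "$line" UUID)
    if [ "$type" != "crypto_LUKS" ]; then
        echo "refusing: TYPE is '${type:-unknown}', not crypto_LUKS" >&2
        return 1
    fi
    if [ -z "$uuid" ]; then
        echo "refusing: no UUID in blkid output" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Constructed samples: the encrypted partition, and the opened mapping
# (which blkid reports as an LVM physical volume).
LUKS_SAMPLE='/dev/sda5: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="0a1b2c3d-05"'
PV_SAMPLE='/dev/mapper/sda5_crypt: UUID="AbCdEf-0000-1111-2222-3333-4444-GhIjKl" TYPE="LVM2_member"'

crypttab_line sda5_crypt "$LUKS_SAMPLE"
crypttab_line sda5_crypt "$PV_SAMPLE" || echo "second sample rejected"

# In the installer shell the same function would be fed real output, e.g.:
#   crypttab_line sda5_crypt "$(blkid /dev/sda5)" >> /target/etc/crypttab
```

The mapping name in the first field has to match the name used with cryptsetup luksOpen, as in the crypttab line quoted earlier in the thread.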
Re: [SOLVED] Questions about Debian full disk encryption
So, as I suspected, it is pointless to configure /target/etc/crypttab before installing the system because the file is going to be erased...
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /