[SOLVED] Questions about Debian full disk encryption


Postby f.r3d » 2017-10-07 18:02

Hi everyone!
Pretty soon I am going to format my laptop (Debian 8 Gnome) and install Debian 9 Gnome with full disk encryption thanks to the netinstaller. I would like to create a separate partition for home, in case I need to reinstall Debian (as if Debian ever needed to be reinstalled) but is it (easily) possible with full disk encryption and using Debian netinstaller? Also, is it possible to resize those partitions? I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines. Is it possible to use system-config-lvm for that purpose? I have never used logical volumes before. If all of this is impossible, I will simply use a single partition. Thank you for your help!
Last edited by f.r3d on 2017-10-16 19:39, edited 6 times in total.
Debian 9 Gnome 64bits
LDLC Aurore BB5-I3-8-S1 Slim (Clevo W55xEU)
Intel Core i3-3120M / Intel HD Graphics 4000 / RAM 8 Go / Samsung SSD 840 120Go
f.r3d
 
Posts: 55
Joined: 2016-07-28 16:39
Location: France

Re: Questions about Debian full disk encryption

Postby alan stone » 2017-10-08 03:38

f.r3d wrote: I have never used...

How about using a web search engine? And search for example this, this and this. It won't hurt stretching search terms with "debian 9..." or "debian stretch..." either. :wink:
Debian 8.9 32bit, WM: Openbox
Computers are like air conditioners. They work fine until you start opening windows. - Author Unknown
Programming is like sex. One mistake and you have to support it for the rest of your life. - Michael Sinz
alan stone
 
Posts: 220
Joined: 2011-10-22 14:08
Location: In my body.

Re: Questions about Debian full disk encryption

Postby debiman » 2017-10-08 08:16

if you admittedly have a hard time doing your own research, i really do not recommend full disk encryption!

imho, the benefits of it, compared to home encryption, have no relation to the additional effort.
in other words, full disk encryption is much harder than encrypting a non-boot partition.
debiman
 
Posts: 1626
Joined: 2013-03-12 07:18

Re: Questions about Debian full disk encryption

Postby f.r3d » 2017-10-08 08:42

I don't mean FULL encryption, I mean all partitions except /boot. I did a bit of research here, here and here. I did some try and retry in a virtualbox to manually create a system with an unencrypted /boot and an encrypted logical volume manager within which are / , /home and swap. Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source). Now I know how to manually create an encrypted system, I just need to learn how to properly resize the logical volumes and try to reinstall the system by only formatting the / logical volume.
Last edited by f.r3d on 2017-10-08 08:56, edited 1 time in total.

Re: Questions about Debian full disk encryption

Postby GarryRicketson » 2017-10-08 08:51

f.r3d wrote: I just need to learn how to properly resize the logical volumes


how to properly resize the logical volumes on Debian
You should be able to use 'fdisk'; there is very detailed information here:
https://www.tecmint.com/extend-and-reduce-lvms-in-linux/
and more:
https://wiki.debian.org/LVM
and even more in some of the other results.
also very useful :
    man fdisk

and

    man resize2fs

============ edited ====
I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines.

I don't know of any GUI partition manager that is very versatile; you are going
to just need to learn about using the CLI. It would be wise to get a USB stick,
one that has no data, and practice a little. Try some basic partitions at first;
after you are comfortable with fdisk and some of the other commands, you will be ready to try it on the real HD.
Last edited by GarryRicketson on 2017-10-08 13:18, edited 1 time in total.
"What we expect you have already Done"

Before doing anything, read the Debian documentation:
Debian Documentation
How to ask the smart way
Debian Foro Español
======================
For the Birds
GarryRicketson
 
Posts: 4464
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Questions about Debian full disk encryption

Postby f.r3d » 2017-10-08 09:42

So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system (source). In that case I will simply create a unique / logical volume ( / + /home) and a swap.

Re: Questions about Debian full disk encryption

Postby debiman » 2017-10-08 17:09

f.r3d wrote: Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source).

thanks for sharing this!

Re: Questions about Debian full disk encryption

Postby p.H » 2017-10-13 19:46

f.r3d wrote: So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system.

Yes, it is a flaw of the Debian installer. But it is not totally impossible. There are workarounds using the installer embedded shell.
Open the encrypted device with cryptsetup luksOpen.
Activate logical volumes with vgchange -ay.
Create /target/etc/crypttab.
Go back to the installer interface to assign mountpoints to the volumes, proceed with the installation.
Before rebooting, install cryptsetup with apt-install.
p.H
 
Posts: 177
Joined: 2017-09-17 07:12

Re: [SOLVED] Questions about Debian full disk encryption

Postby f.r3d » 2017-10-13 20:06

Thank you very much for this tip!

Re: [SOLVED] Questions about Debian full disk encryption

Postby f.r3d » 2017-10-14 08:41

@p.H could you be a bit more specific in your explanation please? I'm having a hard time finding the (correct) console in the netinstaller and using the commands...

Re: [SOLVED] Questions about Debian full disk encryption

Postby p.H » 2017-10-14 09:16

I have only done this once on a test installation and did not write all the steps, so I may have forgotten some of them or the right order.

Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Open the encrypted device with a command such as
    cryptsetup luksOpen /dev/sda3 sda3_crypt

Type the passphrase as required.
Enable all logical volumes.
    vgscan
    vgchange -ay

Create /target/etc/crypttab with nano or whatever you like and fill it with the line to open the encrypted device. See the crypttab man page (not available in the installer) for details. Use the UUID displayed by blkid instead of the device name, because the device name might change across reboots.
Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with

    apt-install cryptsetup

Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Proceed as usual.

If something goes wrong when booting the installed system, you can start again the installer in rescue mode to fix things.

Re: Questions about Debian full disk encryption

Postby f.r3d » 2017-10-15 13:40

OK, so I read your instructions and I completed them with what I found here, here, here and here.

Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Now you need to install/load the tools to open the encrypted partition.
    anna-install cryptsetup-udeb partman-crypto-dm
    depmod -a
    cryptsetup luksOpen /dev/sda5 sda5_crypt

Type the passphrase as required.
Enable all logical volumes.
    vgscan
    vgchange -ay

Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with

    apt-install cryptsetup

Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Finish the installation as usual.

Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs) as opposed to when you create and install a new LUKS+LVM during a typical installation.
Grub will give an error to load one partition (the encrypted partition).
To fix this, use the recovery mode from the netinstaller (the recovery mode on the system does not work since it is kept in the / in the encrypted partition).
The netinstaller will ask you the passphrase to open the encrypted partition. Open it. Start a console from the encrypted /.

    nano /etc/crypttab

Add this line
    sda5_crypt UUID=[UUID of physical device holding LUKS+LVM partition] none luks

Then regenerate initramfs
    update-initramfs -u -k all

Save and restart the computer and it's done!

I don't know if you can make it shorter than that by directly editing /etc/crypttab from the netinstaller when reinstalling...

Re: [SOLVED] Questions about Debian full disk encryption

Postby p.H » 2017-10-15 15:02

f.r3d wrote: Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs)
I said to create crypttab from the installer shell in my instructions.

f.r3d wrote: Grub will give an error to load one partition (the encrypted partition).

I do not remember this. Or at least it was not a fatal error, but only a failure to load a font or background image.
GRUB only needs to read the contents of /boot, which is not encrypted, in order to load the kernel image and the initramfs. Then the initramfs needs to unlock the encrypted volume in order to find and mount the root filesystem.

f.r3d wrote: UUID of physical device holding LUKS+LVM partition

It is not a physical device but a LUKS container.

Re: [SOLVED] Questions about Debian full disk encryption

Postby f.r3d » 2017-10-15 15:11

p.H wrote: I said to create crypttab from the installer shell in my instructions.

ok but I do not understand how you do that...

Re: [SOLVED] Questions about Debian full disk encryption

Postby p.H » 2017-10-15 15:40

It's the same procedure as you did in the installer rescue mode. Just prefix the path with /target because it is the mount point for the installed system root in the installer.

It may be difficult to copy the UUID by hand. So I usually append the output of blkid to the file and then edit the line with nano.
    blkid /dev/sda5 >> /target/etc/crypttab
    nano /target/etc/crypttab
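The crypttab step that both f.r3d's write-up and p.H's last post turn on (getting the LUKS container's UUID into /target/etc/crypttab without retyping it, and not confusing it with a logical volume's UUID) as an added example. This script is not from the thread or from the Debian installer; it assumes a hypothetical layout with the LUKS container at /dev/sda5, mapper name sda5_crypt, the installed system mounted at /target, and blkid printing one line per device in the form `DEV: UUID="..." TYPE="..."`. The sample blkid output inside it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian installer.
# Builds the /etc/crypttab entry the reinstall procedure needs from blkid
# output, checking that the UUID really belongs to the LUKS container
# (not to a logical volume inside it), and appends it only once.
# Assumed (hypothetical) layout: LUKS container /dev/sda5, mapper name
# sda5_crypt, installed system mounted at /target; blkid is assumed to
# print one line per device in the form  DEV: UUID="..." TYPE="..." .

# crypttab_line MAPPER DEVICE BLKID_OUTPUT
# Prints "MAPPER UUID=<uuid> none luks" for DEVICE. Exit 1 when DEVICE has no
# line or no UUID in BLKID_OUTPUT, exit 2 when it is not a crypto_LUKS device.
crypttab_line() {
    mapper=$1; dev=$2; blkid_out=$3
    line=$(printf '%s\n' "$blkid_out" | grep -- "^$dev: " | head -n 1)
    [ -n "$line" ] || return 1
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 2 ;;
    esac
    # " UUID=" with a leading space skips the PARTUUID field
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf '%s UUID=%s none luks\n' "$mapper" "$uuid"
}

# crypttab_has_entry FILE MAPPER UUID
# Succeeds when FILE already opens MAPPER from UUID, so a retry does not
# append the line twice.
crypttab_has_entry() {
    grep -q -- "^$2[[:space:]]\{1,\}UUID=$3[[:space:]]" "$1" 2>/dev/null
}

# record_crypttab MAPPER DEVICE [ROOT] [BLKID_OUTPUT]
# Appends the entry to ROOT/etc/crypttab. ROOT defaults to /target, the
# installer's mount point for the system being installed, so this only
# works once partman has mounted the root volume there. BLKID_OUTPUT
# defaults to a live `blkid DEVICE` call; tests pass constructed text instead.
record_crypttab() {
    mapper=$1; dev=$2; root=${3:-/target}
    blkid_out=${4:-$(blkid "$dev")}
    if [ ! -d "$root/etc" ]; then
        echo "$root/etc does not exist yet; run this after the partman stage" >&2
        return 1
    fi
    entry=$(crypttab_line "$mapper" "$dev" "$blkid_out") || return $?
    uuid=${entry#* UUID=}; uuid=${uuid%% *}
    crypttab_has_entry "$root/etc/crypttab" "$mapper" "$uuid" && return 0
    printf '%s\n' "$entry" >> "$root/etc/crypttab"
}

# unlock_for_reinstall DEVICE MAPPER
# The installer-shell steps from the thread (tty2/tty3, before partman).
# Only meaningful inside the Debian installer, where anna-install exists;
# this script never calls it on its own.
unlock_for_reinstall() {
    anna-install cryptsetup-udeb partman-crypto-dm || return 1
    depmod -a
    cryptsetup luksOpen "$1" "$2" || return 1   # asks for the passphrase
    vgscan
    vgchange -ay
}

# Constructed blkid output for the demonstration (not from a real machine).
SAMPLE_BLKID='/dev/sda1: UUID="0a1b2c3d-0000-4000-8000-000000000001" TYPE="ext2" PARTUUID="00000001-01"
/dev/sda5: UUID="12345678-abcd-4321-9999-0123456789ab" TYPE="crypto_LUKS" PARTUUID="00000001-05"
/dev/mapper/vg-root: UUID="9f9f9f9f-1111-4222-8333-444444444444" TYPE="ext4"'

# Running the file directly shows the entry for the container and the refusal
# for a logical volume, which is the mix-up p.H points out.
crypttab_line sda5_crypt /dev/sda5 "$SAMPLE_BLKID"
crypttab_line vg_root_crypt /dev/mapper/vg-root "$SAMPLE_BLKID" \
    || echo "refused: /dev/mapper/vg-root is not a LUKS container (status $?)" >&2
```

In the installer you would source this file on the shell console, run `unlock_for_reinstall /dev/sda5 sda5_crypt` before the partman stage, and `record_crypttab sda5_crypt /dev/sda5` once /target is mounted; the TYPE check refuses a logical volume's UUID, and the duplicate check makes a second run after a retry harmless.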
