Manually set up encryption


Postby Scorpion » 2020-02-09 19:47

I want to install debian 10 with encryption on a notebook.
I can use the "lvm with encryption" option (guided partitioning).
But I want to mount /root on a separate partition, which is not an available option.

Do I need lvm to use encryption?
How can I set up encryption manually?

This pc is old, so it has the legacy bios.
It needs a different boot partition; I do not remember what the difference from UEFI is.

Re: Manually set up encryption

Postby p.H » 2020-02-10 07:16

Scorpion wrote: But I want to mount /root on a separate partition

Why? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.

Scorpion wrote: Do I need lvm to use encryption?

No, but it is convenient: multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.

Scorpion wrote: How can I set up encryption manually?

Select manual partitioning instead of guided partitioning.
Create partitions.
Create encrypted volumes.

Scorpion wrote: This pc is old, so it has the legacy bios.
It needs a different boot partition; I do not remember what the difference from UEFI is.

There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
(Actually /boot can be encrypted but the Debian installer does not support it out of the box.)

Re: Manually set up encryption

Postby Scorpion » 2020-02-10 18:14

p.H wrote: Why? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.

Because I log in as root, so instead of /home I mount /root on a separate partition, but now that I am using timeshift it seems pointless.

p.H wrote: No, but it is convenient: multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.

This pc has only 1 hard disk that I will completely use with debian 10. This requires only 1 encrypted volume, right? At this point I can mount everything in the same partition, no separate /root or /home.
Since this is a notebook it probably won't get new hard disks, but it seems better to have LVM as you said.

p.H wrote: There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
(Actually /boot can be encrypted but the Debian installer does not support it out of the box.)

My question was about the partitions; I remember that there was something different with the legacy BIOS.

When manually partitioning a UEFI pc (no LVM, no encryption), I create a partition to be used as the UEFI bootable partition, size 500 MB.
Absolutely I do not require this to be encrypted.
Now I can see that the mount point is: /boot/efi. (Debian 10 pc upgraded from 9).

Maybe I have to simply select some other bootable partition option.

Then I create an ext4 partition with mount point /, and another optional ext4 partition with mount point /home (or /root in my case).
And (optional but useful) swap partition.

If I have to create an LVM with encryption I suppose that won't be so easy.

I used the "lvm with encryption" option (guided partitioning). All files in the same partition.
I can see:
Image: https://ibb.co/QfBkjg5

Since I can view that after sda2 there is sda5 I suspect that there are some partitions to be set.

Re: Manually set up encryption

Postby p.H » 2020-02-10 19:01

Scorpion wrote: Because I login as root

This is also a bad idea, and does not explain why you need a separate /root.

Scorpion wrote: This pc has only 1 hard disk

A "physical volume" (PV) is an LVM container. It has nothing to do with a hard disk. It can be a whole disk, a partition, a RAID array, an encrypted volume...

Scorpion wrote: This requires only 1 encrypted volume, right?

Only if you use LVM. If you do not use LVM, you need to create separate encrypted volumes for /, /root, swap...

Scorpion wrote: My question was about the partitions; I remember that there was something different with the legacy BIOS.

EFI boot requires an "EFI system partition".
BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).

Scorpion wrote: Maybe I have to simply select some other bootable partition option.

Huh?

Scorpion wrote: If I have to create an LVM with encryption I suppose that won't be so easy.

Select manual partitioning.
Create an ext4 partition for /boot.
Create a partition configured as physical volume for encryption.
Enter encryption submenu.
Create an encrypted volume with the 2nd partition.
Exit encryption submenu.
Configure the encrypted volume as physical volume for LVM.
Enter LVM submenu.
Create a new volume group.
Add the encrypted volume as physical volume to the volume group.
Create logical volumes for /, /root, swap...
IMPORTANT: if you are unsure about volume sizes, leave free space in the volume group so that you can extend any logical volumes if needed.
Exit LVM submenu.
Configure each logical volume for what it is intended.

Without LVM:

Select manual partitioning.
Create an ext4 partition for /boot.
Create partitions configured as physical volumes for encryption for /, /root, swap...
Enter encryption submenu.
Create an encrypted volume with each encrypted partition.
Exit encryption submenu.
Configure each encrypted volume for what it is intended.
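The "LVM with encryption" steps above, as a command-line script added here for illustration (it is not from the thread, the Debian installer or any project). It assumes a BIOS/GPT disk named /dev/sdX with sdX1..sdX3 partition naming, the sgdisk, cryptsetup and LVM tools, and placeholder sizes; DRY_RUN=1 (the default) only prints the plan instead of touching the disk.

```shell
#!/bin/sh
# Added example: command-line equivalent of the installer steps in the post.
# Assumptions: BIOS + GPT disk /dev/sdX (partitions sdX1..3), sgdisk,
# cryptsetup and lvm2 installed. DRY_RUN=1 (default) only prints the plan.
set -eu

DISK="${DISK:-/dev/sdX}"     # placeholder; set to the real device
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Partitions: 1 MiB bios_grub so GRUB 2 can embed its core image on GPT,
# an unencrypted ext4 /boot (the boot loader cannot read inside LUKS),
# and one partition that becomes the single encrypted container.
layout() {
    run sgdisk --zap-all "$DISK"
    run sgdisk -n 1:0:+1M   -t 1:ef02 -c 1:bios_grub "$DISK"
    run sgdisk -n 2:0:+512M -t 2:8300 -c 2:boot      "$DISK"
    run sgdisk -n 3:0:0     -t 3:8300 -c 3:crypt     "$DISK"
    run mkfs.ext4 -L boot "${DISK}2"
}

# One LUKS container is the only PV of the volume group, so a single
# passphrase unlocks every logical volume (/, swap, ...) inside it.
encrypt_and_lvm() {
    run cryptsetup luksFormat --type luks2 "${DISK}3"
    run cryptsetup open "${DISK}3" crypt0
    run pvcreate /dev/mapper/crypt0
    run vgcreate vg0 /dev/mapper/crypt0
    run lvcreate -L 2G  -n swap vg0
    run lvcreate -L 20G -n root vg0
    # Free space is deliberately left in vg0 so LVs can be grown later.
    run mkswap /dev/vg0/swap
    run mkfs.ext4 -L root /dev/vg0/root
}

plan() { layout; encrypt_and_lvm; }

plan
```

The no-LVM variant in the same post is the same script with one luksFormat/open pair per partition and the filesystems created directly on the opened mappings.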

Re: Manually set up encryption

Postby Scorpion » 2020-02-11 07:51

p.H wrote: This is also a bad idea, and does not explain why you need a separate /root.

I love to use root. :D
A separate /root (like a separate /home) is needed when you reinstall or (fresh) update the system.
You erase all the system data (/) but leave /root (or /home), so you keep all your personal data and configurations.
But now that I am using timeshift it seems pointless.

p.H wrote: Huh?

If I select ext4 I can use it as the mount point for /, /root, /home or /var etc.
Or I can select something like "UEFI bootable partition"; it will automatically select the file system type and mount /boot there.
The Debian installer made it ext2 on the legacy BIOS pc; I do not know why it did not make it ext4.
Maybe there was some other legacy BIOS option (an option like when selecting ext4 or swap). Anyway you answered:

p.H wrote: EFI boot requires an "EFI system partition".
BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).

So legacy BIOS uses this extra "BIOS boot" (bios_grub) partition (1 MB) in addition to the ext4 /boot partition, right?

Re: Manually set up encryption

Postby p.H » 2020-02-11 08:29

Scorpion wrote: A separate /root (like a separate /home) is needed when you reinstall or (fresh) update the system.

Did you check what happens when the init system fails to mount /root and you try to open a session as root?

Scorpion wrote: If I select ext4 I can use it as the mount point for /, /root, /home or /var etc. Or I can select something like "UEFI bootable partition"; it will automatically select the file system type and mount /boot there.

Do not confuse the EFI system partition (FAT) and the /boot partition (any Unix-like filesystem supported by the boot loader).

Scorpion wrote: The Debian installer made it ext2 on the legacy BIOS pc; I do not know why it did not make it ext4.

Because the boot loader may not support ext4. GRUB 2 does. Unpatched GRUB legacy does not. Not sure about LILO.

Scorpion wrote: So legacy BIOS uses this extra "BIOS boot" (bios_grub) partition (1 MB) in addition to the ext4 /boot partition, right?

No, legacy BIOS uses neither the BIOS boot partition nor the /boot partition. It only uses the boot disk MBR. GRUB 2 for BIOS boot (grub-pc) uses the BIOS boot partition when installed on a disk with a GPT partition table. The boot loader uses the /boot partition.

Re: Manually set up encryption

Postby Scorpion » 2020-02-12 07:51

p.H wrote: Did you check what happens when the init system fails to mount /root and you try to open a session as root?

Until now that never happened.