[SOLVED] Questions about Debian full disk encryption

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

[SOLVED] Questions about Debian full disk encryption

#1 Post by f.r3d »

Hi everyone!
Pretty soon I am going to format my laptop (Debian 8 Gnome) and install Debian 9 Gnome with full disk encryption thanks to the netinstaller. I would like to create a separate partition for home, in case I need to reinstall Debian (as if Debian ever needed to be reinstalled) but is it (easily) possible with full disk encryption and using Debian netinstaller? Also, is it possible to resize those partitions? I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines. Is it possible to use system-config-lvm for that purpose? I have never used logical volumes before. If all of this is impossible, I will simply use a single partition. Thank you for your help!
Last edited by f.r3d on 2017-10-16 19:39, edited 6 times in total.
Debian 11 Gnome 64bit
Thinkpad T460
4X Intel Core i7-6600U / 8GB Ram / Intel HD Graphics 520 / 256GB SSD /

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: Questions about Debian full disk encryption

#2 Post by alan stone »

f.r3d wrote:I have never used...
How about using a web search engine? And search for example this, this and this. It won't hurt stretching search terms with "debian 9..." or "debian stretch..." either. :wink:

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Questions about Debian full disk encryption

#3 Post by debiman »

if you admittedly have a hard time doing your own research, i really do not recommend full disk encryption!

imho, the benefits of it, compared to home encryption, have no relation to the additional effort.
in other words, full disk encryption is much harder than encrypting a non-boot partition.

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: Questions about Debian full disk encryption

#4 Post by f.r3d »

I don't mean FULL encryption, I mean all partitions except /boot. I did a bit of research here, here and here. I tried and retried in VirtualBox to manually create a system with an unencrypted /boot and an encrypted logical volume manager within which are /, /home and swap. Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source). Now I know how to manually create an encrypted system, I just need to learn how to properly resize the logical volumes and try to reinstall the system by only formatting the / logical volume.
Last edited by f.r3d on 2017-10-08 08:56, edited 1 time in total.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Questions about Debian full disk encryption

#5 Post by GarryRicketson »

by f.r3d » I just need to learn how to properly resize the logical volumes
how to properly resize the logical volumes on Debian
You should be able to use 'fdisk', there is very detailed information here:
https://www.tecmint.com/extend-and-redu ... -in-linux/
and more:
https://wiki.debian.org/LVM
and even more in some of the other results.
also very useful:

Code:

man fdisk

and

Code:

man resize2fs

============ edited ====
I know that gparted does not work with LUKS and gnome-disks utility cannot resize partitions. I know almost nothing about manipulating partitions with command lines.
I don't know of any GUI partition manager that is very versatile, you are going
to just need to learn about using the CLI, it would be wise to get a usb stick,
one that has no data, and practice a little, try some basic partitions at first,
after you are comfortable with fdisk, and some of the other commands, you will be ready to try it on the real hd.
Last edited by GarryRicketson on 2017-10-08 13:18, edited 1 time in total.

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: Questions about Debian full disk encryption

#6 Post by f.r3d »

So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system (source). In that case I will simply create a unique / logical volume ( / + /home) and a swap.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Questions about Debian full disk encryption

#7 Post by debiman »

f.r3d wrote:Apparently encrypting the whole disk and using LVM is faster than only encrypting /home (source).
thanks for sharing this!

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Questions about Debian full disk encryption

#8 Post by p.H »

f.r3d wrote:So apparently it is still impossible for the Debian netinstaller (and any other I guess) to reuse an encrypted logical volume to reinstall the system.
Yes, it is a flaw of the Debian installer. But it is not totally impossible. There are workarounds using the installer embedded shell.
Open the encrypted device with cryptsetup luksOpen.
Activate logical volumes with vgchange -ay.
Create /target/etc/crypttab.
Go back to the installer interface to assign mountpoints to the volumes, proceed with the installation
Before rebooting, install cryptsetup with apt-install.

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: [SOLVED] Questions about Debian full disk encryption

#9 Post by f.r3d »

Thank you very much for this tip!

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: [SOLVED] Questions about Debian full disk encryption

#10 Post by f.r3d »

@p.H could you be a bit more specific in your explanation please? I'm having a hard time finding the (correct) console in the netinstaller and using the commands...

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: [SOLVED] Questions about Debian full disk encryption

#11 Post by p.H »

I have only done this once on a test installation and did not write down all the steps, so I may have forgotten some of them or the right order.

Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Open the encrypted device with a command such as

Code:

cryptsetup luksOpen /dev/sda3 sda3_crypt

Type the passphrase as required.
Enable all logical volumes.

Code:

vgscan
vgchange -ay

Create /target/etc/crypttab with nano or whatever you like and fill it with the line to open the encrypted device. See the crypttab man page (not available in the installer) for details. Use the UUID displayed by blkid instead of the device name, because the device name might change across reboots.
Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with

Code:

apt-install cryptsetup

Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Proceed as usual.

If something goes wrong when booting the installed system, you can start the installer again in rescue mode to fix things.

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: Questions about Debian full disk encryption

#12 Post by f.r3d »

OK, so I read your instructions and I completed them with what I found here, here, here and here.

Proceed in the installer until you reach the disk tool (partman) stage.
Switch to one of the shell consoles with Ctrl+Alt+F2 or Ctrl+Alt+F3 (Ctrl needed only from the GUI installer).
You can use commands such as fdisk -l or blkid to find where the encrypted partition is.
Now you need to install/load the tools to open the encrypted partition.

Code:

anna-install cryptsetup-udeb partman-crypto-dm
depmod -a
cryptsetup luksOpen /dev/sda5 sda5_crypt

Type the passphrase as required.
Enable all logical volumes.

Code:

vgscan
vgchange -ay

Switch back to the installer console with Alt+F1 (if text installer) or Alt+F5 (if GUI installer).
Program the installation of cryptsetup in the installed system with

Code:

apt-install cryptsetup

Go back to the general menu with "Previous" and enter the disk tool again. The logical volumes should be visible.
Finish the installation as usual.

Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs) as opposed to when you create and install a new LUKS+LVM during a typical installation.
Grub will give an error to load one partition (the encrypted partition).
To fix this, use the recovery mode from the netinstaller (the recovery mode on the system does not work since it is kept in the / in the encrypted partition).
The netinstaller will ask you for the passphrase to open the encrypted partition. Open it. Start a console from the encrypted /.

Code:

nano /etc/crypttab

Add this line

Code:

sda5_crypt UUID=[UUID of physical device holding LUKS+LVM partition] none luks

Then regenerate initramfs

Code:

update-initramfs -u -k all

Save and restart the computer and it's done!

I don't know if you can make it shorter than that by directly editing /etc/crypttab from the netinstaller when reinstalling...

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: [SOLVED] Questions about Debian full disk encryption

#13 Post by p.H »

f.r3d wrote:Now, the system will not be able to reboot correctly because the installation does not write /etc/crypttab (and then generate initramfs)
I said to create crypttab from the installer shell in my instructions.
f.r3d wrote:Grub will give an error to load one partition (the encrypted partition).
I do not remember this. Or at least it was not a fatal error, but only a failure to load a font or background image.
GRUB only needs to read the contents of /boot, which is not encrypted, in order to load the kernel image and the initramfs. Then the initramfs needs to unlock the encrypted volume in order to find and mount the root filesystem.
f.r3d wrote:UUID of physical device holding LUKS+LVM partition
It is not a physical device but a LUKS container.

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: [SOLVED] Questions about Debian full disk encryption

#14 Post by f.r3d »

I said to create crypttab from the installer shell in my instructions.
ok but I do not understand how you do that...

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: [SOLVED] Questions about Debian full disk encryption

#15 Post by p.H »

It's the same procedure as you did in the installer rescue mode. Just prefix the path with /target because it is the mount point for the installed system root in the installer.

It may be difficult to copy the UUID by hand. So I usually append the output of blkid to the file and then edit the line with nano.

Code:

blkid /dev/sda5 >> /target/etc/crypttab
nano /target/etc/crypttab
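
The crypttab step from posts #11, #12 and #15, written out as an added example that is not part of any post in this thread: it turns the output of blkid for the LUKS container into the crypttab line, refuses devices that are not LUKS, and does not add the same mapping twice. The function names, the sample blkid line and its UUID are constructed for illustration; it assumes a plain POSIX shell with sed and grep available.

```shell
#!/bin/sh
# Added example (not from the thread): build a crypttab entry from blkid output.

# Constructed sample of what `blkid /dev/sda5` prints for a LUKS container.
SAMPLE_BLKID='/dev/sda5: UUID="0f3a9c1e-5b7d-4e2a-9c44-1a2b3c4d5e6f" TYPE="crypto_LUKS" PARTUUID="9d2c4f1a-05"'

# crypttab_line NAME BLKID_OUTPUT  (hypothetical helper)
# Prints "<NAME> UUID=<uuid> none luks"; fails if the device is not LUKS.
crypttab_line() {
    name=$1
    info=$2
    case $info in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "not a LUKS container: $info" >&2; return 1 ;;
    esac
    # The leading space keeps PARTUUID="..." from being matched.
    uuid=$(printf '%s\n' "$info" | sed -n 's/.* UUID="\([0-9a-fA-F-]*\)".*/\1/p')
    [ -n "$uuid" ] || { echo "no UUID in: $info" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# add_crypttab_entry FILE NAME BLKID_OUTPUT  (hypothetical helper)
# Appends the entry unless FILE already has a line for NAME, so it is
# safe to run more than once.
add_crypttab_entry() {
    file=$1
    entry=$(crypttab_line "$2" "$3") || return 1
    if [ -f "$file" ] && grep -q "^$2[[:space:]]" "$file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Installer shell:  add_crypttab_entry /target/etc/crypttab sda5_crypt "$(blkid /dev/sda5)"
# Rescue shell:     add_crypttab_entry /etc/crypttab sda5_crypt "$(blkid /dev/sda5)"
#                   update-initramfs -u -k all
crypttab_line sda5_crypt "$SAMPLE_BLKID"
```

The mapping name in the first field has to match the name used with cryptsetup luksOpen (sda5_crypt in the posts above), and the UUID is the one blkid reports for the LUKS container itself.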

f.r3d
Posts: 75
Joined: 2016-07-28 16:39
Location: France
Has thanked: 4 times

Re: [SOLVED] Questions about Debian full disk encryption

#16 Post by f.r3d »

So, as I suspected, it is pointless to configure /target/etc/crypttab before installing the system because the file is going to be erased...