Manually set up encryption [SOLVED]

Ask for help with issues regarding the Installations of the Debian O/S.
Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Manually set up encryption [SOLVED]

#1 Post by Scorpion »

I want to install debian 10 with encryption on a notebook.
I can use the "lvm with encryption" option (guided partitioning).
But I want to mount /root on a separate partition, and that option is unavailable.

Do I need lvm to use encryption?
How can I set up encryption manually?

This pc is old, so it has the legacy bios.
It needs a different boot partition; I do not remember what the difference from UEFI is.
Last edited by Scorpion on 2020-07-26 15:15, edited 1 time in total.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Manually set up encryption

#2 Post by p.H »

Scorpion wrote:But I want to mount /root on a separated partition
Why? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.
Scorpion wrote:Do I need lvm to use encryption?
No, but it is convenient: multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.
Scorpion wrote:How can I set up encryption manually?
Select manual partitioning instead of guided partitioning.
Create partitions.
Create encrypted volumes.
Scorpion wrote:This pc is old, so it has the legacy bios.
It needs a different boot partition, I do not remember what is the difference from uefi.
There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
(Actually /boot can be encrypted but the Debian installer does not support it out of the box.)

Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption

#3 Post by Scorpion »

Why ? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.
Because I log in as root, so instead of /home I mount /root on a separate partition, but now that I am using Timeshift it seems pointless.
No, but it is convenient : multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.
This pc has only 1 hard disk that I will completely use with debian 10. This requires only 1 encrypted volume, right? At this point I can mount everything in the same partition, no separate /root or /home.
Since this is a notebook it probably won't get new hard disks, but it seems better to have LVM as you said.
There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
(Actually /boot can be encrypted but the Debian installer does not support it out of the box.)
My question was about the partitions, I remember that there was something different with the legacy bios.

When manually partitioning with a uefi pc (no lvm no encryption), I create a partition to be used as uefi bootable partition, size 500 MB.
I absolutely do not require this to be encrypted.
Now I can see that the mount point is: /boot/efi. (Debian 10 pc upgraded from 9).

Maybe I have to simply select some other bootable partition option.

Then I create an ext4 partition with mount point /, another optional ext4 partition with mount point /home (or /root in my case).
And (optional but useful) swap partition.

If I have to create an LVM with encryption I suppose that won't be so easy.

I used the "lvm with encryption" option (guided partitioning). All files in the same partition.
I can see:
Image: https://ibb.co/QfBkjg5

Since I can view that after sda2 there is sda5 I suspect that there are some partitions to be set.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Manually set up encryption

#4 Post by p.H »

Scorpion wrote:Because I login as root
This is also a bad idea, and does not explain why you need a separate /root.
Scorpion wrote:This pc has only 1 hard disk
A "physical volume" (PV) is an LVM container. It has nothing to do with a hard disk. It can be a whole disk, a partition, a RAID array, an encrypted volume...
Scorpion wrote:This requires only 1 encrypted volume, right?
Only if you use LVM. If you do not use LVM, you need to create separate encrypted volumes for /, /root, swap...
Scorpion wrote:My question was about the partitions, I remember that there was something different with the legacy bios.
EFI boot requires an "EFI system partition".
BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).
Scorpion wrote:Maybe I have to simply select some other bootable partition option.
Huh?
Scorpion wrote:If I have to create a lvm with encryption I suppose that won' t be so easy.
Select manual partitioning.
Create an ext4 partition for /boot.
Create a partition configured as physical volume for encryption.
Enter encryption submenu.
Create an encrypted volume with the 2nd partition.
Exit encryption submenu.
Configure the encrypted volume as physical volume for LVM.
Enter LVM submenu.
Create a new volume group.
Add the encrypted volume as physical volume to the volume group.
Create logical volumes for /, /root, swap...
IMPORTANT: if you are unsure about volume sizes, leave free space in the volume group so that you can extend any logical volumes if needed.
Exit LVM submenu.
Configure each logical volume for what it is intended.

Without LVM :

Select manual partitioning.
Create an ext4 partition for /boot.
Create partitions configured as physical volumes for encryption for /, /root, swap...
Enter encryption submenu.
Create an encrypted volume with each encrypted partition.
Exit encryption submenu.
Configure each encrypted volume for what it is intended.

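The two step lists above are the installer's menus. As an added example (not posted in the thread and not the installer's own code), the script below is the command-line equivalent of the "with LVM" list: one unencrypted ext4 /boot, one LUKS container, one volume group inside it, and the /etc/crypttab line the installed system needs. Device names follow the screenshot's sda layout (sda1 for /boot, sda5 for the encrypted physical volume), and the logical volume sizes, the volume group size and the volume group name are assumptions. By default it only prints the commands; with DRY_RUN=0 it must run as root and destroys everything on the disk.

```shell
#!/bin/sh
# Added example; not from the thread or the Debian installer.  Command-line
# equivalent of p.H's "with LVM" step list: unencrypted /boot, one LUKS
# container, one LVM volume group inside the container.
# ASSUMPTIONS: sda1 = /boot and sda5 = encrypted PV (as in the screenshot);
# the VG name, LV sizes and the VG size used in the check are invented.
# DRY_RUN=1 (default) prints the commands instead of running them.
# With DRY_RUN=0 it must run as root and DESTROYS everything on $DISK.
set -eu

DISK=${DISK:-/dev/sda}
BOOT_PART=${BOOT_PART:-${DISK}1}
CRYPT_PART=${CRYPT_PART:-${DISK}5}
CRYPT_NAME=${CRYPT_NAME:-sda5_crypt}
VG=${VG:-debian-vg}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step "ext4 partition for /boot": GRUB reads the kernel and initramfs from
# here before any passphrase is typed, so this partition stays unencrypted.
format_boot() {
  run mkfs.ext4 -L boot "$BOOT_PART"
}

# Steps "physical volume for encryption" / "create an encrypted volume":
# a single LUKS container means a single passphrase prompt at boot.
luks_setup() {
  run cryptsetup luksFormat --type luks2 "$CRYPT_PART"
  run cryptsetup open "$CRYPT_PART" "$CRYPT_NAME"
}

# Steps "physical volume for LVM" / "new volume group": the opened mapping,
# not the raw partition, becomes the LVM physical volume.
lvm_setup() {
  run pvcreate "/dev/mapper/$CRYPT_NAME"
  run vgcreate "$VG" "/dev/mapper/$CRYPT_NAME"
}

# p.H's IMPORTANT note: refuse to allocate the whole VG so that the logical
# volumes can still be extended later.  All arguments are MiB.
lv_sizes_ok() {  # usage: lv_sizes_ok <vg_size> <lv_size>...
  vg=$1; shift; total=0
  for s in "$@"; do total=$((total + s)); done
  [ "$total" -lt "$vg" ]
}

# Step "create logical volumes": the sizes are assumptions.
create_lvs() {
  run lvcreate -L 20G -n root "$VG"
  run lvcreate -L 4G  -n swap "$VG"
  run lvcreate -L 10G -n home "$VG"   # stands in for Scorpion's separate /root
}

# /etc/crypttab entry for the installed system.  "initramfs" is the Debian
# cryptsetup-initramfs option that forces the device into the initramfs.
crypttab_line() {  # usage: crypttab_line <name> <uuid>
  printf '%s UUID=%s none luks,initramfs\n' "$1" "$2"
}

# Dry-run walk-through: 20480+4096+10240 MiB against an ASSUMED 120000 MiB VG.
format_boot
luks_setup
lvm_setup
lv_sizes_ok 120000 20480 4096 10240 && create_lvs
crypttab_line "$CRYPT_NAME" "$(blkid -s UUID -o value "$CRYPT_PART" 2>/dev/null || echo '<uuid>')"
```

After the logical volumes exist they are formatted and listed in /etc/fstab exactly as in the "configure each logical volume for what it is intended" step; the crypttab line is what lets the initramfs prompt for the one passphrase and open the container before LVM activates the volumes.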
Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption

#5 Post by Scorpion »

This is also a bad idea, and does not explain why you need a separate /root.
I love to use root. :D
Separate /root (like separate /home), is needed when you reinstall or (fresh) update the system.
You erase all the system data (/) but leave /root (or /home) so you will keep all your personal data and configurations.
But now that I am using timeshift seems pointless.
Huh ?
If I select ext4 I can use it as the mount point for /, /root, /home or /var etc.
Or I can select something like "uefi bootable partition", and it will automatically select the filesystem type and mount /boot there.
The debian installer made it ext2 in the legacy bios pc, I do not know why it did not make it ext4.
Maybe there was some other legacy bios option (an option like when selecting ext4 or swap), anyway you answered:
EFI boot requires an "EFI system partition".
BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).
So legacy BIOS uses this extra "BIOS boot" (bios_grub) partition (1 MB) in addition to the ext4 /boot partition, right?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Manually set up encryption

#6 Post by p.H »

Scorpion wrote:Separate /root (like separate /home), is needed when you reinstall or (fresh) update the system.
Did you check what happens when the init system fails to mount /root and you try to open a session as root?
Scorpion wrote:If I select ext4 I can use it as mount point for /, /root, /home or /var etc. Or I can select something like "uefi bootable partition" it will automatically select the file type system and mount the /boot there.
Do not confuse the EFI system partition (FAT) and the /boot partition (any Unix-like filesystem supported by the boot loader).
Scorpion wrote:The debian installer made it ext2 in the legacy bios pc, I do not know why it did not make it ext4.
Because the boot loader may not support ext4. GRUB 2 does. Unpatched GRUB legacy does not. Not sure about LILO.
Scorpion wrote:So legacy bios use this extra "BIOS boot" (bios_grub) partition (1 MB) in addiction to the ext4 /boot partition, right?
No, legacy BIOS uses neither the BIOS boot partition nor the /boot partition. It only uses the boot disk MBR. GRUB 2 for BIOS boot (grub-pc) uses the BIOS boot partition when installed on a disk with a GPT partition table. The boot loader uses the /boot partition.

Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption

#7 Post by Scorpion »

Did you check what happens when the init system fails to mount /root and you try to open a session as root ?
Until now that never happened.

Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption [SOLVED]

#8 Post by Scorpion »

I reinstalled the system with manual partitioning without lvm.
I have 3 encrypted partitions: /, /root and swap.

Why does it ask the password twice? Is it normal?

mm3100
Posts: 336
Joined: 2020-10-21 21:39
Has thanked: 8 times
Been thanked: 13 times

Re: Manually set up encryption [SOLVED]

#9 Post by mm3100 »

It needs a password to unlock / and /root, since they are 2 different encrypted partitions.

Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption [SOLVED]

#10 Post by Scorpion »

mm3100 wrote: 2021-08-31 14:58 It needs a password to unlock / and /root, since they are 2 different encrypted partitions.
It asks for the password for / and swap, so not for /root.

Is there a way to type the password once?
It is the same for all the 3 partitions.

cds60601
df -h | participant
Posts: 698
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 129 times
Been thanked: 59 times

Re: Manually set up encryption [SOLVED]

#11 Post by cds60601 »

Scorpion wrote: 2021-08-31 17:41
mm3100 wrote: 2021-08-31 14:58 It needs a password to unlock / and /root, since they are 2 different encrypted partitions.
It asks for the password for / and swap, so not for /root.

Is there a way to type the password once?
It is the same for all the 3 partitions.

Ideally, you would use a password when the system boots. For other partitions after the fact, you could set up key files. Still have the passwords stored in the initial slot, but add the key for something like, say, slot 1.
Then, you can direct /etc/cryptsetup to look only in a certain slot for the key, thus only prompting you for the password one time. I like using both so I have a way in no matter what. For example, if the key files are missing, I can still access via password.

I'm being vague, but this is what I do for my system.
Supercalifragilisticexpialidocious

Scorpion
Posts: 389
Joined: 2018-10-17 11:38
Has thanked: 5 times

Re: Manually set up encryption [SOLVED]

#12 Post by Scorpion »

With "a password when the system boots" do you mean grub password? It is not very safe.

I made and added a key to the swap partitions. I can see it with luksDump.
I edited /etc/crypttab to use the key file but it is not working.

cryptsetup --test-passphrase -v --key-file /root/key luksOpen /dev/sda7

This confirms that the key file is fine.

I saw here https://unix.stackexchange.com/question ... ks-at-boot that I can use the keyutils package.

I tried the password caching script decrypt_keyctl and it works.

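Posts #11 and #12 describe two ways to type the passphrase once for several separately encrypted partitions: a key file stored in an extra LUKS key slot and referenced from /etc/crypttab, or Debian's decrypt_keyctl keyscript (from the keyutils package), which caches a typed passphrase in the kernel keyring under the identifier given in the crypttab key field, so that every entry sharing that identifier is unlocked with one prompt. As an added example, not posted by anyone in the thread, the script below models how many passphrase prompts each crypttab layout produces at boot. The UUIDs, the identifier name debian_pw and the device names are constructed; /root/key is the path Scorpion used. The rules it applies are the ones documented in crypttab(5) from Debian's cryptsetup package; it does not touch any device.

```shell
#!/bin/sh
# Added example; not from the thread.  Counts the passphrase prompts a
# Debian /etc/crypttab causes at boot, so the installer default, the
# key-file approach (post #11) and decrypt_keyctl (post #12) can be compared.
# Rules modelled, per crypttab(5) in Debian's cryptsetup package:
#   key field "none", no keyscript    -> one passphrase prompt per entry
#   key field is a path, no keyscript -> key read from the file, no prompt
#   keyscript=decrypt_keyctl          -> key field is a cache identifier;
#                                        entries sharing it need one prompt
# UUIDs, device names and the identifier "debian_pw" are constructed.
set -eu

# A: what the installer wrote for Scorpion's three encrypted partitions.
CRYPTTAB_INSTALLER='
sda5_crypt UUID=1111-aaaa none luks
sda6_crypt UUID=2222-bbbb none luks
sda7_crypt UUID=3333-cccc none luks,swap
'

# B: cds60601's approach: a key file in an extra LUKS key slot.  The file
# lives on the encrypted /, so these devices can only be opened after / is
# mounted; they are not available in the initramfs (no resume from swap).
CRYPTTAB_KEYFILE='
sda5_crypt UUID=1111-aaaa none luks
sda6_crypt UUID=2222-bbbb /root/key luks
sda7_crypt UUID=3333-cccc /root/key luks,swap
'

# C: Scorpion's final setup: one identifier shared by all three entries,
# cached by decrypt_keyctl.  "initramfs" keeps them in the initramfs.
CRYPTTAB_KEYCTL='
sda5_crypt UUID=1111-aaaa debian_pw luks,initramfs,keyscript=decrypt_keyctl
sda6_crypt UUID=2222-bbbb debian_pw luks,initramfs,keyscript=decrypt_keyctl
sda7_crypt UUID=3333-cccc debian_pw luks,swap,initramfs,keyscript=decrypt_keyctl
'

# stdin: crypttab text -> stdout: number of times a passphrase is typed
count_prompts() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                     # comments, blank lines
    {
      key  = $3
      opts = (NF >= 4) ? $4 : ""
      if (opts ~ /(^|,)keyscript=decrypt_keyctl(,|$)/) {
        if (!(key in seen)) { seen[key] = 1; prompts++ }   # first use of an id
      } else if (key == "none") {
        prompts++                                     # plain cryptsetup prompt
      }
      # else: key read from a file, nothing is typed
    }
    END { print prompts + 0 }'
}

prompts_for() {  # usage: prompts_for "<crypttab text>"
  printf '%s\n' "$1" | count_prompts
}

for layout in INSTALLER KEYFILE KEYCTL; do
  eval "text=\$CRYPTTAB_$layout"
  printf '%-10s %s prompt(s)\n' "$layout" "$(prompts_for "$text")"
done
```

Two caveats a practitioner would want: keyscript entries are processed by Debian's cryptsetup-initramfs hook and cryptdisks scripts, not by systemd's own crypttab generator, so layout C relies on the Debian cryptsetup package being installed as it is on a stock system; and a shared identifier should only join devices that really have the same passphrase, since the cached value is offered to all of them. The file cds60601 refers to for directing the key lookup is /etc/crypttab, the same file Scorpion edited.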