I know how to install Debian with separate /, swap, /var, /tmp and /home logical volumes, all of which are encrypted. But I don't see how one could re-install the OS in this situation without nuking /home.
I'd settle for just encrypting /home, instead of all 5 -- this way stuff that should be preserved is on its own partition.
[SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
Indeed. A known missing feature of the Debian installer is that it cannot open and use existing LUKS encrypted devices. Maybe you could open the encrypted device by hand from an installer shell, but then you would also need to set up the new system (cryptsetup* packages, /etc/crypttab) by hand to use it.
Because of the above, you cannot mount an encrypted /home during installation and you will have to manually set up the new system to use it.
Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
Thanks for that! A critical keyword to add to search queries. Without it, my search results on this topic were much worse.
Re: If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
I found this very excellent guide, in case anyone else finds this thread looking for a solution: https://www.blakehartshorn.com/installi ... ypted-lvm/
Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
I read it. IMO it contains a huge mistake: it says to create /target/etc/crypttab just before installing GRUB.
If you do so, the generated initramfs will contain an empty crypttab and won't be able to open the encrypted volume at boot time. You may be lucky and a further installation step may trigger an initramfs update after you eventually created crypttab, but better create it before installing the base system if you want to be on the safe side.
Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
Isn't that deterministic rather than luck-dependent? He writes:
"Continue to the end of the installation. When the generating initramfs step appears, the image will be built using the crypttab file you just modified."
Anyway, I used these instructions. The only thing that I'd add is that "blkid" is ambiguous (it prints many UUIDs, and it's not clear if you are supposed to use the one that's "crypt" or the one "crypt" uses). "cryptsetup luksUUID /dev/sda5" (or whatever your partition is) is better.
Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
The initramfs step appears during the installation of the base system, just after partitioning and long before GRUB installation, so at best it is luck-dependent and at worst it deterministically fails.
The one with the LUKS type.
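Added example, not part of the thread or the linked guide: picking the right UUID out of blkid output (the entry whose TYPE is crypto_LUKS, as the reply above says) and checking that a crypttab actually references it before the initramfs is built. The blkid sample, all UUIDs, the target name sda5_crypt and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `blkid` output; every value here is made up.
sample_blkid() {
cat <<'EOF'
/dev/sda1: UUID="0f3a9c1e-1111-4a2b-9c3d-000000000001" TYPE="ext4" PARTUUID="5e1b0c2a-01"
/dev/sda5: UUID="7d2c4b6a-2222-4e8f-a1b2-000000000005" TYPE="crypto_LUKS" PARTUUID="5e1b0c2a-05"
/dev/mapper/sda5_crypt: UUID="Xk3p9Q-aaaa-bbbb-cccc-dddd-eeee-ffffff" TYPE="LVM2_member"
/dev/mapper/vg0-home: UUID="c4e8a1d2-3333-4b7a-8f6e-000000000009" TYPE="ext4"
EOF
}

# Print the UUID of device $1 only if blkid reports it as a LUKS container.
# Reads blkid output on stdin; exits non-zero when there is no such entry,
# which is what happens if you point it at the opened mapping by mistake.
luks_uuid_from_blkid() {
    awk -v dev="$1:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID="/) {
                    gsub(/^UUID="|"$/, "", $i)
                    print $i
                    found = 1
                }
        }
        END { exit !found }'
}

# Build a crypttab entry: <target name> <source device> <key file> <options>.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Succeed only if file $1 has a non-comment entry whose source is UUID=$2.
# An empty or comment-only crypttab fails this check.
crypttab_has_uuid() {
    awk -v want="UUID=$2" '
        /^[ \t]*(#|$)/ { next }
        $2 == want { ok = 1 }
        END { exit !ok }' "$1"
}

# Demo on the constructed sample: print the entry for /dev/sda5.
crypttab_line sda5_crypt "$(sample_blkid | luks_uuid_from_blkid /dev/sda5)"
```

On a real system, pipe the actual blkid output into luks_uuid_from_blkid and run crypttab_has_uuid against /target/etc/crypttab; the UUID should match what "cryptsetup luksUUID /dev/sda5" prints.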
Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
I'm no expert, but this:
"so at best it is luck-dependent and at worst it deterministically fails."
does not follow from this:
it could run twice (deterministically), couldn't it?
Anyway, it worked for me. I actually remember "initramfs" blinking briefly where it was supposed to. I also don't see why some important step would be done non-deterministically.
I thank you for using the word "existing". That helped. I wasn't being funny.
Re: [SOLVED] If you're using full-disk encryption, can you re-install the OS, while keeping /home intact?
Indeed the installer updates the initramfs during the last step "finish the installation", after installing GRUB. I did not remember that (or actually never paid attention).
Sorry for the noise.