[HowTo] [SOLVED] Install Debian bookworm Testing with LUKS and custom partitions

Ruminator
Posts: 23
Joined: 2023-03-06 04:05

[HowTo] [SOLVED] Install Debian bookworm Testing with LUKS and custom partitions

#1 Post by Ruminator »

Hi,

Looking to migrate my work machine from Ubuntu 22.04.2 Gnome to Debian Testing (bookworm), KDE. I would like to practice the install on a KVM VM. The difficulty is LUKS AND custom partitions. I used to have separate boot, root, home and swap partitions. This allows me to re-install the OS while preserving the /home partition. I hope this is still a good idea when using full disk encryption with LUKS.

Can you please give me some high level steps on how to proceed? I am reasonably OK with Linux, but this is my first time using Debian. Specs are:
  • 1TB disk, can be reformatted
  • UEFI boot mode + Secure boot enabled
  • Full disk encryption, separate partitions: boot, root, home, swap. Preferably including the /boot partition in the encrypted volume as well
  • LUKS password: is it possible to use Yubikey instead of typing password?
EDIT: answered my own question in post #8 below. However, I didn't experiment with the YubiKey part to avoid typing the LUKS passphrase. I hope I can overcome this obstacle sometime later.
Last edited by donald on 2023-04-27 21:48, edited 3 times in total.
Reason: Thread became a HowTo. :) Moved here.

megagolgoth
Posts: 11
Joined: 2019-06-11 11:20

Re: Install Debian bookworm Testing with LUKS and custom partitions

#2 Post by megagolgoth »

Hi,

If you want Full Disk Encryption (i.e. FDE) with /boot encrypted, you have to use a live image, with Calamares as the install software. I recommend the Live USB with KDE ;)

Calamares can handle an FDE install; Debian Installer (i.e. d-i) can't.

In Calamares just choose the custom partitioning method and setup your partitions (ext4, swap, etc...). For each partition, enable the encryption option, and set a password.

If you are booting in UEFI mode, you must also set up a non-encrypted partition (it is the UEFI BIOS that will read it).

d-i must have a separate non-encrypted /boot: it can do this automatically if you choose the encrypted install method, or you have to do it yourself if you choose the manual partitioning method.

I've recently spent a few days testing this. I wanted to test KDE again ;) (last time was around 2001). I'm planning to migrate from Ubuntu Mate to Debian with KDE.

=> I think it could be a good suggestion to make for d-i, to support FDE.

Ruminator
Posts: 23
Joined: 2023-03-06 04:05

Re: Install Debian bookworm Testing with LUKS and custom partitions

#3 Post by Ruminator »

Hi, thanks

Is it here that I should download the Live ISO? https://cdimage.debian.org/images/unoff ... so-hybrid/

The filename debian-live-11.6.0-amd64-kde+nonfree.iso suggests that this is the stable 11.6 version. I would like to try the Testing distro. Does it exist as a Live ISO? If so, I would appreciate it if you showed me the download page. For some reason, the Debian download page is quite confusing.

megagolgoth
Posts: 11
Joined: 2019-06-11 11:20

Re: Install Debian bookworm Testing with LUKS and custom partitions

#4 Post by megagolgoth »

As far as I remember, for testing you could install stable, change the repo in /etc/apt/sources.list and "apt-get" a full update, or is that for sid? There is a page explaining this.

For me, the stable version, maybe with the backports repo, is sufficient. I installed Debian 11.6 with KDE on a Thinkpad X13 Gen1 AMD one week ago, and it's working fine. To get the wifi working I had to activate non-free and backports to get the packages needed.

If you take the time to read carefully, you will find exactly what you want. But there is a lot to read, and it's quite an effort. Even for myself it's not easy, but everything is there, and peacefully: RTFM ;)

Ruminator
Posts: 23
Joined: 2023-03-06 04:05

Re: Install Debian bookworm Testing with LUKS and custom partitions

#5 Post by Ruminator »

It seems it is possible to setup Full Disk Encryption with Debian Installer from this StackExchange post: How to manually partition your Debian install with full disk encryption

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35

Re: Install Debian bookworm Testing with LUKS and custom partitions

#6 Post by Bulkley »

Ruminator wrote: 2023-03-06 14:13 Looking to migrate my work machine from Ubuntu 22.04.2 Gnome to Debian Testing (bookworm), . . .
Why Testing? That is a development release, not an upgrade. Those new to Debian really should start out with Stable.

Ruminator
Posts: 23
Joined: 2023-03-06 04:05

Re: Install Debian bookworm Testing with LUKS and custom partitions

#7 Post by Ruminator »

Bulkley wrote: 2023-03-12 16:28 Why Testing? That is a development release, not an upgrade. Those new to Debian really should start out with Stable.
From Chapter 3. Choosing a Debian distribution and How Debian Testing Works I feel OK with the rolling release model of Debian Testing for machines which are not critical. More specifically, I would like to use KDE Plasma v5.27.x (LTS version) which is not available in the stable Debian 11.6.

When Debian 12 is released, I will switch my dev machine from Testing to Stable.

Ruminator
Posts: 23
Joined: 2023-03-06 04:05

Re: Install Debian bookworm Testing with LUKS and custom partitions

#8 Post by Ruminator »

Hi,

Just practiced a minimal install using debian-11.6.0-amd64-netinst.iso, running in a KVM VM. Custom partitions with LUKS are possible. Here are the high-level steps:
  • Using Debian Installer (Graphical or Text mode OK)
  • Partition method: Guided - use entire disk and set up encrypted LVM
  • Partition scheme: Separate /home partition
  • Complete the installation
  • Boot a live CD and manually resize the encrypted Logical volumes
Debian Installer doesn't offer any way to customize the encrypted logical volumes. The partition sizes and logical volumes are assigned automatically. When completed, the file system looks like:

Code:

lsblk

NAME                       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                         11:0    1 1024M  0 rom
vda                        254:0    0    5G  0 disk
├─vda1                     254:1    0  512M  0 part  /boot/efi
├─vda2                     254:2    0  488M  0 part  /boot
└─vda3                     254:3    0    4G  0 part
  └─vda3_crypt             253:0    0    4G  0 crypt
    ├─LuckyLuke--vg-root   253:1    0  1.6G  0 lvm   /
    ├─LuckyLuke--vg-swap_1 253:2    0  976M  0 lvm   [SWAP]
    └─LuckyLuke--vg-home   253:3    0  1.4G  0 lvm   /home
Notice in particular that the /boot/efi and /boot partitions are UN-encrypted. The unencrypted /boot could be a potential weakness, explained here: Pwning Past Whole Disk Encryption, 2011. In my case, it's a home desktop computer that doesn't travel much, so it's OK.

The custom partitions created by Debian Installer are root, /home, swap as Logical volumes in the Volume group named LuckyLuke-vg. Fortunately, this is what I wanted (separate /home partition) so Debian installer has helped to simplify quite some manual steps. If you want a different custom partition layout, you must go full manual. There are many docs you can lookup on the Internet, one of such could be Ubuntu doc: Full_Disk_Encryption_Howto_2019

However, I still would like to change the size of the logical volumes. After completing the Debian installation, boot a live CD. I used the SystemRescue live ISO.

Code:

# list encrypted partition
blkid | grep crypto_LUKS
#--> /dev/vda3: UUID="268ea206-ef7e-4939-9d50-df8155152b86" TYPE="crypto_LUKS" PARTUUID="37e2170f-b708-48e2-b383-8fb265ab71bf"

# Open the LUKS container on /dev/vda3 and set up a device mapping <name>
cryptsetup open --type luks /dev/vda3 LuckyLuke_crypt

# confirm the "LVM on LUKS" working
# Notice the device mapping name LuckyLuke_crypt is NOT used in the Logical Volume name
lvscan
  ACTIVE            '/dev/LuckyLuke-vg/root' [<1.64 GiB] inherit
  ACTIVE            '/dev/LuckyLuke-vg/swap_1' [976.00 MiB] inherit
  ACTIVE            '/dev/LuckyLuke-vg/home' [1.41 GiB] inherit
Resize the home Logical volume to absolute size

Code:

lvresize -r -L 200M /dev/LuckyLuke-vg/home
lvresize doesn't work on the swap filesystem, so the LV used for swap must be deleted and recreated with the same LV name swap_1 (which was chosen by the Debian installer)

Code:

lvremove /dev/LuckyLuke-vg/swap_1

# create LV with the same name as before: LVname=swap_1, VolGrp=LuckyLuke-vg
lvcreate -L 500M -n swap_1 LuckyLuke-vg

# Format the new swap space
mkswap /dev/LuckyLuke-vg/swap_1
Resize the root Logical volume to absolute size

Code:

lvresize -r -L 3.2G /dev/LuckyLuke-vg/root
Review Final LV after resize

Code:

lvscan
  ACTIVE   '/dev/LuckyLuke-vg/root' [3.20 GiB] inherit
  ACTIVE   '/dev/LuckyLuke-vg/home' [200.00 MiB] inherit
  ACTIVE   '/dev/LuckyLuke-vg/swap_1' [500.00 MiB] inherit
Reboot and that's it.
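The steps in the post above as one rescue-system script, added here as an example; it is not code from the original post. It assumes the names the installer chose in this thread (volume group LuckyLuke-vg, logical volumes root, home and swap_1, mapping name LuckyLuke_crypt) and illustrative target sizes, and the blkid and lsblk samples inside it are constructed to match the layout shown above. Beyond the manual steps it checks that the requested sizes fit in the volume group before anything is changed, reuses the old swap UUID across the delete/recreate so an /etc/fstab or initramfs resume entry that refers to it keeps working, and walks lsblk's parent chain to list which mount points sit outside the LUKS container (here /boot and /boot/efi).

```shell
#!/bin/sh
# Added example, not code from the forum post: the post-install resize of the
# installer's LVM-on-LUKS layout, run from a rescue system, plus the two checks
# the post does by eye (which device is the LUKS container, which mount points
# sit outside it). Assumed from the post: VG LuckyLuke-vg, LVs root/home/swap_1,
# mapping name LuckyLuke_crypt. Target sizes are illustrative.
set -eu

VG="${VG:-LuckyLuke-vg}"
MAPNAME="${MAPNAME:-LuckyLuke_crypt}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; DRY_RUN=0 executes them

# Print (dry run) or execute a command.
run() { if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Read blkid output on stdin; print "DEVICE UUID" for each crypto_LUKS entry.
luks_devices() {
    grep 'TYPE="crypto_LUKS"' |
        sed -n 's|^\([^:]*\):.* UUID="\([^"]*\)".*|\1 \2|p'
}

# Read `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on stdin; print every mount
# point whose parent chain (PKNAME links) contains no dm-crypt device.
unencrypted_mounts() {
    awk -F'"' '
        { ptype[$2] = $4; pk[$2] = $8; if ($6 != "") mnt[$2] = $6 }
        END {
            for (n in mnt) {
                enc = 0
                for (p = n; p != ""; p = pk[p]) if (ptype[p] == "crypt") enc = 1
                if (!enc) print mnt[n]
            }
        }' | sort
}

# LVM size string (200M, 3.2G, 976.00m) to whole MiB; the suffixes are binary
# units and case-insensitive, as lvresize -L reads them.
to_mib() {
    num=${1%[MmGgTt]}
    case ${1#"$num"} in
        M|m) mult=1 ;;  G|g) mult=1024 ;;  T|t) mult=1048576 ;;
        *) echo "to_mib: unsupported size '$1'" >&2; return 1 ;;
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# Reject a plan whose LV sizes exceed the VG size (MiB) before any step runs.
plan_fits() {
    vg_mib=$1; shift
    total=0
    for s in "$@"; do total=$((total + $(to_mib "$s"))); done
    [ "$total" -le "$vg_mib" ]
}

# The post's procedure: shrink /home, recreate swap, grow / last so the freed
# extents are available when it grows.
resize_lvs() {
    luks_dev=$1; home_size=$2; swap_size=$3; root_size=$4
    run cryptsetup open --type luks "$luks_dev" "$MAPNAME"
    run vgchange -ay "$VG"
    if [ "$DRY_RUN" != "1" ]; then
        vg_mib=$(vgs --noheadings --nosuffix --units m -o vg_size "$VG" | awk '{ printf "%d", $1 }')
        plan_fits "$vg_mib" "$home_size" "$swap_size" "$root_size" ||
            { echo "requested sizes do not fit in $VG ($vg_mib MiB)" >&2; return 1; }
    fi
    run lvresize -r -L "$home_size" "/dev/$VG/home"
    # lvresize -r cannot resize swap (no filesystem), so the LV is recreated.
    # Reuse the old swap UUID: /etc/fstab or the initramfs resume setting may
    # refer to it, and a fresh random UUID would leave them dangling.
    old_uuid=$(blkid -s UUID -o value "/dev/$VG/swap_1" 2>/dev/null || true)
    run lvremove -y "/dev/$VG/swap_1"
    run lvcreate -L "$swap_size" -n swap_1 "$VG"
    if [ -n "$old_uuid" ]; then run mkswap -U "$old_uuid" "/dev/$VG/swap_1"
    else run mkswap "/dev/$VG/swap_1"; fi
    run lvresize -r -L "$root_size" "/dev/$VG/root"
    run lvs "$VG"
    run vgchange -an "$VG"
    run cryptsetup close "$MAPNAME"
}

# Constructed samples matching the layout shown in the post, so the parsers can
# be exercised without real devices.
SAMPLE_BLKID='/dev/vda1: UUID="1234-ABCD" TYPE="vfat" PARTUUID="0b1a0f1e-0000-4000-8000-000000000001"
/dev/vda3: UUID="268ea206-ef7e-4939-9d50-df8155152b86" TYPE="crypto_LUKS" PARTUUID="37e2170f-b708-48e2-b383-8fb265ab71bf"'
SAMPLE_LSBLK='NAME="vda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="vda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="vda"
NAME="vda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="vda"
NAME="vda3" TYPE="part" MOUNTPOINT="" PKNAME="vda"
NAME="vda3_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="vda3"
NAME="LuckyLuke--vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="vda3_crypt"
NAME="LuckyLuke--vg-swap_1" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="vda3_crypt"
NAME="LuckyLuke--vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="vda3_crypt"'

# Usage:  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | sh resize-lvm-on-luks.sh check
#         sh resize-lvm-on-luks.sh /dev/vda3        (dry run; DRY_RUN=0 to execute)
case ${1:-} in
    check)  unencrypted_mounts ;;
    /dev/*) resize_lvs "$1" 200M 500M 3.2G ;;
esac
```

By default the script only prints the commands it would run; set DRY_RUN=0 to execute them, from the rescue system with nothing on the volume group mounted. Take a backup first regardless: lvresize -r shrinks the filesystem together with its data, and a size typed too small is not recoverable. To check a live system instead of the sample, pipe real lsblk output into the check mode as shown in the usage comment.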
