Hi,
Just practiced a minimal install using debian-11.6.0-amd64-netinst.iso, running as a KVM. Custom partitions with LUKS are possible. Here are the high-level steps:
- Using Debian Installer (Graphical or Text mode OK)
- Partition method: Guided - use entire disk and set up encrypted LVM
- Partition scheme: Separate /home partition
- Complete the installation
- Boot a live CD and manually resize the encrypted Logical volumes
Debian Installer doesn't have any ability to customize the encrypted logical volumes. The partition sizes and logical volumes are assigned automatically. When completed, the file system looks like:
```
lsblk
NAME                       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                         11:0    1 1024M  0 rom
vda                        254:0    0    5G  0 disk
├─vda1                     254:1    0  512M  0 part  /boot/efi
├─vda2                     254:2    0  488M  0 part  /boot
└─vda3                     254:3    0    4G  0 part
  └─vda3_crypt             253:0    0    4G  0 crypt
    ├─LuckyLuke--vg-root   253:1    0  1.6G  0 lvm   /
    ├─LuckyLuke--vg-swap_1 253:2    0  976M  0 lvm   [SWAP]
    └─LuckyLuke--vg-home   253:3    0  1.4G  0 lvm   /home
```
Notice in particular that the /boot/efi and /boot partitions are UN-encrypted. The unencrypted /boot could be a potential weakness, explained here: Pwning Past Whole Disk Encryption, 2011. In my case, it's a home desktop computer that doesn't travel much so it's OK.
The custom partitions created by Debian Installer are root, /home, swap as Logical volumes in the Volume group named LuckyLuke-vg. Fortunately, this is what I wanted (separate /home partition) so Debian installer has helped to simplify quite some manual steps. If you want a different custom partition layout, you must go full manual. There are many docs you can look up on the Internet; one such could be the Ubuntu doc: Full_Disk_Encryption_Howto_2019
However, I still would like to change the size of the Logical volumes. After completing Debian installation, boot a live CD. I used SystemRescue Live ISO.
```
# list encrypted partition
blkid | grep crypto_LUKS
#--> /dev/vda3: UUID="268ea206-ef7e-4939-9d50-df8155152b86" TYPE="crypto_LUKS" PARTUUID="37e2170f-b708-48e2-b383-8fb265ab71bf"
# Open LUKS container on /dev/vda3 and set up a device mapping <name>
cryptsetup open --type luks /dev/vda3 LuckyLuke_crypt
# confirm the "LVM on LUKS" working
# Notice the device mapping name LuckyLuke_crypt is NOT used in the Logical Volume names
lvscan
ACTIVE '/dev/LuckyLuke-vg/root' [<1.64 GiB] inherit
ACTIVE '/dev/LuckyLuke-vg/swap_1' [976.00 MiB] inherit
ACTIVE '/dev/LuckyLuke-vg/home' [1.41 GiB] inherit
```
Resize the home Logical volume to absolute size
```
lvresize -r -L 200M /dev/LuckyLuke-vg/home
```
lvresize doesn't work on swap filesystem so the LV used for swap must be deleted + recreated with the same LV name swap_1 (which was chosen by Debian installer)
```
lvremove /dev/LuckyLuke-vg/swap_1
# create LV with the same name as before: LVname=swap_1, VolGrp=LuckyLuke-vg
lvcreate -L 500M -n swap_1 LuckyLuke-vg
# Format the new swap space
mkswap /dev/LuckyLuke-vg/swap_1
```
Resize the root Logical volume to absolute size
```
lvresize -r -L 3.2G /dev/LuckyLuke-vg/root
```
Review Final LV after resize
```
lvscan
ACTIVE '/dev/LuckyLuke-vg/root' [3.20 GiB] inherit
ACTIVE '/dev/LuckyLuke-vg/home' [200.00 MiB] inherit
ACTIVE '/dev/LuckyLuke-vg/swap_1' [500.00 MiB] inherit
```
Reboot and that's it.
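
Added example, not part of the original post: a shell check for the observation above that /boot and /boot/efi sit outside LUKS. It lists every mountpoint with no `crypt` ancestor; the sample input is constructed to mirror the post's layout, and the `dm-N` kernel names and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: what `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` would
# print for the layout in the post (the dm-N kernel names are assumed).
sample_lsblk() {
cat <<'EOF'
KNAME="sr0" PKNAME="" TYPE="rom" MOUNTPOINT=""
KNAME="vda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="vda1" PKNAME="vda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="vda2" PKNAME="vda" TYPE="part" MOUNTPOINT="/boot"
KNAME="vda3" PKNAME="vda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="vda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}

# Print every mountpoint whose device has no "crypt" ancestor, one per line.
unencrypted_mounts() {
  awk '
    function val(s, key) {
      if (!match(s, " " key "=\"[^\"]*\"")) return ""
      return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      line = " " $0                 # leading space keeps KNAME from matching inside PKNAME
      k = val(line, "KNAME")
      if (k == "") next
      parent[k] = val(line, "PKNAME")
      dtype[k] = val(line, "TYPE")
      mnt[k] = val(line, "MOUNTPOINT")
      order[++n] = k
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "") continue
        enc = 0; h = 0
        # Walk up the parent chain; the hop limit guards against malformed input.
        for (d = k; d != "" && h++ < 32; d = parent[d])
          if (dtype[d] == "crypt") { enc = 1; break }
        if (!enc) print mnt[k]
      }
    }'
}

# On a live system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts
sample_lsblk | unencrypted_mounts
```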