grub v2.02+dfsg1-20+deb10u3 supports booting from an encrypted /boot partition. However, the debian-installer of debian 10.8.0 "Buster" does not seem to support encrypting /boot in a grub-compatible way out of the box.
The following steps show how I installed a new debian system on my laptop with all linux partitions encrypted. Feel free to send me a message with any comments :-)
This laptop is a HP EliteBook 840 G1 with two disks inside. The first disk is a rotating 2.5" HDD connected via a SATA connector, with 1TB advertised capacity. The second disk is a solid-state disk, probably with an M.2 connector, with a non-standard (small) form factor and 128GB advertised capacity.
The hostname will be borgaris (from Icelandic borgarís, meaning thicker pieces of ice broken off from a "falling" glacier into the sea, or generally a piece of ice floe; see enwiki:Hafís and enwiki:Borgarísjaki).
Partition layout already in place is as follows:
/dev/sda ... the 1TB 2.5" HDD
/dev/sda1 ... some partition for MS-Windows 10
/dev/sda2 ... some partition for MS-Windows 10
/dev/sda3 ... some partition for MS-Windows 10
/dev/sda4 ... 500+GB linux partition, intended /home
/dev/sdb ... the 128GB SSD
/dev/sdb1 ... 500MB linux partition, intended /boot
/dev/sdb2 ... 90+GB linux partition, intended root
/dev/sdb3 ... 16GB linux partition, intended swap (unused!)
/dev/sdb is the intended boot disk from the BIOS's point of view (via MBR method).
Booted from debian-live-10.8.0-amd64-kde+nonfree.iso on a usb-stick; the following commands were run in the debian-installer shell (F2 console):
# install udeb packages to get the `cryptsetup` command line tool and related
# kernel modules
anna-install cdebconf-newt-entropy
anna-install cryptsetup-udeb crypto-dm-modules crypto-modules
insmod /lib/modules/$(uname -r)/kernel/drivers/md/dm-crypt.ko
# prevent warning message from `cryptsetup`
mkdir -p /run/cryptsetup
# make /boot luks1 encrypted (grub does not support luks2)
# make / and /home luks2 encrypted:
cryptsetup luksFormat --type luks1 /dev/sdb1
cryptsetup luksFormat /dev/sdb2
cryptsetup luksFormat /dev/sda4
# open crypt devices, with descriptive naming
cryptsetup open /dev/sdb1 borgaris_boot_crypted
cryptsetup open /dev/sdb2 borgaris_root_crypted
cryptsetup open /dev/sda4 borgaris_home_crypted
# format filesystems as btrfs:
mkfs.btrfs -L borgaris_boot_crypted /dev/mapper/borgaris_boot_crypted
mkfs.btrfs -L borgaris_root_crypted /dev/mapper/borgaris_root_crypted
mkfs.btrfs -L borgaris_home_crypted /dev/mapper/borgaris_home_crypted
# mount at /target, in order for the debian-installer components to be able
# to use the created filesystem layout.
# the `noatime` mount option is chosen as a matter of personal preference.
mkdir -p /target
mount -t btrfs -o noatime /dev/mapper/borgaris_root_crypted /target
mkdir -p /target/boot /target/home
mount -t btrfs -o noatime /dev/mapper/borgaris_boot_crypted /target/boot
mount -t btrfs -o noatime /dev/mapper/borgaris_home_crypted /target/home
# in addition to the typed-in passphrases, also create random key-files for
# decrypting the partitions. The goal is to only enter the passphrase
# once during boot. umask 077 keeps the key-files readable by root only.
umask 077
mkdir /etc/luks-keys
dd if=/dev/urandom of=/etc/luks-keys/borgaris_boot_crypted.key bs=1 count=1024
dd if=/dev/urandom of=/etc/luks-keys/borgaris_root_crypted.key bs=1 count=1024
dd if=/dev/urandom of=/etc/luks-keys/borgaris_home_crypted.key bs=1 count=1024
# add the keys to the respective luks containers
cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/borgaris_boot_crypted.key
cryptsetup luksAddKey /dev/sdb2 /etc/luks-keys/borgaris_root_crypted.key
cryptsetup luksAddKey /dev/sda4 /etc/luks-keys/borgaris_home_crypted.key
# configure nice labels for the luks containers ("label" is not supported
# in luks1)
cryptsetup config /dev/sdb2 --label borgaris_root_crypted
cryptsetup config /dev/sda4 --label borgaris_home_crypted
Now continue with the debian-installer. The partman component of the debian-installer should pick up the filesystems mounted under /target, but requires you to specify which partition gets mounted at which mount point and with what mount options (borgaris_boot_crypted at /boot and so on). I selected those options such that partman did not perform any partitioning or formatting, but used the existing mounted filesystems. When the installer reached the boot-loader step, with the system installed under /target, a red warning message came up that installing the boot-loader did not work.
# enter the installed system
chroot /target /bin/bash
# fix /etc/crypttab: /boot is unlocked by grub (passphrase), root gets its
# key-file embedded in the initramfs, /home is unlocked late from the running
# system
cat >>/etc/crypttab <<EOF
borgaris_boot_crypted UUID=.... /etc/luks-keys/borgaris_boot_crypted.key luks
borgaris_root_crypted UUID=.... /etc/luks-keys/borgaris_root_crypted.key luks,initramfs
borgaris_home_crypted UUID=.... /etc/luks-keys/borgaris_home_crypted.key luks,noearly
EOF
# manually enable crypted grub
echo 'GRUB_ENABLE_CRYPTODISK="yes"' >> /etc/default/grub
# let the initramfs hook include cryptsetup and the key-files
cat >>/etc/cryptsetup-initramfs/conf-hook <<EOF
CRYPTSETUP=y
KEYFILE_PATTERN="/etc/luks-keys/*.key"
EOF
# the initramfs now contains key material, so make it root-readable only
cat >>/etc/initramfs-tools/initramfs.conf <<EOF
UMASK=0077
EOF
grub-install /dev/sdb
update-initramfs -uk all
update-grub
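As an added check that is not part of the original post: a small POSIX shell script that validates crypttab entries, key-file permissions and the initramfs UMASK for the layout above, run against constructed sample files in a temporary directory (the function names, file names and placeholder UUIDs are my own).

```shell
#!/bin/sh
# Added sanity check, not from the original post: validate a crypttab in the
# layout used above. Each key file must exist and be unreadable by group and
# other, each entry must carry the 'luks' option, and initramfs.conf must set
# UMASK=0077, since the initramfs built with KEYFILE_PATTERN embeds the keys.
# mode_of FILE: print the octal permission bits (GNU stat, else BSD stat)
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# check_keyfile FILE: 0 if FILE is a regular file with mode ?00 (e.g. 600)
check_keyfile() {
  [ -f "$1" ] || { echo "missing key file: $1" >&2; return 1; }
  case "$(mode_of "$1")" in
    *00) return 0 ;;
    *) echo "key file $1 is group/world readable" >&2; return 1 ;;
  esac
}

# check_crypttab CRYPTTAB: validate every non-comment entry; 1 on any error
check_crypttab() {
  rc=0
  while read -r name src key opts; do
    case "$name" in ''|'#'*) continue ;; esac
    case "$src" in UUID=*) ;; *) echo "$name: source is not UUID=" >&2; rc=1 ;; esac
    check_keyfile "$key" || rc=1
    case ",$opts," in *,luks,*) ;; *) echo "$name: 'luks' option missing" >&2; rc=1 ;; esac
  done < "$1"
  return $rc
}

# check_umask INITRAMFS_CONF: 0 if UMASK=0077 is set
check_umask() { grep -q '^UMASK=0077$' "$1"; }

# demo: constructed files in a temp dir (UUIDs are placeholders); returns 0 when
# a correct layout passes and a world-readable key file is rejected
demo() {
  umask 077
  d=$(mktemp -d) || return 1
  mkdir "$d/luks-keys"
  head -c 1024 /dev/urandom > "$d/luks-keys/root.key"
  head -c 1024 /dev/urandom > "$d/luks-keys/home.key"
  printf 'root_crypted UUID=0000-root %s luks,initramfs\n' "$d/luks-keys/root.key" > "$d/crypttab"
  printf 'home_crypted UUID=0000-home %s luks,noearly\n' "$d/luks-keys/home.key" >> "$d/crypttab"
  printf 'UMASK=0077\n' > "$d/initramfs.conf"
  check_crypttab "$d/crypttab" && check_umask "$d/initramfs.conf" || return 1
  chmod 644 "$d/luks-keys/home.key"      # simulate a key file with sloppy permissions
  check_crypttab "$d/crypttab" 2>/dev/null && return 1
  rm -rf "$d"
}

demo && echo "all checks behaved as expected"
```

On the installed system the same functions can be pointed at /etc/crypttab and /etc/initramfs-tools/initramfs.conf as root; the demo at the bottom only exercises the constructed files.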