Encrypted partitions with Debian installer


Postby fsmithred » March 14th, 2011, 10:52 pm

Here's the discussion:

This guide describes and mostly shows with pictures the steps involved in creating encrypted partitions with the Debian installer. The partitioning scheme is to have a small /boot partition, which is not encrypted, and separate / and /home partitions which are encrypted.

Under Partitioning method, choose Manual.
Select the disk you want to partition.
If it's a new disk, you'll be asked to create a new empty partition table. Yes.

You'll be shown a partition table. If it's a new disk, the free space will account for the entire drive. If it's a previously partitioned disk, you can delete the partitions on it and make new ones. (You could use existing partitions, and some of the next steps will be slightly different. You'll figure it out.)
Select free space.
http://www.picvalley.net/v.php?p=u/1799 ... T87g5P.PNG

Select "Create a new partition"
Enter the size you want for the new partition. If you want the /boot partition first, pick a small size (50 - 150 MB should be enough, unless you plan to have a truckload of kernels, or if you want to put a rescue system like grml in your /boot partition.)
Type for the new partition: Primary, put it at the beginning

Then you get a window with a list of choices for the partition. Select the filesystem and the mount point:
Use as: ext2 (probably)
Mount point: /boot
Then select "Done setting up the partition"
http://www.picvalley.net/v.php?p=u/2928 ... h0f16d.PNG

You get dropped back to the partition table. Choose free space and create a new partition for "/" (the root filesystem). Size: 8-10GB is usually enough, as little as 4 or more than 10 if you want, or all the remaining space if you don't want a separate /home.
Use as: physical volume for encryption
http://www.picvalley.net/v.php?p=u/1892 ... IA46Nb.PNG

Then select "Done setting up the partition"
http://www.picvalley.net/v.php?p=u/2466 ... plXJV6.PNG

You get dropped back to the partition table. Choose free space again and make another partition, for /home. Use the remaining space.
Use as: physical volume for encryption.
Then select "Done setting up the partition"

You get dropped back to the partition table again; now there's no free space.
http://www.picvalley.net/v.php?p=u/2413 ... wPAp5X.PNG

Configure encrypted volumes.
You'll have to agree to make changes to the disk
Create encrypted volumes
Select (use the space bar to check the box) the devices to be encrypted. In this case, /dev/sda2 and /dev/sda3
http://www.picvalley.net/v.php?p=u/2527 ... 46sHQQ.PNG

Select Finish, then confirm that you really want to erase data on each partition.
At some point in here, you get asked to create a passphrase for each encrypted partition. I don't remember if it's at the beginning or end of this step.
(Note: This step writes random data to the disk, which can take a long time. You might want to go to bed at this point, then get up and go to work. It should be finished by the time you get back, depending on the size of the disk. I believe this step can be skipped after you've done it once.)

When you get back to the partition table, select the first encrypted volume
http://www.picvalley.net/v.php?p=u/1625 ... m0Zfdj.PNG

Select the filesystem and the mount point:
Use as: ext3 or ext4
Mount point: /
Then select "Done setting up the partition"
http://www.picvalley.net/v.php?p=u/2926 ... LeW27k.PNG

Do the same for the second encrypted volume, and choose /home as the mount point.
Finish partitioning and write changes to the disk.
Finish the installation (run through the rest of the debian installer.)
When you reboot, you'll be asked for the passphrase for each encrypted partition. If you want to set it up so you only have to give one passphrase, you'll need to create keyfiles for any encrypted partitions beyond the root filesystem.

Adding a keyfile (optional)

Creating a keyfile will give you a way to open an encrypted partition without typing in the passphrase. This can be helpful if you have several encrypted partitions that need to be mounted at boot time, and you don't want to sit there waiting for passphrase prompts.

Check the size of the encryption key. The part we're interested in is labeled "MK bits:" In this case, I have only two encrypted partitions (/ and /home) and I'm checking the partition that holds my /home. To see all the keys for a particular encrypted volume, give the following command. You'll see that only Key Slot 0 is enabled at this point, because there's only one key (the passphrase you gave the volume during the install.)
Code:
cryptsetup luksDump /dev/sda3

Here's the abbreviated output:
Code:
LUKS header information for /dev/sda3

Version:          1
Cipher name:      aes
Cipher mode:      cbc-essiv:sha256
Hash spec:        sha1
Payload offset:   2056
MK bits:          256

It's a 256-bit key, which is 32 bytes. That's the number to use. With the following commands, make a directory to hold the keyfile, then create the key. You can give any name you want to the keyfile. The name in this example matches the name that the debian installer gives to the encrypted volume.
Code:
mkdir /etc/keys
# iflag=fullblock makes dd keep reading until it has all 32 bytes; a single
# read from /dev/random can return fewer, which would silently leave a short key.
dd if=/dev/random of=/etc/keys/sda3_crypt bs=32 count=1 iflag=fullblock

Set permissions on the key so that only root can read it:
Code:
chmod 400 /etc/keys/sda3_crypt

Add the keyfile to a Key Slot. You'll be asked to "give any passphrase" which means you should give a valid passphrase for that volume. If you haven't previously added any passphrases, then there's only the one you gave it during the install.
Code:
cryptsetup luksAddKey /dev/sda3 /etc/keys/sda3_crypt
If you do another 'luksDump' you'll see that Key Slot 1 is now enabled.

Next, edit /etc/crypttab to use the keyfile (replace "none" with the path to the keyfile for /dev/sda3.)
Code:
# <target name>  <source device>  <key file>            <options>
sda2_crypt      /dev/sda2        none                  luks
sda3_crypt      /dev/sda3        /etc/keys/sda3_crypt  luks

You're done. When you reboot, you won't be asked to enter a passphrase when the system wants to mount /home. It'll use the keyfile instead.

1. The keyfile does not have to be on the system. You could put it on some external media (floppy, usb, cd) and edit /etc/crypttab to point to the file. You could do this with a keyfile for "/" and not have to type any passphrases to open partitions.
2. DO NOT put the keyfile in the /boot partition! That would be like leaving the car keys in the ignition with the windows rolled down.
3. Don't put the keyfile in the partition that it's supposed to open. That's like locking your keys in the trunk/boot of your car.
4. I think it's possible to delete the passphrase and only use the keyfile, but that might be a bad idea. You need to have at least one valid key at all times, and if your keyfile becomes corrupted, you won't be able to add another keyfile or passphrase.

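The keyfile steps in the post (create the key with root-only permissions, point /etc/crypttab at it, keep it out of /boot and out of the volume it opens, keep a working key at all times) gathered into a preflight script. This is an added example, not code from fsmithred's post or from cryptsetup. Device names, paths and the sample luksDump text used in the usage are constructed; the --test-passphrase check assumes cryptsetup 1.5 or newer and must run as root, everything else runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the original post or from cryptsetup itself:
# preflight checks for a LUKS keyfile, so a bad key is caught before the
# reboot that would otherwise stop at a passphrase prompt (or worse).
# POSIX sh; only luks_keyfile_opens needs cryptsetup and root. All device
# names, paths and the sample luksDump text are constructed for illustration.

# Master-key size in bytes, parsed from "cryptsetup luksDump" output on stdin.
luks_mk_bytes() {
    bits=$(sed -n 's/^MK bits:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$bits" ] || return 1
    echo $((bits / 8))
}

# Number of ENABLED key slots in luksDump output on stdin (LUKS1 format).
luks_enabled_slots() {
    grep -c '^Key Slot [0-9]*: ENABLED' || true
}

# Create a keyfile of $2 random bytes at $1 with the permissions the post
# describes: directory 0700, file 0400. Never overwrites an existing key,
# and verifies the size so a short read cannot leave a weaker key behind.
make_keyfile() {
    file=$1; bytes=$2
    [ -e "$file" ] && { echo "refusing to overwrite $file" >&2; return 1; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (umask 077 && head -c "$bytes" /dev/urandom > "$file") || return 1
    chmod 400 "$file" || return 1
    [ "$(($(wc -c < "$file")))" -eq "$bytes" ]
}

# Mode must be exactly 0400 ("-r--------" in ls output).
keyfile_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Rules 2 and 3 of the post: not under /boot, not inside the filesystem the
# key unlocks ($2 is that filesystem's mount point). A path-prefix test only:
# it cannot see through symlinks or bind mounts, and for "/" every local path
# fails, because a key for the root filesystem belongs on external media
# whose mount point you check by hand.
keyfile_placement_ok() {
    key=$1; mnt=$2
    case "$key" in
        /boot/*) return 1 ;;
    esac
    case "$mnt" in
        /) return 1 ;;
    esac
    case "$key" in
        "$mnt"/*) return 1 ;;
    esac
    return 0
}

# The <key file> column of a crypttab entry ("none" when no keyfile is set).
crypttab_keyfile() {
    target=$1; tab=${2:-/etc/crypttab}
    awk -v t="$target" '!/^[[:space:]]*#/ && $1 == t { print $3; exit }' "$tab"
}

# Prove the keyfile actually unlocks the volume without mapping it.
# Requires root and cryptsetup 1.5 or newer for --test-passphrase
# (assumption about the version; older releases lack the option).
luks_keyfile_opens() {
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1"
}

# Full preflight for one crypttab target, e.g.: preflight sda3_crypt /dev/sda3 /home
preflight() {
    target=$1; dev=$2; mnt=$3
    key=$(crypttab_keyfile "$target")
    [ -n "$key" ] && [ "$key" != none ] || { echo "$target: no keyfile in crypttab" >&2; return 1; }
    keyfile_perms_ok "$key"            || { echo "$key: mode is not 0400" >&2; return 1; }
    keyfile_placement_ok "$key" "$mnt" || { echo "$key: under /boot or inside $mnt" >&2; return 1; }
    luks_keyfile_opens "$dev" "$key"   || { echo "$key: does not open $dev" >&2; return 1; }
    echo "$target: keyfile OK; $(cryptsetup luksDump "$dev" | luks_enabled_slots) key slot(s) enabled"
}
```

make_keyfile reads /dev/urandom with head -c and then checks the byte count, because a single blocking read can come back short. The size is an argument rather than a fixed 32 because cryptsetup feeds the keyfile contents through the same key derivation as a typed passphrase, so any length works; matching "MK bits" as the post does is a reasonable default. Run preflight for every target before rebooting, and keep the passphrase slot until the keyfile has opened the volume at least once.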