Last active
March 5, 2021 15:17
Installing Debian with an encrypted boot partition
Create "rescue" partition, do minimal installation, boot (replace ? with root partition device):
[Grub console:]
> set root=(hd0,gptX)
> linux /vmlinuz root=/dev/?
> initrd /initrd.img
> boot
Bring it up to date and install cryptsetup.
Reboot into Debian installer again, and create encrypted partition + unencrypted boot partition; install; boot (replace ? with root partition device):
[Grub console:]
> set root=(hd0,gptX) [gptX is the boot partition]
> linux /vmlinuz root=/dev/mapper/?_crypt
> initrd /initrd.img
> boot
Bring it up to date.
Reboot to rescue. Mount crypto, chroot to it, and rename ?_crypt to something simpler (replace ?1 with root partition device, ?2 with boot partition device):
# mkdir /mnt/crypt
# cryptsetup luksOpen /dev/?1 root_crypt
# mount /dev/mapper/root_crypt /mnt/crypt
# mount --bind /dev /mnt/crypt/dev
# mount --bind /proc /mnt/crypt/proc
# mount --bind /sys /mnt/crypt/sys
# mount /dev/?2 /mnt/crypt/boot
# mount --bind /boot/efi /mnt/crypt/boot/efi
# chroot /mnt/crypt /bin/bash
# nano /etc/fstab [change ?_crypt to something like root_crypt]
# nano /etc/crypttab [change ?_crypt to something like root_crypt]
# update-initramfs -u -k all
# cd /tmp
# gunzip --stdout /initrd.img | cpio --extract
# cd conf/conf.d
# cat cryptroot [confirm the target is now root_crypt]
Reboot and test the change.
Reboot to rescue. Remount and chroot to crypto, mounting the old boot partition at /mnt/crypt/oldboot (replace ? with the root and old boot partition devices):
# cryptsetup luksOpen /dev/? root_crypt
# mount /dev/mapper/root_crypt /mnt/crypt
# mkdir /mnt/crypt/oldboot
# mount /dev/? /mnt/crypt/oldboot
# mount --bind /dev /mnt/crypt/dev
# mount --bind /proc /mnt/crypt/proc
# mount --bind /sys /mnt/crypt/sys
# mkdir /mnt/crypt/boot/efi
# mount --bind /boot/efi /mnt/crypt/boot/efi
# chroot /mnt/crypt /bin/bash
Copy /oldboot to /boot (now a directory on the encrypted root) and remove the old /boot line from fstab:
# cp /oldboot/* /boot
# nano /etc/fstab
Write down the UUID of the raw partition that holds the LUKS container, and the UUID of the filesystem inside it:
# blkid
Reboot into crypto:
[Grub console:]
> insmod luks
> cryptomount -u "UUIDofrawpartitionNoHyphens"
> ls -l
> search --fs-uuid --set=root "uuid-of-crypto-device"
> linux /vmlinuz root=/dev/mapper/root_crypt
> initrd /initrd.img
> boot
Create keyfile and add it to the crypt device:
# dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
# chmod go-rw /crypto_keyfile.bin
# cryptsetup luksAddKey /dev/? /crypto_keyfile.bin
# cryptsetup luksDump /dev/? [a second key slot should now be enabled]
Edit /etc/crypttab to use the keyfile, with /bin/cat as the keyscript that feeds it to cryptsetup:
> root_crypt /dev/? /crypto_keyfile.bin luks,keyscript=/bin/cat
Create initramfs hook to copy the keyfile into the initrd, in /etc/initramfs-tools/hooks/crypto_keyfile:
> #!/bin/sh
> cp /crypto_keyfile.bin "${DESTDIR}"
Make the hook executable:
# chmod +x /etc/initramfs-tools/hooks/crypto_keyfile
Make /boot readable only by root (the initrd now contains the keyfile in cleartext):
# chmod -R g-rwx,o-rwx /boot
Update the initrd:
# update-initramfs -u
Check that the keyfile exists in the initrd:
# lsinitramfs -l /initrd.img
Install grub (the warning it prints is incorrect; GRUB_ENABLE_CRYPTODISK=y must be added to /etc/default/grub so that GRUB can unlock the LUKS volume that holds /boot).
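Because the keyfile ends up in cleartext inside the initrd, the whole scheme rests on three things being true at once: the crypttab entry actually points at the keyfile, GRUB is allowed to unlock the LUKS volume, and nothing under /boot (or the keyfile itself) is readable by anyone but root. The POSIX shell script below is an added example, not part of the gist: it checks those three conditions before you reboot. Paths are parameters so it can be run inside the chroot or against a test tree; the defaults are the paths the gist uses. The function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original gist): pre-reboot sanity checks for the
# keyfile-in-initrd setup. Defaults match the gist; all paths can be overridden.

# 0 if crypttab entry NAME has an absolute keyfile path and uses
# keyscript=/bin/cat (the option the gist relies on), else 1.
crypttab_uses_keyfile() {
    crypttab=$1
    name=$2
    while read -r n _dev key opts rest; do
        case "$n" in ''|'#'*) continue ;; esac     # blank line or comment
        [ "$n" = "$name" ] || continue
        case "$key" in
            ''|none) echo "$name: no keyfile configured" >&2; return 1 ;;
            /*) ;;
            *) echo "$name: keyfile is not an absolute path: $key" >&2; return 1 ;;
        esac
        case ",$opts," in
            *,keyscript=/bin/cat,*) return 0 ;;
        esac
        echo "$name: keyscript=/bin/cat missing from options '$opts'" >&2
        return 1
    done < "$crypttab"
    echo "$name: no entry in $crypttab" >&2
    return 1
}

# 0 if /etc/default/grub enables cryptodisk support (GRUB_ENABLE_CRYPTODISK=y,
# quoted or not), which grub-install needs to embed the LUKS unlock modules.
grub_cryptodisk_enabled() {
    grep -q '^GRUB_ENABLE_CRYPTODISK="\{0,1\}y"\{0,1\}[[:space:]]*$' "$1"
}

# 0 if PATH exists and nothing under it is group- or world-accessible.
# The initrd carries the keyfile, so /boot and the keyfile must be root-only.
tree_is_root_only() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    leaked=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                       -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$leaked" ]; then
        printf 'group/other-accessible under %s:\n%s\n' "$1" "$leaked" >&2
        return 1
    fi
    return 0
}

# Run every check; arguments override the gist's default locations.
# Usage: precheck [crypttab] [mapping-name] [grub-default] [boot-dir] [keyfile]
precheck() {
    crypttab=${1:-/etc/crypttab}
    name=${2:-root_crypt}
    grub_default=${3:-/etc/default/grub}
    bootdir=${4:-/boot}
    keyfile=${5:-/crypto_keyfile.bin}
    status=0
    crypttab_uses_keyfile "$crypttab" "$name" || status=1
    grub_cryptodisk_enabled "$grub_default" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y not set in $grub_default" >&2; status=1; }
    tree_is_root_only "$bootdir" || status=1
    tree_is_root_only "$keyfile" || status=1
    [ "$status" -eq 0 ] && echo "OK: keyfile setup is consistent; safe to reboot"
    return "$status"
}

# Invoke as:  sh precheck.sh --run   (as root, inside the chroot or after boot)
if [ "${1:-}" = "--run" ]; then
    precheck "${2:-}" "${3:-}" "${4:-}" "${5:-}" "${6:-}"
fi
```

Run it as root right after the `lsinitramfs` step; a non-zero exit with the reason on stderr means the setup is not yet safe to reboot into. The permission check deliberately walks all of /boot rather than just the initrd, because `update-initramfs` writes a new file and the `chmod -R` step only covers what existed when it ran.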