I wanted a safe, encrypted Debian install, parallel to my existing macOS install, that I could nuke trivially at a moment's notice and that would leave very little evidence behind. In my setup, if I zeroed partitions sda4->sda7 (can be done trivially from macOS or Debian), the next time I rebooted it would revert to the original EFI System Partition, and I would be greeted by an unblemished factory macOS bootloader. Even if I was asked to decrypt my OS at customs, there would be no evidence of a previous Debian install.
Do not attempt this guide if you are not familiar with Linux. YOU WILL NUKE YOUR COMPUTER AND EVERYONE YOU LOVE WILL DIE. Please first read through the whole guide and make sure you are familiar with the utilities we will be using.
This has only been tested on my mid-2013 Retina Macbook Pro 15". It may not work on your device.
Since this whole process can take several hours to complete, if you have any data you care about on your macOS, you will have to make sure you have up-to-date, redundant, reliable backups of this data in order to avoid data loss. If all of your data is kept on a single disk, and something happens during the installation process, your data could be lost forever, so make sure that you have backed up your data to more than one location. If you have several hundred gigabytes of data like I do, this will take several hours if you do not have a fast disk. I would highly recommend the LaCie USB-C Rugged for this task as it has a fast interface and comes with cables to connect to both USB and USB-C, for future proofing! If you avoid the Apple Store you can actually get them for a very reasonable price.
Make sure to keep your encryption keys safe in a good password manager or you will have to start from scratch (although linux creds can be reset trivially with a live disk)
I'm assuming you're starting with a fresh-ish macOS device. You will need:
- A reliable backup drive containing an up-to-date backup of your macOS files
- (optional) a redundant backup drive containing a second up-to-date backup to avoid a single point of failure
- 8GB+ USB drive for installing macOS
- (optional) second 8GB+ USB drive for installing Debian (recommended so that you don't overwrite your macOS installer)
- (optional) a USB-to-Ethernet or Thunderbolt-to-Ethernet adapter (since it's unlikely the wireless drivers will work out of the box)
In order to safely install our dual boot setup, we're going to:
- back up your macOS data
- create a macOS installer USB
- use the installer to wipe the hard drive, reserve space for Debian, then install macOS fresh
- create partitions for Debian and rEFInd
- (recommended) temporarily disable the firmware password so that you don't need to keep re-entering it each time you boot
- download macOS Sierra from the App Store
- create the installer USB from Terminal: https://support.apple.com/en-au/HT201372
- boot macOS installer
- wipe hard drive
- create a Mac OS Extended (Journaled, Encrypted) partition, leaving ~100GB of free space
- install macOS with FileVault 2
- don't restore your files just yet, there is a possibility you could mess up your macOS partition in the install process.
- If you need to, you can access your files by:
- enabling timemachine system tray icon
- option-clicking timemachine
- browse other disk
- Boot livedisk
- add stretch contrib to sources and install hfs utilities, cryptsetup and gparted
sudo -i
echo "deb http://ftp.debian.org/debian stretch main contrib non-free" >> /etc/apt/sources.list
apt update
apt install --yes hfsplus hfsutils hfsprogs cryptsetup gparted
- using gparted, create a ~200MB HFS+ partition for rEFInd, leaving a 128MB gap after Recovery HD. This will be referred to as the EFI System Partition or ESP.
- leave the remainder unallocated; it will be partitioned during the Debian install.
- Boot in to macOS
- Make sure you can see your newly created
- The instructions are here although they are out of date.
- Here are the commands I used:
# from the downloaded refind directory
sudo mkdir -p /mnt/esp
sudo mount -t hfs /dev/disk0s4 /mnt/esp
sudo mkdir -p /mnt/esp/efi/refind
# -R is needed because drivers_x64, icons and tools_x64 are directories; sudo because /mnt/esp is root-owned
sudo cp -R drivers_x64 icons refind_x64.efi refind.conf-sample tools_x64 /mnt/esp/efi/refind
# rEFInd only reads refind.conf, so start from the sample; the Debian stanzas are added to this file later
sudo cp /mnt/esp/efi/refind/refind.conf-sample /mnt/esp/efi/refind/refind.conf
sudo bless --setBoot --folder /mnt/esp/efi/refind --file /mnt/esp/efi/refind/refind_x64.efi
- After blessing, reboot and ensure you can see the refind boot manager
With your fresh macOS install you can create the Debian live disk:
- download Debian stretch live + non-free (I chose Cinnamon)
- install brew
- brew cask install etcher
- use Etcher to write the Debian live image to the (second) USB drive
Boot the live disk to install Debian:
- create a ~500MB ext3 partition to store the unencrypted boot files that will load the encrypted filesystem. This will be referred to as the boot partition.
You should end up with something that looks like this:
fdisk -l
Disk /dev/sda: 931.9 GiB, 1000555581440 bytes, 1954210120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 61E77735-DBA6-48B4-93C1-093E26FB4A84
Device Start End Sectors Size Type
/dev/sda1 40 409639 409600 200M EFI System
/dev/sda2 409640 1757911311 1757501672 838G Apple Core storage
/dev/sda3 1757911312 1759180847 1269536 619.9M Apple boot
/dev/sda4 1759444992 1759854591 409600 200M Apple HFS/HFS+
/dev/sda5 1759854592 1760831487 976896 477M Linux filesystem
/dev/sda6 1937825792 1954209791 16384000 7.8G Linux swap
/dev/sda7 1760831488 1937825791 176994304 84.4G Linux filesystem
Disk /dev/mapper/sda7_crypt: 84.4 GiB, 90618986496 bytes, 176990208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
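As an added example (not part of the original guide), a small POSIX shell function that reads the partition table as printed by `fdisk -l` above and checks it for overlapping sector ranges before anything is created, zeroed or formatted; it also flags where partition numbers and on-disk order disagree, as sda6 and sda7 do in this layout. The function name `check_layout` is chosen here.

```shell
#!/bin/sh
# Added example, not from the original guide. Reads the "Device Start End ..."
# table of `fdisk -l` on stdin, prints one line per problem and exits
# non-zero if any two partitions overlap. A partition that starts before
# its lower-numbered neighbour is only noted, since that is what the
# layout above looks like (sda6 sits after sda7 on disk).
check_layout() {
    awk '
    # table rows only: a /dev node followed by numeric start and end sectors
    $1 ~ /^\/dev\// && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        n++; dev[n] = $1; start[n] = $2; end[n] = $3
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (start[i] > end[i]) { print "inverted range: " dev[i]; bad++ }
            for (j = i + 1; j <= n; j++) {
                # two ranges overlap when neither one ends before the other starts
                if (start[i] <= end[j] && start[j] <= end[i]) {
                    print "overlap: " dev[i] " and " dev[j]; bad++
                }
            }
            if (i > 1 && start[i] < start[i-1])
                print "note: " dev[i] " starts before " dev[i-1] " on disk"
        }
        exit (bad > 0)
    }'
}

# Usage on a live system (run from an sh prompt):
#   fdisk -l /dev/sda | check_layout
```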
Debian can be booted directly by rEFInd if we just tell it where the kernel is. I've added optional instructions to install a GRUB2-EFI bootloader. Managing an extra layer in your bootloader chain is a pain in the ass (especially if it's GRUB2), but GRUB does have a nice recovery shell if shit hits the fan. I couldn't get the rEFInd shell working so I decided to go with GRUB2 for that bootloader redundancy. I didn't install a hybrid MBR/GPT because that's not great practice.
- boot in to live
- (optional) install openssh-server and log in with creds user/live if you don't want to keep swapping keyboards.
apt update
apt install openssh-server
systemctl restart sshd.service
- enable contrib and nonfree packages for fs drivers and stuff
sudo -i
echo "deb http://ftp.debian.org/debian $(lsb_release -cs) main contrib non-free" >> /etc/apt/sources.list
apt update
- install everything we need before we chroot
apt install --yes hfsplus hfsutils hfsprogs cryptsetup vim
- (optional) install the GRUB2-EFI packages
apt install --yes grub-efi-amd64
- decrypt and mount the root, boot and EFI System partitions for the chroot
root_dev= # partition containing your encrypted root, e.g. sda7 in the layout above
boot_dev= # boot partition, e.g. sda5
esp_dev= # EFI System partition (the rEFInd HFS+ partition), e.g. sda4
cryptsetup luksOpen /dev/${root_dev} ${root_dev}_crypt
mount /dev/mapper/${root_dev}_crypt /mnt
mount /dev/${boot_dev} /mnt/boot
mkdir -p /mnt/boot/efi
mount /dev/${esp_dev} /mnt/boot/efi
# bind the live system's device and kernel interfaces so tools inside the chroot can see them
mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
- (optional) install GRUB2-EFI
# work around this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716927#20
# the bootloader directory must exist before the dummy file can be written; lsb_release must be
# available inside the chroot, otherwise substitute the release name (e.g. stretch) by hand
mkdir -p "/boot/efi/EFI/$(lsb_release -cs)"
echo "This file is required for booting" > "/boot/efi/EFI/$(lsb_release -cs)/mach_kernel"
echo "This file is required for booting" > /boot/efi/mach_kernel
grub-install --target x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id="$(lsb_release -cs)" --no-nvram
- update initrd
update-initramfs -u
- run this command to get the pure-EFI stanza to add to /boot/efi/efi/refind/refind.conf (note: inside the chroot, uname -r reports the live disk's kernel, so confirm it matches the vmlinuz-* and initrd.img-* files in /boot before using the stanza):
cat << EOF
menuentry "Debian - vmlinuz" {
icon /EFI/refind/icons/os_debian.png
volume $(blkid -o export /dev/${boot_dev} | sed -E -n 's/^UUID=(\S+)/\1/p')
loader vmlinuz-$(uname -r)
initrd initrd.img-$(uname -r)
options "ro root=/dev/mapper/${root_dev}_crypt"
}
EOF
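An added example, not from the original guide: the same stanza built from the kernel actually installed on the boot partition rather than from `uname -r` (which inside the chroot reports the live disk's kernel), plus a check that the loader and initrd it names really exist before you reboot. The function names `newest_kernel`, `refind_stanza` and `check_kernel_files` are chosen here, and the boot partition is assumed to be mounted at the directory passed in.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds the rEFInd "pure EFI"
# stanza from the newest vmlinuz-* present on the boot partition and verifies
# that both the kernel and its initrd exist, so a mismatch between the live
# kernel and the installed one is caught before rebooting.

# Print the newest kernel version that exists as vmlinuz-<version> in $1.
newest_kernel() {
    bootdir=$1
    for f in "$bootdir"/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Print the stanza: $1 = rEFInd volume identifier (the guide uses the boot
# partition's UUID from blkid), $2 = kernel version, $3 = dm-crypt mapper name.
refind_stanza() {
    cat <<EOF
menuentry "Debian - vmlinuz" {
    icon /EFI/refind/icons/os_debian.png
    volume $1
    loader vmlinuz-$2
    initrd initrd.img-$2
    options "ro root=/dev/mapper/$3"
}
EOF
}

# Return 1 (and report on stderr) unless vmlinuz-$2 and initrd.img-$2 exist in $1.
check_kernel_files() {
    bootdir=$1; kver=$2; rc=0
    for f in "vmlinuz-$kver" "initrd.img-$kver"; do
        if [ ! -f "$bootdir/$f" ]; then
            echo "missing: $bootdir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage from inside the chroot, with the boot partition mounted on /boot and
# root_dev/boot_dev set as earlier in the guide:
#   kver=$(newest_kernel /boot)
#   check_kernel_files /boot "$kver" &&
#     refind_stanza "$(blkid -o value -s UUID /dev/$boot_dev)" "$kver" "${root_dev}_crypt"
```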
- (optional) run this command to get the GRUB2-EFI stanza for /boot/efi/efi/refind/refind.conf
cat << EOF
menuentry "Debian - vmlinuz" {
icon /EFI/refind/icons/os_debian.png
volume $(blkid -o export /dev/${boot_dev} | sed -E -n 's/^UUID=(\S+)/\1/p')
loader /grub/x86_64-efi/grub.efi
}
EOF
- i used these instructions to install drivers for my wireless card: https://wiki.debian.org/wl
macOS Recovery mode does not allow you to repair your installation while rEFInd is the blessed bootloader.
When you attempt to repair macOS you will get "This disk cannot be used to start up your computer".
Apple has attempted to hide their own KB article by redirecting it, but an archive can be found here: https://web.archive.org/web/20140926121354/http://support.apple.com/kb/TS3926
We need to resize the macOS partition using Disk Utility, but when we do that, it says "You can't perform this resize unless it has a booter (target partition is probably too small)".
So we need to convert the CoreStorage Logical Volume to a normal disk partition: https://apple.stackexchange.com/questions/176872/resizing-macintosh-hd-partition-to-use-free-space
To do that you have to revert to the macOS bootloader using bless:
sudo bless --setBoot --folder /System/Library/CoreServices --file /System/Library/CoreServices/boot.efi
or using the Startup Disk settings pane.
See also: https://apple.stackexchange.com/questions/257056/corrupted-macos-partition-after-gparted
recreate all partitions:
GPT fdisk (gdisk) version 1.0.3
Partition table scan:
MBR: hybrid
BSD: not present
APM: not present
GPT: present
Found valid GPT with hybrid MBR; using GPT.
Command (? for help): p
Disk /dev/sda: 1954210120 sectors, 931.8 GiB
Model: APPLE SSD SM1024
Sector size (logical/physical): 512/4096 bytes
Disk identifier (GUID): 61E77735-DBA6-48B4-93C1-093E26FB4A84
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1954210086
Partitions will be aligned on 8-sector boundaries
Total free space is 264445 sectors (129.1 MiB)
Number Start (sector) End (sector) Size Code Name
1 40 409639 200.0 MiB EF00 EFI System Partition Efi System s (Apple EFI)
2 409640 1757911311 838.0 GiB AF05 Apple Core Storage (Macintosh HD)
3 1757911312 1759180847 619.9 MiB AB00 Recovery HD (Apple Recovery)
4 1759444992 1759854591 200.0 MiB AF00 Apple HFS/HFS+ (Refind)
5 1759854592 1760831487 477.0 MiB 8300 Linux filesystem (GRUB)
6 1937825792 1954209791 7.8 GiB 8200 Linux swap (Swap)
7 1760831488 1937825791 84.4 GiB 8300 Linux filesystem (Debian)
Disk size is 1954210120 sectors (931.8 GiB)
MBR disk identifier: 0x00000000
MBR partitions:
Number Boot Start Sector End Sector Status Code
1 1 409639 primary 0xEE
2 * 409640 1757911311 primary 0xDA
3 1757911312 1759180847 primary 0xAF
4 1759444992 1759854591 primary 0xAF
Changed Partition ID 4 from AF00 to 8300. Wouldn't install
- encrypt swap
- beautiful config
Information taken from:
- https://wiki.debian.org/MacBook
- http://www.thecrosseroads.net/2016/02/booting-a-zfs-root-via-uefi-on-debian/
- https://www.anchor.com.au/blog/2012/10/the-difference-between-booting-mbr-and-gpt-with-grub/
- http://www.rodsbooks.com/refind/installing.html#osx
- https://github.com/zfsonlinux/zfs/wiki/Dual-booting-OS-X-and-Debian-Jessie-with-ZFS-root,-cross-mounting-and-full-disk-encryption
- https://iocrunch.com/2014/02/linux-dual-boot-on-mac-with-full-disk-encryption/
- http://heeris.id.au/2014/ubuntu-plus-mac-pure-efi-boot/
- https://blog.jayway.com/2015/11/22/ubuntu-full-disk-encrypted-macosx/
- http://madduck.net/docs/cryptdisk/
- http://www.davideolianas.com/how-im-booting-linux-from-lvm-inside-luks-in-a-uefi-installation.html
- http://www.matthiaskauer.com/2015/03/install-boot-repair-on-debian-from-ubuntu-ppa/
- https://medium.com/@mmiglier/ubuntu-installation-on-usb-stick-with-pure-efi-boot-mac-compatible-469ad33645c9