Differences between revisions 24 and 25
Revision 24 as of 2014-04-10 15:17:47
Size: 10205
Comment: luksFormat should use random, NOT urandom (default!)
Revision 25 as of 2016-01-10 00:49:03
Size: 10201
Editor: PaulWise
Comment: update links
Line 30: Line 30:
# wget http://people.debian.org/~joeyh/d-i/images/daily/hd-media/boot.img.gz
# wget http://people.debian.org/~joeyh/d-i/images/daily/MD5SUMS
# wget https://d-i.debian.org/daily-images/i386/daily/hd-media/boot.img.gz
# wget https://d-i.debian.org/daily-images/i386/daily/MD5SUMS
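Review bot: the Line 30 hunk moves both boot.img.gz and its MD5SUMS list to https://d-i.debian.org, which is an improvement over plain http, but the checksum list is still served from the same host as the image, so a matching md5sum only shows the download was not corrupted, not that the image is genuine; the text should say so. The netinst ISO and MD5SUMS.small a few lines further down are still fetched over http://cdimage.debian.org and could be updated in the same way.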


WARNING:
This page is being edited and is most likely to be inaccurate.
The method described in this page might not work for everyone.
If you use this method, you are on your own.

Preamble

This article:

  • describes how to create a Debian testing USB installer, and also how to use debootstrap to create a simple USB Debian system;
  • describes how to install Debian GNU/Linux on an AES-XTS encrypted LVM using debootstrap;
  • is targeted at i386 users, but with small modifications can be used by amd64 users too;
  • is intended as a step-by-step howto for those who want to install Squeeze, or with some modifications Sid, on an AES-XTS encrypted LVM;
  • does not explain the commands listed. For most of the commands, the explanation is provided in other documents.

Although the procedure of installing Debian using debootstrap is described in the Debian GNU/Linux Installation Guide, Appendix D, this article was made for those who need a step-by-step example of how to install on an AES-XTS encrypted LVM. This article is not based entirely on the Installation Guide, and even though the procedure described here has been tested many times, it should not be considered flawless or the ultimate solution. This article also exists because, at the time of writing, the Debian Installer does not yet offer an option to install on an AES-XTS encrypted LVM. This procedure can be time consuming, for what it's worth, and is not intended for installing on a remote system. Before starting to follow this procedure, you should back up your data.

Create a Squeeze USB installer

If you don't want to use the next commands to make a Squeeze USB installer, you can install Squeeze using any other preferred method.

# mkdir ~/debinst
# cd ~/debinst
# wget https://d-i.debian.org/daily-images/i386/daily/hd-media/boot.img.gz
# wget https://d-i.debian.org/daily-images/i386/daily/MD5SUMS
# cat MD5SUMS | grep boot.img.gz
# md5sum boot.img.gz
# wget http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso
# wget http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/MD5SUMS.small
# cat MD5SUMS.small | grep debian-testing-i386-netinst.iso
# md5sum debian-testing-i386-netinst.iso
# zcat boot.img.gz > /dev/sda
# mkdir /mnt/debinst
# mount /dev/sda /mnt/debinst
# cp debian-testing-i386-netinst.iso /mnt/debinst
# umount /mnt/debinst
# rm -rf /mnt/debinst
# cd ~
# rm -rf debinst
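The commands above fetch each checksum list and then leave it to the reader to compare the grep line against the md5sum output by eye. The following is an added example, not part of the original page, that does the same comparison for either download (boot.img.gz against MD5SUMS, the netinst ISO against MD5SUMS.small) and fails closed; the function name verify_image is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: verify a downloaded image
# against the MD5SUMS / MD5SUMS.small list fetched beside it, instead of
# eyeballing the output of grep and md5sum. A matching sum only shows the
# download was not corrupted; the list comes from the same place as the
# image, so it does not prove the image is genuine.
set -u

# verify_image FILE SUMSFILE
# Returns 0 on match, 1 on mismatch, 2 when SUMSFILE has no entry for FILE.
verify_image() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Entries look like "<md5>  ./hd-media/boot.img.gz" or "<md5>  name.iso";
    # match the basename at the end of the listed path, ignoring a leading
    # "*" (md5sum's binary-mode marker).
    expected=$(awk -v n="$name" '
        NF >= 2 { p = $2; sub(/^\*/, "", p); sub(/^.*\//, "", p)
                  if (p == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Stand-alone use: sh verify_image.sh boot.img.gz MD5SUMS
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "OK: $1 matches the entry in $2" ;;
        1) echo "FAILED: checksum mismatch for $1" >&2 ;;
        2) echo "FAILED: no entry for $1 in $2" >&2 ;;
    esac
    exit $rc
fi
```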

How to use the installer has been explained in many other documents.

Create a base Debian GNU/Linux system

Create a base Debian GNU/Linux system on a USB drive. This will be used to set up the encrypted LVM and to back up some files from the Squeeze install.

# dpkg --get-selections > selections.list
# dd if=/dev/zero of=/dev/sda
# cfdisk /dev/sda
# mkfs.ext4 /dev/sda1
# mkdir /mnt/debian
# mount /dev/sda1 /mnt/debian
# aptitude update
# aptitude install debootstrap
# debootstrap squeeze /mnt/debian http://ftp.us.debian.org/debian
# mkdir /mnt/debian/root/files
# cp /etc/fstab /mnt/debian/root/files
# cp /etc/hosts /mnt/debian/root/files
# cp /etc/network/interfaces /mnt/debian/root/files
# cp selections.list /mnt/debian/root/files
# LANG=C chroot /mnt/debian

Inside the chroot run these commands:

# dpkg-reconfigure tzdata
# mount proc /proc -t proc
# mount sysfs /sys -t sysfs
# mount devpts /dev/pts -t devpts
# cp ~/files/fstab /etc
# nano /etc/fstab

The file should contain something like:

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext4 defaults,errors=remount-ro 0 1

Press Ctrl+X to exit the editor.

# cp ~/files/hosts /etc
# cp ~/files/interfaces /etc/network
# aptitude update
# aptitude install linux-image-686
# umount /dev/pts

Press Ctrl+D to exit from the chroot.

# mount --bind /dev /mnt/debian/dev
# LANG=C chroot /mnt/debian

Inside the chroot enter these commands:

# mount devpts /dev/pts -t devpts
# aptitude install grub-pc
# passwd
# umount /dev/pts
# umount /sys
# umount /proc

Press Ctrl+D to exit from the chroot.

# umount /mnt/debian/dev
# umount /mnt/debian

Reboot from the USB drive and log in as root using the password you set up earlier.

Install on AES-XTS encrypted LVM

If you want to wipe all the data on the hard drive, you can use the next command, but this is not mandatory. This is a time consuming process.

# dd if=/dev/urandom of=/dev/hda

Before setting up the AES-XTS encrypted LVM, we must make sure that the update-initramfs command will work later.
To test whether it is working, run:

# update-initramfs -k all -u -v

If it is working, then you can proceed to the next commands. If it freezes, you have to reset the system, e.g. press the reset button. I have no explanation for this behavior nor for this pseudo-solution. I am sorry, but it is beyond my knowledge. If you must reboot, then run this command again. Do the same thing if it freezes again. Odds are that if you did reboot and it worked, then it won't freeze again until you reboot, but if it freezes again when running the command later, after the encrypted LVM was set up, the reset is the only solution I have found so far. Hopefully it won't freeze.

# cfdisk /dev/hda
# aptitude update
# aptitude install cryptsetup lvm2
# cryptsetup -c aes-xts-plain -s 512 --use-random -y luksFormat /dev/hda6
# cryptsetup luksOpen /dev/hda6 debian_pv
# pvcreate /dev/mapper/debian_pv
# vgcreate debian_vg /dev/mapper/debian_pv
# lvcreate -L 10G -n root_lv debian_vg
# lvcreate -L 1G -n swap_lv debian_vg
# lvcreate -l 100%FREE -n home_lv debian_vg
# mkfs.ext4 /dev/hda5
# mkfs.ext4 /dev/mapper/debian_vg-root_lv
# mkswap -f /dev/mapper/debian_vg-swap_lv
# mkfs.ext4 /dev/mapper/debian_vg-home_lv
# mkdir /mnt/debian
# mount /dev/mapper/debian_vg-root_lv /mnt/debian
# mkdir /mnt/debian/boot
# mount /dev/hda5 /mnt/debian/boot
# mkdir /mnt/debian/home
# mount /dev/mapper/debian_vg-home_lv /mnt/debian/home
# aptitude install debootstrap
# debootstrap squeeze /mnt/debian http://ftp.us.debian.org/debian
# mkdir /mnt/debian/root/files
# cp ~/files/* /mnt/debian/root/files
# LANG=C chroot /mnt/debian

Inside the chroot run these commands:

# dpkg-reconfigure tzdata
# mount proc /proc -t proc
# mount sysfs /sys -t sysfs
# mount devpts /dev/pts -t devpts
# cp ~/files/fstab /etc
# nano /etc/fstab

The file should contain something like:

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda5 /boot ext4 defaults 0 2
/dev/mapper/debian_vg-root_lv / ext4 defaults,errors=remount-ro 0 1
/dev/mapper/debian_vg-swap_lv none swap sw 0 0
/dev/mapper/debian_vg-home_lv /home ext4 defaults 0 2

Press Ctrl+X to exit the editor.

# cp ~/files/hosts /etc
# cp ~/files/interfaces /etc/network
# aptitude update
# aptitude install linux-image-686
# aptitude install cryptsetup lvm2
# nano /etc/crypttab

The file should contain something like:

# <target name> <source device> <key file> <options>
debian_pv /dev/hda6 none luks,tries=3

Press Ctrl+X to exit the editor.
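A mistake in the fstab or crypttab written above only shows up at the next boot, when the root filesystem lives inside the LUKS container and recovery means booting the USB system again. The following is an added example, not part of the original page, that checks copies of the two files for the problems this layout is prone to (a second entry for /, a mount point used twice, /boot missing or placed on a mapped device, or the LUKS container mounted directly instead of its mapped LV); the function name check_layout and the file arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the /etc/fstab and
# /etc/crypttab written in the chroot before running update-initramfs.
# Takes the two files as arguments so it can be run offline on copies.
set -u

# check_layout FSTAB CRYPTTAB
# Prints one problem per line; returns 0 if the layout looks sane, 1 otherwise.
check_layout() {
    fstab=$1; crypttab=$2; bad=0
    # Active (non-comment) fstab entries as "device mountpoint type"
    entries=$(awk '!/^[ \t]*#/ && NF >= 3 { print $1, $2, $3 }' "$fstab")
    # Exactly one root filesystem
    nroot=$(printf '%s\n' "$entries" | awk '$2 == "/" { n++ } END { print n + 0 }')
    [ "$nroot" -eq 1 ] || { echo "expected one / entry, found $nroot"; bad=1; }
    # No mount point used twice (swap's "none" is exempt)
    for m in $(printf '%s\n' "$entries" | awk '$2 != "none" { print $2 }' | sort | uniq -d); do
        echo "duplicate mount point: $m"; bad=1
    done
    # /boot must exist and sit on a plain partition: the grub-pc of this era
    # cannot load a kernel from inside a LUKS container
    boot=$(printf '%s\n' "$entries" | awk '$2 == "/boot" { print $1; exit }')
    case "$boot" in
        "") echo "no /boot entry; the kernel would live inside the encrypted root"; bad=1 ;;
        /dev/mapper/*) echo "/boot on $boot is inside a mapped device"; bad=1 ;;
    esac
    # Every crypttab source device must be used through its mapping, never
    # mounted directly as a filesystem
    for src in $(awk '!/^[ \t]*#/ && NF >= 2 { print $2 }' "$crypttab"); do
        if printf '%s\n' "$entries" | awk -v s="$src" '$1 == s { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "crypttab source $src is also mounted directly in fstab"; bad=1
        fi
    done
    return $bad
}

# Stand-alone use inside the chroot: sh check_layout.sh /etc/fstab /etc/crypttab
if [ "$#" -eq 2 ]; then
    check_layout "$1" "$2" && echo "layout looks sane"
fi
```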

# nano /etc/initramfs-tools/modules

The file should contain something like:

# List of modules that you want to include in your initramfs.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
xts
aes_i586

Press Ctrl+X to exit the editor.

# update-initramfs -k all -u -v
# umount /dev/pts

Press Ctrl+D to exit from the chroot.

# mount --bind /dev /mnt/debian/dev
# LANG=C chroot /mnt/debian

Inside the chroot enter these commands:

# mount devpts /dev/pts -t devpts
# aptitude install grub-pc
# passwd
# umount /dev/pts
# umount /sys
# umount /proc

Press Ctrl+D to exit from the chroot.

# umount /mnt/debian/dev
# umount /mnt/debian
# reboot

Boot from the hard drive.

Install anything else needed

You can use the next two commands to clone the packages installed by the Squeeze installer.

# dpkg --set-selections < ~/files/selections.list
# apt-get dselect-upgrade

You should also add a normal user using the adduser command. Please consider running as a normal user most of the time and only switching to root with su when you must.
You should now reboot once more, but this is not mandatory.

Remember that encryption is only one protective measure and only one part of what is called security.
Please consider taking other measures to harden your Debian GNU/Linux system. These have been covered in other documents.

Enjoy AES-XTS encryption, and hope that if any vulnerabilities are found in the future you will not be the first one affected and that you will have time to find a solution before your data gets compromised.