Translation(s): English, ?Romanian

(!) ?Discussion

WARNING:
This page is being edited and is most likely to be inaccurate.
The method described in this page might not work for everyone.
If you use this method, you are on your own.

Preamble

This article:

Although the procedure of installing Debian using debootstrap is described in the Debian GNU/Linux Installation Guide, Appendix D, this article was made for those that need a step-by-step example of how to install on AES-XTS encrypted LVM. This article is not based entirely on the Installation Guide, and even if the procedure described here has been tested many times, it shouldn't be considered flawless nor the ultimate solution. This article also exists because, at the time of writing, the Debian Installer does not yet offer an option to install on a AES-XTS encrypted LVM. This procedure might be a time consuming one, for what is worth, and is not intended to be used for installing on a remote system. Before starting to follow this procedure, you should backup your data.

Create a Squeeze USB installer

If you don't want to use the next commands to make a Squeeze USB installer, you can install Squeeze using any other preferred method.

# mkdir ~/debinst 
# cd ~/debinst
# wget http://people.debian.org/~joeyh/d-i/images/daily/hd-media/boot.img.gz
# wget http://people.debian.org/~joeyh/d-i/images/daily/MD5SUMS
# cat MD5SUMS | grep boot.img.gz
# md5sum boot.img.gz
# wget http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/debian-testing-i386-netinst.iso
# wget http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/MD5SUMS.small
# cat MD5SUMS.small | grep debian-testing-i386-netinst.iso
# md5sum debian-testing-i386-netinst.iso
# zcat boot.img.gz > /dev/sda
# mkdir /mnt/debinst
# mount /dev/sda /mnt/debinst
# cp debian-testing-i386-netinst.iso /mnt/debinst
# umount /mnt/debinst
# rm -rf /mnt/debinst
# cd ~
# rm -rf debinst

How to use the installer has been explained in many in other documents.

Create a base Debian GNU/Linux system

Create a base Debian GNU/Linux system on a USB drive. This will be used to setup the encrypted LVM and to backup some files from the Squeeze install.

# dpkg --get-selections > selections.list
# dd if=/dev/zero of=/dev/sda
# cfdisk /dev/sda
# mkfs.ext4 /dev/sda1
# mkdir /mnt/debian
# mount /dev/sda1 /mnt/debian
# aptitude update
# aptitude install debootstrap
# debootstrap squeeze /mnt/debian http://ftp.us.debian.org/debian
# mkdir /mnt/debian/root/files
# cp /etc/fstab /mnt/debian/root/files
# cp /etc/hosts /mnt/debian/root/files
# cp /etc/network/interfaces /mnt/debian/root/files
# cp selections.list /mnt/debian/root/files
# LANG=C chroot /mnt/debian

Inside the chroot run these commands:

# dpkg-reconfigure tzdata
# mount proc /proc -t proc
# mount sysfs /sys -t sysfs
# mount devpts /dev/pts -t devpts
# cp ~/files/fstab /etc
# nano /etc/fstab

The file should contain something like:

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext4 defaults,errors=remount-ro 0 1

Press Ctl+X to exit the editor.

# cp ~/files/hosts /etc
# cp ~/files/interfaces /etc/network
# aptitude update
# aptitude install linux-image-686
# umount /dev/pts

Press Ctrl+D to exit from the chroot.

# mount --bind /dev /mnt/debian/dev
# LANG=C chroot /mnt/debian

Inside the chroot enter these commands:

# mount devpts /dev/pts -t devpts
# aptitude install grub-pc
# passwd
# umount /dev/pts
# umount /sys
# umount /proc

Press Ctrl+D to exit from the chroot.

# umount /mnt/debian/dev
# umount /mnt/debian
# reboot

Boot from the USB and login as root using the password you have setup earlier.

Install on AES-XTS encrypted LVM

If you want to wipe all the data on the hard drive, you can use the next command, but this is not mandatory. This is a time consuming process.

# dd if=/dev/urandom of=/dev/hda

Before seting up the AES-XTS encrypted LVM, we must make sure that the update-initramfs command will work later.
To test if is working or not, run:

# update-initramfs -k all -u -v

If it is working, then you can proceed to the next commands. If it will freeze, you have to reset the system, eg. press the reset button. I have no explanation for this behavior nor for this pseudo-solution. I am sorry, but it is beyond my knowledge. If you must reboot, then run this command again. Do the same thing if it will freeze again. Odds are that if you did reboot and it worked, then it won't freeze again until you reboot, but if it will freeze again when running the command later, after the encrypted LVM was setup, the reset is the only solution i have found so far. Hopefully it won't freeze.

# cfdisk /dev/hda
# aptitude update
# aptitude install cryptsetup lvm2
# cryptsetup -c aes-xts-plain -s 512 -y luksFormat /dev/hda6
# cryptsetup luksOpen /dev/hda6 debian_pv
# pvcreate /dev/mapper/debian_pv
# vgcreate debian_vg /dev/mapper/debian_pv
# lvcreate -L 10G -n root_lv debian_vg
# lvcreate -L 1G -n swap_lv debian_vg
# lvcreate -l 100%FREE -n home_lv debian_vg
# mkfs.ext4 /dev/hda5
# mkfs.ext4 /dev/mapper/debian_vg-root_lv
# mkswap -f /dev/mapper/debian_vg-swap_lv
# mkfs.ext4 /dev/mapper/debian_vg-home_lv
# mkdir /mnt/debian
# mount /dev/mapper/debian_vg-root_lv /mnt/debian
# mkdir /mnt/debian/boot
# mount /dev/hda5 /mnt/debian/boot
# aptitude install debootstrap
# debootstrap squeeze /mnt/debian http://ftp.us.debian.org/debian
# mkdir /mnt/debian/root/files
# cp ~/files/* /mnt/debian/root/files
# LANG=C chroot /mnt/debian

Inside the chroot run these commands:

# dpkg-reconfigure tzdata
# mount proc /proc -t proc
# mount sysfs /sys -t sysfs
# mount devpts /dev/pts -t devpts
# cp ~/files/fstab /etc
# nano /etc/fstab

The file should contain something like:

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda1 /boot ext4 defaults 0 2
/dev/mapper/debian_vg-root_lv / ext4 defaults,errors=remount-ro 0 1
/dev/mapper/debian_vg-swap_lv none swap sw 0 0
/dev/mapper/debian_vg-home_lv / ext4 defaults 0 1

Press Ctl+X to exit the editor.

# cp ~/files/hosts /etc
# cp ~/files/interfaces /etc/network
# aptitude update
# aptitude install linux-image-686
# aptitude install cryptsetup lvm2
# nano /etc/crypttab

The file should contain something like:

# <target name> <source device> <key file> <options>
debian_pv /dev/hda6 none luks,retry=1

Press Ctl+X to exit the editor.

# nano /etc/initramfs-tools/modules

The file should contain something like:

# List of modules that you want to include in your initramfs.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
xts
aes_i586

Press Ctl+X to exit the editor.

# update-initramfs -k all -u -v
# umount /dev/pts

Press Ctrl+D to exit from the chroot.

# mount --bind /dev /mnt/debian/dev
# LANG=C chroot /mnt/debian

Inside the chroot enter these commands:

# mount devpts /dev/pts -t devpts
# aptitude install grub-pc
# passwd
# umount /dev/pts
# umount /sys
# umount /proc

Press Ctrl+D to exit from the chroot.

# umount /mnt/debian/dev
# umount /mnt/debian
# reboot

Boot from the hard drive.

Install anything else needed

You can use the next 2 commands to clone the packages installed by the Squeeze installer.

# dpkg --set-selections < ~/files/selections.list
# apt-get dselect-upgrade

You should also add a normal user using the adduser command. Please consider running as normal user most of the time and only su to root if you must.
You should now reboot once more, but this is not mandatory.

Remember that the encryption is only a measure of protection and it is just a part of the process that it is called security.
Please consider taking other measures to harden your Debian GNU/Linux system. This have been covered in other documents.

Enjoy AES-XTS encryption and hope that if any vulnerabilities are to be found in the future you will not be the first one affected and that you will have time to find a solution before your data get's compromised.