- [Created by zifxify aka krabs]
- System Specs: Dell E5550
- SSD Samsung PM871 (256GB)
- sda 8:0 0 238.5G 0 disk
- ├─sda1 8:1 0 1M 0 part
- └─sda2 8:2 0 219.7G 0 part
- └─lvm 254:0 0 219.7G 0 crypt
- ├─vg0-swap 254:1 0 8G 0 lvm [SWAP]
- ├─vg0-qemu 254:2 0 60G 0 lvm --> will be used for KVM machines.
- ├─vg0-root 254:3 0 45G 0 lvm /
- ├─vg0-home 254:4 0 60G 0 lvm /home
- └─vg0-var 254:5 0 20G 0 lvm /var
- This howto requires that the system boots via the legacy BIOS path from a GPT disk with a protective MBR; if you have a recent machine, switch the firmware to legacy (CSM) booting first.
- I don't like UEFI at all; besides that, the OEM UEFI firmware implementation is also vulnerable on a lot of systems (google ThinkPwn).
- We will still be using GPT partitioning, as GRUB 2 can embed its core image (the successor of the old stage 1.5 loader) into an unformatted partition carrying the bios_grub flag (gdisk type ef02).
- This howto covers the basic installation of a fully encrypted Debian system (LVM on LUKS, /boot included).
- Only a pure Debian base system will be created (originally for laptop use; edit the debootstrap package list for a workstation installation), so it's up to you to install and configure additional software packages.
- Originally /usr was also on a separate LV (so we could mount it read-only and remount it writable only when installing or upgrading the system), but I had problems creating an initramfs that mounts it successfully, so /usr wasn't mounted in early userspace.
- The system still boots that way, but it's not the recommended setup: https://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken/
- I have also left some free space in the VG (circa 25 GB).
- Download the current Debian Standard live ISO (iso-hybrid version).
- ----------------------------------------
- Login shell
- # login: user pass: live
- Get a DHCP lease (if not connected yet)
- # sudo dhclient eth0 -v
- Update the live system
- # sudo apt-get update && sudo apt-get upgrade
- Configure the keyboard
- # sudo apt-get install console-data (I'm using azerty as default)
- # sudo dpkg-reconfigure keyboard-configuration
- Configure time and location
- # sudo dpkg-reconfigure tzdata (I like to work in an environment with the correct time :) )
- PREPARING DISK
- --------------
- Install gdisk
- # sudo apt-get install gdisk
- # sudo gdisk /dev/sdx (use lsblk to find the right disk; the rest of this howto assumes /dev/sda)
- Create a GPT partition table
- # enter o
- Create a BIOS GRUB partition (type ef02, 1 MiB; this is where grub-install embeds its core image)
- # enter n enter enter +1MiB ef02
- Create the LUKS/LVM partition, leaving 19242 MB unpartitioned
- # enter n enter enter -19242MB 8e00 (about 7 % of the disk is left unallocated as extra over-provisioning. I will not enable TRIM and trust the SSD firmware to do its job; with an old SSD you will likely want to enable TRIM, at the cost of eventually leaking which blocks of the container are unused. The 8e00 type code is only a label on GPT; gdisk also offers 8309 "Linux LUKS".)
- Write the changes to disk
- # enter w
- Set the boot flag on the protective MBR partition (type 0xEE). This is not always needed; a Packard Bell EasyNote TK81 just worked fine without it, but some BIOSes refuse to boot from a GPT disk without it, so set the flag just in case.
- # sudo apt-get install parted
- # sudo parted /dev/sda disk_toggle pmbr_boot
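- The same partitioning as a script, added here as an example (not part of the original paste): it replaces the interactive gdisk dialogue with sgdisk, computes the over-provisioning reserve from the disk size instead of hard-coding -19242MB, and only prints the commands unless RUN=1 is set. The 256 GB size and the partition names are constructed for the demonstration; 8309 as an alternative type code is an assumption about gdisk's code table, not something the howto uses.

```shell
#!/bin/sh
# Scriptable version of the gdisk dialogue above (added example, not part of
# the original paste). It uses sgdisk, which ships in the same gdisk package,
# plus parted for the protective-MBR boot flag. Commands are only PRINTED
# unless RUN=1 is set, so the plan can be read before it touches a disk.

# MiB to leave unpartitioned at the end of a disk of $1 bytes when reserving
# $2 percent as over-provisioning. Integer arithmetic, rounded down.
reserve_mib() {
    echo $(( $1 * $2 / 100 / 1048576 ))
}

# Print (or execute, with RUN=1) the partitioning for disk $1 of $2 bytes,
# keeping $3 percent unallocated. Partition 1 is the 1 MiB BIOS boot
# partition (ef02) into which grub-install embeds its core image; partition 2
# becomes the LUKS container (8e00 as in the howto; 8309 "Linux LUKS" is the
# more descriptive gdisk code and works just as well).
plan_layout() {
    disk=$1
    keep=$(reserve_mib "$2" "$3")
    run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
    run sgdisk --zap-all "$disk"
    run sgdisk -n 1:0:+1M -t 1:ef02 -c 1:bios_grub "$disk"
    run sgdisk -n 2:0:-"${keep}M" -t 2:8e00 -c 2:system "$disk"
    # Some BIOSes refuse to boot a GPT disk whose protective MBR entry lacks
    # the boot flag; toggling it on is harmless for the others.
    run parted "$disk" disk_toggle pmbr_boot
}

# Constructed example size: a nominal 256 GB drive like the Samsung PM871
# from the specs. On the real machine use: blockdev --getsize64 /dev/sdX
EXAMPLE_BYTES=256060514304

# Dry run against the constructed size (set RUN=1 and a real device to apply).
plan_layout /dev/sdx "$EXAMPLE_BYTES" 7
```

The dry run prints four commands; with a 7 % reserve on the constructed size the LUKS partition ends 17093 MiB before the end of the disk, which is the sgdisk way of writing the -19242MB the interactive session used (the author rounded up a little further).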
- Install haveged (more entropy on a headless live system), cryptsetup and lvm2
- # sudo apt-get install haveged cryptsetup lvm2
- Create the LUKS encrypted container on the "system" partition. Choose a passphrase whose characters sit on the same keys in your layout and in the US layout, because US is the only layout GRUB offers when it asks for the passphrase at boot (see the GRUB manual). The parameters below produce a LUKS1 header, which GRUB 2.02 in stretch can open; on a newer release where cryptsetup defaults to LUKS2, add --type luks1, since GRUB 2.02 and 2.04 cannot unlock LUKS2 at all and GRUB 2.06 only handles LUKS2 key slots that use PBKDF2.
- # sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
- Open the container (the mapping name "lvm" is reused in /etc/crypttab later)
- # sudo cryptsetup luksOpen /dev/sda2 lvm
- PREPARING LOGICAL VOLUMES
- -------------------------
- Create a physical volume on top of the opened LUKS container
- # sudo pvcreate /dev/mapper/lvm
- Create the volume group named vg0, adding the previously created physical volume to it
- # sudo vgcreate vg0 /dev/mapper/lvm
- Create all your logical volumes on the volume group (the 30 GiB usr LV was dropped because it needs a custom initramfs pre-mount hook; too much hassle to create one at the moment)
- # sudo lvcreate -L 8GiB -n swap vg0
- # sudo lvcreate -L 60GiB -n qemu vg0 --> used only for KVM; if not needed there is no reason to create it
- # sudo lvcreate -L 45GiB -n root vg0
- # sudo lvcreate -L 60GiB -n home vg0
- # sudo lvcreate -L 20GiB -n var vg0
- (# sudo lvcreate -l 100%FREE -n debian vg0) (optional: only if you want one more LV taking all remaining space instead of leaving it free in the VG)
- Create the filesystems and swap space with human-readable labels, then mount them in /target
- # sudo su
- # for i in root home var; do mkfs.ext4 -L $i /dev/mapper/vg0-$i; done
- # exit
- # sudo mkswap -L swap /dev/mapper/vg0-swap
- Mount lv volumes
- # sudo mkdir /target
- # sudo mount -o noatime,rw,suid,dev,exec,auto,nouser,async,errors=remount-ro /dev/mapper/vg0-root /target
- # sudo mkdir /target/home
- # sudo mkdir /target/var
- # sudo mount -o relatime,rw,nosuid,nodev,exec,auto,nouser,async /dev/mapper/vg0-home /target/home
- # sudo mount -o nodiratime,rw,nosuid,dev,exec,auto,nouser,async /dev/mapper/vg0-var /target/var
- Check the gpg keyring (lists the archive signing keys debootstrap will verify the Release file against)
- # sudo gpg /usr/share/keyrings/debian-archive-keyring.gpg
- Install debian (debootstrap)
- # sudo apt-get install debootstrap
- # sudo debootstrap --arch amd64 --variant=minbase --include=systemd,systemd-sysv,dbus,busybox,initramfs-tools,makedev,cryptsetup,lvm2,linux-image-amd64,kbd,console-setup,console-data,pciutils,lshw,dialog,locales,mc,netbase,ethtool,ifplugd,ifupdown,kmod,iproute,iputils-ping,apt-utils,wget,net-tools,isc-dhcp-client,isc-dhcp-common,vim,haveged,gdisk,wireless-tools,acpi-support,cpufrequtils,acpi,wpasupplicant,powertop,acpid,apmd,anacron stretch /target http://ftp.be.debian.org/debian
- Chroot into the new system using systemd-nspawn, set a root password and boot the container. (We will install GRUB this way and update the initramfs in a normal chroot later.)
- (The reason I install GRUB this way is that it will not complain about systemctl services (lvmetad, for example) which cannot be started from a normal chroot.)
- First set a root password before we actually boot the container.
- # systemd-nspawn -D /target
- # passwd root
- # exit
- # systemd-nspawn -b -D /target
- Make the /dev/mapper block devices and the partitions visible in our Debian container
- # dmsetup mknodes
- # mknod /dev/sda b 8 0
- # mknod /dev/sda1 b 8 1
- # mknod /dev/sda2 b 8 2
- Get the UUID of the LUKS container (the UUID of the partition, not of any LV)
- # blkid /dev/sda2 -> UUID=c29155ab-01d8-47ef-9be2-f40e26df1978
- Create the crypttab entry. The first field must match the mapping name used at luksOpen, because the initramfs hook copies this file (and lvm.conf) into the initrd and opens the container under that name.
- # echo 'lvm UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,discard' >> /etc/crypttab
- (Only keep the discard option if you do want TRIM to pass through dm-crypt; it reveals which blocks of the container are unused. If you decided against TRIM at the partitioning step, write just luks.)
- # apt-get update && apt-get upgrade
- Create the filesystem table in /etc/fstab (do not use labels here; /dev/mapper/ paths and UUIDs both work correctly)
- # <fs> <mountpoint> <type> <opts> <dump/pass>
- #tmpfs /tmp tmpfs relatime,rw,nosuid,nodev,noexec,auto,nouser,async 0 0
- #shm /dev/shm tmpfs relatime,rw,nosuid,nodev,noexec,auto,nouser,async 0 0
- /dev/mapper/vg0-root / ext4 noatime,rw,suid,dev,exec,auto,nouser,async,errors=remount-ro 0 1
- /dev/mapper/vg0-home /home ext4 relatime,rw,nosuid,nodev,exec,auto,nouser,async 0 2
- /dev/mapper/vg0-var /var ext4 nodiratime,rw,nosuid,dev,exec,auto,nouser,async 0 2
- /dev/mapper/vg0-swap none swap sw 0 0
- Some tools depend on /etc/mtab, which now is just a symbolic link
- # ln -sf /proc/self/mounts /etc/mtab
- Add a (new) hostname to the new system
- # echo yourhostname > /etc/hostname
- # hostname yourhostname
- Edit and add following line in /etc/hosts
- # 127.0.0.1 localhost.localdomain localhost
- # 127.0.1.1 yourhostname
- Set up your time zone:
- # dpkg-reconfigure tzdata
- Update /etc/apt/sources.list
- deb http://ftp.be.debian.org/debian stretch main contrib non-free
- deb-src http://ftp.be.debian.org/debian stretch main contrib non-free
- deb http://ftp.be.debian.org/debian stretch-updates main contrib non-free
- deb-src http://ftp.be.debian.org/debian stretch-updates main contrib non-free
- deb http://security.debian.org/ stretch/updates main contrib non-free
- deb-src http://security.debian.org/ stretch/updates main contrib non-free
- Install GRUB for BIOS booting
- # apt-get install grub-pc
- Configure locales
- # dpkg-reconfigure locales
- configure console data & keyboard
- # dpkg-reconfigure console-data
- # dpkg-reconfigure keyboard-configuration
- We only want our volume group vg0 to be activated by default, so add the following in the activation section of /etc/lvm/lvm.conf
- # vim /etc/lvm/lvm.conf
- # volume_list = [ "vg0" ]
- Configure GRUB in /etc/default/grub. GRUB_ENABLE_CRYPTODISK=y makes grub-install embed the cryptodisk and LUKS modules and grub-mkconfig emit the cryptomount line, which is what lets GRUB read an encrypted /boot.
- # Add: GRUB_ENABLE_CRYPTODISK=y
- # Edit TO: GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:lvm root=/dev/mapper/vg0-root crypto=sha512:aes-xts-plain64:512:0:"
- (Debian's initramfs-tools finds the container through the copy of /etc/crypttab inside the initrd, not through the kernel command line; cryptdevice= and crypto= are the syntax of Arch's mkinitcpio encrypt hook and are ignored here, so root=/dev/mapper/vg0-root is the part that matters.)
- # grub-mkconfig -o /boot/grub/grub.cfg
- # grub-install --target=i386-pc --recheck /dev/sda
- Expect to type the passphrase twice at boot: once in GRUB to reach /boot, and again in the initramfs, which opens the container a second time. Avoiding the second prompt takes a keyfile inside the initramfs and is outside the scope of this howto.
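- Two helpers for this step, added as an example (not code from the original paste): set_grub_var edits /etc/default/grub idempotently, so re-running the howto does not leave duplicate GRUB_ENABLE_CRYPTODISK lines, and grub_cfg_unlocks checks that the generated grub.cfg really contains the cryptomount line for the container, which is the thing to look at when GRUB later drops you into a rescue shell. The grub.cfg fragment in the demo is constructed and trimmed; that GRUB 2.02 writes the UUID after cryptomount -u without dashes is an assumption based on its generated configs, so compare with your own /boot/grub/grub.cfg.

```shell
#!/bin/sh
# Idempotent editing of /etc/default/grub plus a post-check of the generated
# grub.cfg (added example, not from the original paste). set_grub_var replaces
# an existing KEY=... line or appends one, so running it twice never leaves two
# GRUB_ENABLE_CRYPTODISK lines behind. grub_cfg_unlocks looks for what
# grub-mkconfig emits when /boot is on LUKS with GRUB 2.02: the cryptodisk and
# luks modules and a "cryptomount -u <uuid>" line, with the UUID undashed.

# Set $2 to $3 in the shell-style config file $1, replacing or appending.
set_grub_var() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # '|' as sed delimiter: values contain '/', ':' and '=' but no '|'
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# 0 when grub.cfg ($1) unlocks the container with the dashed UUID $2 (as
# blkid prints it) and loads the modules it needs for that; 1 otherwise.
grub_cfg_unlocks() {
    cfg=$1
    short=$(printf '%s' "$2" | tr -d '-')
    grep -q '^[[:space:]]*insmod cryptodisk' "$cfg" &&
    grep -q '^[[:space:]]*insmod luks' "$cfg" &&
    grep -q "^[[:space:]]*cryptomount -u ${short}" "$cfg"
}

# Constructed demo: a /etc/default/grub and a trimmed grub.cfg in a temp
# directory, so both functions can be exercised without touching the system.
# The UUID is the one shown in the howto.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
EOF
    set_grub_var "$tmp/grub" GRUB_ENABLE_CRYPTODISK y
    set_grub_var "$tmp/grub" GRUB_ENABLE_CRYPTODISK y   # second run: still one line
    set_grub_var "$tmp/grub" GRUB_CMDLINE_LINUX "root=/dev/mapper/vg0-root"
    cat > "$tmp/grub.cfg" <<'EOF'
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha512
insmod lvm
cryptomount -u c29155ab01d847ef9be2f40e26df1978
insmod ext2
set root='lvm/vg0-root'
EOF
    echo "$tmp"
}

# Real-system usage, after grub-mkconfig:
#   set_grub_var /etc/default/grub GRUB_ENABLE_CRYPTODISK y
#   grub_cfg_unlocks /boot/grub/grub.cfg "$(blkid -s UUID -o value /dev/sda2)" \
#       || echo "grub.cfg does not open the LUKS container"
```

Run grub_cfg_unlocks before rebooting: if the cryptomount line is missing, grub-mkconfig was run without GRUB_ENABLE_CRYPTODISK=y in place and GRUB will not be able to read /boot at all.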
- Let fsck fix problems automatically
- Change FSCKFIX to yes
- # vi /etc/default/rcS
- Get some very useful packages
- # apt-get install less ntpdate sudo
- Create a user for yourself, possibly make it an administrator
- # useradd -c "" -d /home/username -m -s /bin/bash username
- # passwd username
- # usermod -aG sudo username
- # usermod -aG adm username
- Disable root logins. Note that -d alone would leave root with an empty password (passwordless login); it is the -l that locks the account, and a plain passwd -l root is enough. Verify with passwd -S root, which must report L (locked).
- # passwd -dl root
- Leave the container
- # systemctl halt
- Chroot into the system (a plain chroot this time, to rebuild the initramfs)
- # mount -o bind /dev /target/dev
- # TERM=xterm-color LANG=C.UTF-8 chroot /target /bin/bash
- # mount -t proc proc /proc
- # mount -t sysfs sys /sys
- # mount -t devpts devpts /dev/pts
- <OPTIONAL
- # vi /etc/initramfs-tools/initramfs.conf
- Edit the file /etc/initramfs-tools/modules and add the modesetting for your graphics card:
- KMS (Intel HD5500)
- i915 modeset=1
- # apt-get install firmware-misc-nonfree
- OPTIONAL>
- Run update-initramfs for all installed kernels
- # update-initramfs -u -k all
- We want to double check that the initrd has all the pieces needed for a successful boot: the cryptsetup binary and its boot script, etc/lvm/lvm.conf and conf/conf.d/cryptroot (on stretch; buster and later write cryptroot/crypttab instead). Most critically, the cryptroot file must name the right UUID and target, otherwise the initramfs cannot open the container holding the root file system.
- # lsinitramfs /boot/initrd.img-* | grep -i lvm
- # lsinitramfs /boot/initrd.img-* | grep -i crypt
- # lsinitramfs /boot/initrd.img-* | grep sha512 (the hash and cipher kernel modules, sha512 and aes/xts, must be present too, unless built into the kernel)
- lsinitramfs only lists file names; to read the cryptroot file itself, unpack the image
- # unmkinitramfs /boot/initrd.img-* /tmp/initrd && cat /tmp/initrd/conf/conf.d/cryptroot
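- The checks behind the luksFormat step, the crypttab entry and this initramfs inspection, written out as a script (added example, not part of the original paste). It only parses captured text: a saved cryptsetup luksDump, /etc/crypttab and an initramfs unpacked with unmkinitramfs. It verifies that the header is LUKS1 with the cipher, mode, hash and key size chosen above, that crypttab points at the header's UUID under the same mapping name, that the initramfs carries a cryptroot config for that mapping, and whether discard was left in crypttab. The sample luksDump, crypttab and cryptroot lines are constructed (the UUID is the one shown in the howto); the exact field layout of the cryptroot file inside the initrd is an assumption, which is why the check only greps for the mapping name and UUID.

```shell
#!/bin/sh
# Post-install consistency checks for the LUKS container, /etc/crypttab and
# the initramfs cryptroot configuration (added example, not from the original
# paste). Everything parses captured text, so it can run in the chroot or on
# the booted system without touching block devices:
#   cryptsetup luksDump /dev/sda2 > /tmp/dump
#   unmkinitramfs /boot/initrd.img-* /tmp/initrd
# The expected cipher/hash/key size are those passed to luksFormat above.

# Value of a "Field:   value" line in luksDump output ($1=file $2=field).
luks_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# 0 if the header is LUKS1 with the parameters chosen at luksFormat time.
# GRUB 2.02 (stretch) cannot open LUKS2 at all, so "Version: 1" is the
# check that matters most for an encrypted /boot.
check_luks_dump() {
    rc=0
    for pair in "Version=1" "Cipher name=aes" "Cipher mode=xts-plain64" \
                "Hash spec=sha512" "MK bits=512"; do
        field=${pair%%=*}; want=${pair#*=}
        got=$(luks_field "$1" "$field")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $field: want '$want', got '${got:-<missing>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# 0 if the crypttab entry named $3 in file $2 points at the UUID of the
# container described by luksDump file $1.
check_crypttab_uuid() {
    hdr=$(luks_field "$1" UUID)
    tab=$(awk -v n="$3" '$1 == n { sub(/^UUID=/, "", $2); print $2 }' "$2")
    [ -n "$hdr" ] && [ "$hdr" = "$tab" ]
}

# 0 if crypttab ($1) passes discards through dm-crypt. The howto opts out
# of TRIM, so a hit here means that decision and the file disagree.
crypttab_has_discard() {
    awk '{ n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "discard") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# 0 if the unpacked initramfs ($1) carries a cryptroot config naming mapping
# $2 and UUID $3. Stretch writes conf/conf.d/cryptroot; buster and later
# write cryptroot/crypttab, so both locations are accepted.
check_initramfs_cryptroot() {
    for f in "$1/conf/conf.d/cryptroot" "$1/cryptroot/crypttab"; do
        [ -r "$f" ] || continue
        grep -qw "$2" "$f" && grep -q "$3" "$f" && return 0
    done
    return 1
}

# Constructed sample inputs so the checks can be exercised offline; the UUID
# is the one shown in the howto, the rest mimics cryptsetup 1.7 output.
make_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/dump" <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
UUID:           c29155ab-01d8-47ef-9be2-f40e26df1978

Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: DISABLED
EOF
    printf 'lvm UUID=c29155ab-01d8-47ef-9be2-f40e26df1978 none luks,discard\n' > "$tmp/crypttab"
    mkdir -p "$tmp/initrd/conf/conf.d"
    printf 'target=lvm,source=UUID=c29155ab-01d8-47ef-9be2-f40e26df1978,key=none,lvm=vg0-root\n' \
        > "$tmp/initrd/conf/conf.d/cryptroot"
    echo "$tmp"
}

# Self-demo on the constructed samples; on the real system pass /tmp/dump,
# /etc/crypttab and /tmp/initrd instead.
S=$(make_samples)
check_luks_dump "$S/dump" && check_crypttab_uuid "$S/dump" "$S/crypttab" lvm \
    && check_initramfs_cryptroot "$S/initrd" lvm "$(luks_field "$S/dump" UUID)" \
    && echo "sample config is consistent"
crypttab_has_discard "$S/crypttab" && echo "note: discard is enabled in crypttab"
```

A failed check_crypttab_uuid is the classic cause of the initramfs sitting at "Waiting for encrypted source device" forever: the UUID was copied from an LV or from the wrong partition instead of from blkid /dev/sda2.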
- Done; exit the chroot and unmount everything
- # sync
- # exit
- # umount /target/proc
- # umount /target/sys
- # umount /target/dev/pts
- # umount -l /target/dev
- # umount /target/home
- # umount /target/var
- # umount /target
- # vgchange -a n vg0
- # dmsetup ls (should show no vg0-* mappings left; if any remain, remove them by hand)
- (# dmsetup remove vg0-qemu)
- (# dmsetup remove vg0-root)
- (# dmsetup remove vg0-home)
- (# dmsetup remove vg0-usr) (only if you created the usr LV)
- (# dmsetup remove vg0-var)
- (# swapoff /dev/mapper/vg0-swap)
- (# dmsetup remove vg0-swap)
- # sudo cryptsetup luksClose lvm
- # reboot