base-system-debootstrap

a guest
Jul 21st, 2016
[Created by zifxify aka krabs]

System specs: Dell E5550
SSD: Samsung PM871 (256GB)

Target layout (lsblk):

sda                8:0    0 238.5G  0 disk
├─sda1             8:1    0     1M  0 part
└─sda2             8:2    0 219.7G  0 part
  └─lvm          254:0    0 219.7G  0 crypt
    ├─vg0-swap   254:1    0     8G  0 lvm   [SWAP]
    ├─vg0-qemu   254:2    0    60G  0 lvm   --> will be used for KVM machines
    ├─vg0-root   254:3    0    45G  0 lvm   /
    ├─vg0-home   254:4    0    60G  0 lvm   /home
    └─vg0-var    254:5    0    20G  0 lvm   /var
  15.  
This howto requires that you install the system in BIOS/legacy boot mode (GPT with a protective MBR); if you have a recent system, be sure to switch to legacy booting in the firmware setup.
I don't like UEFI at all; besides that, the underlying UEFI OEM firmware implementation is also vulnerable on a lot of systems (google ThinkPwn).
We will still be using GPT partitioning, as GRUB supports embedding its core image (what GRUB legacy called the stage 1.5 loader) in an unformatted partition flagged bios_grub (gdisk type ef02).

This howto covers the base installation of a fully encrypted Debian system (LVM on LUKS, including /boot).
Only a pure Debian base system will be created (originally for laptop use; edit the debootstrap package list for a workstation installation), so it's up to you to install and configure additional software packages.
Originally /usr was also on a separate LV (so it could be mounted read-only and remounted only when installing or upgrading the system), but I had problems creating an initramfs that would mount it successfully, so /usr wasn't mounted in early userspace.
The system will still boot that way, but it's not the recommended setup: https://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken/
I also left some free space in the VG (circa 25GB).
  25.  
  26.  
Download the current Debian standard live ISO (iso-hybrid version) and boot it
----------------------------------------

Login shell

# login: user   password: live

Get a DHCP lease (if not connected yet)

# sudo dhclient -v eth0

Update the live system

# sudo apt-get update && sudo apt-get upgrade

Configure the keyboard

# sudo apt-get install console-data (I'm using azerty as default)
# sudo dpkg-reconfigure keyboard-configuration

Configure time zone

# sudo dpkg-reconfigure tzdata (I like to work in an environment with the correct time :) )
  50.  
  51.  
PREPARING DISK
--------------

Install gdisk and find the target disk

# sudo apt-get install gdisk
# lsblk                 (lists the disks; pick the right one)
# sudo gdisk /dev/sdX

Create a new GPT partition table

# enter o

Create the BIOS boot partition (GRUB embeds its core image here)

# enter n, enter, enter, +1MiB, ef02

Create the LUKS/LVM partition, leaving 19242 MB unpartitioned

# enter n, enter, enter, -19242MB, 8e00
  (about 7% extra over-provisioning. I will not enable TRIM and trust the SSD firmware to do its job; if you have an old SSD you will likely want to enable trimming, at the cost of eventually leaking which blocks of the encrypted container are unused/free)

Write the changes to disk

# enter w

Set the boot flag on the protective MBR partition (type 0xEE). This is not always needed (a Packard Bell EasyNote TK81 just worked fine without it), but some BIOSes refuse to boot a GPT disk without it, so set the flag just in case.

# sudo apt-get install parted
# sudo parted /dev/sda disk_toggle pmbr_boot

Install haveged (more entropy), cryptsetup and lvm2

# sudo apt-get install haveged cryptsetup lvm2

Create the LUKS encrypted container on the "system" partition. Choose a passphrase whose keys sit in the same place in your layout as in the US layout, because the US keymap is the only one available at the GRUB decrypt prompt (see the GRUB manual). The GRUB of this era (2.02) can only unlock LUKS1 headers; the cryptsetup shipped at the time creates LUKS1 by default, but cryptsetup 2.1 and later default to LUKS2, so on a newer live system add --type luks1 to the command below.

# sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2

Open the container (the mapping name "lvm" is reused in /etc/crypttab later)

# sudo cryptsetup luksOpen /dev/sda2 lvm
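
Before building on top of the container it is worth confirming that the header really carries the parameters you asked for and is LUKS1 (a LUKS2 header would only be noticed when GRUB fails to find the volume). The following is an added example, not part of the original howto: a small shell check that parses `cryptsetup luksDump` output. The luksDump samples embedded in it are constructed to look like the LUKS1 header the command above produces and like a default LUKS2 header; the function name `check_luks_header` and the `field` helper are mine.

```shell
#!/bin/sh
# Added example, not from the original howto: check a LUKS header against the
# parameters chosen above (aes-xts-plain64, 512-bit key, sha512) and make sure
# it is LUKS1, the only format GRUB 2.02's cryptomount can unlock.
# check_luks_header reads `cryptsetup luksDump` output on stdin, so it can be
# exercised offline on the constructed samples below; on the real disk run
#   sudo cryptsetup luksDump /dev/sda2 | check_luks_header

# check_luks_header [CIPHER [MODE [KEYBITS [HASH]]]]  -> 0 if the header matches
check_luks_header() {
    want_cipher=${1:-aes}; want_mode=${2:-xts-plain64}; want_bits=${3:-512}; want_hash=${4:-sha512}
    dump=$(cat)
    rc=0

    # field NAME: value of the "NAME:   value" line of the dump, whitespace stripped
    field() { printf '%s\n' "$dump" | awk -F: -v f="$1" '$1 == f { gsub(/[ \t]/, "", $2); print $2; exit }'; }

    version=$(field "Version")
    if [ "$version" != "1" ]; then
        echo "FAIL: LUKS version '${version:-unknown}'; GRUB needs a LUKS1 header (luksFormat --type luks1)" >&2
        return 1
    fi

    cipher=$(field "Cipher name"); mode=$(field "Cipher mode")
    hash=$(field "Hash spec");     bits=$(field "MK bits")

    [ "$cipher" = "$want_cipher" ] || { echo "FAIL: cipher '$cipher', wanted '$want_cipher'" >&2; rc=1; }
    [ "$mode" = "$want_mode" ]     || { echo "FAIL: cipher mode '$mode', wanted '$want_mode'" >&2; rc=1; }
    [ "$bits" = "$want_bits" ]     || { echo "FAIL: master key is $bits bits, wanted $want_bits" >&2; rc=1; }
    [ "$hash" = "$want_hash" ]     || { echo "FAIL: hash '$hash', wanted '$want_hash'" >&2; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: LUKS1 $cipher-$mode, $bits-bit master key, $hash"
    return "$rc"
}

# Constructed sample: abbreviated LUKS1 header as the luksFormat above writes it
LUKS1_DUMP='LUKS header information for /dev/sda2

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha512
Payload offset:	4096
MK bits:       	512
MK iterations: 	81250
UUID:          	c29155ab-01d8-47ef-9be2-f40e26df1978

Key Slot 0: ENABLED
	Iterations:         	1300000
Key Slot 1: DISABLED'

# Constructed sample: the LUKS2 header a newer cryptsetup writes by default
LUKS2_DUMP='LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	c29155ab-01d8-47ef-9be2-f40e26df1978'

# Demo on the constructed samples (the LUKS2 one is expected to fail)
printf '%s\n' "$LUKS1_DUMP" | check_luks_header
printf '%s\n' "$LUKS2_DUMP" | check_luks_header || true
```

The check returns non-zero as soon as the version is not 1, and otherwise reports every mismatching parameter before failing, so one run tells you everything that differs from what you intended.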
  92.  
  93.  
PREPARING LOGICAL VOLUMES
-------------------------

Create a physical volume on top of the opened LUKS container

# sudo pvcreate /dev/mapper/lvm

Create the volume group vg0, adding the physical volume to it

# sudo vgcreate vg0 /dev/mapper/lvm

Create your logical volumes on the volume group (the 30GiB usr LV was dropped because it needs a custom initramfs pre-mount, too much hassle to create one at the moment)

# sudo lvcreate -L 8GiB -n swap vg0
# sudo lvcreate -L 60GiB -n qemu vg0   --> used only for KVM; if not needed there is no reason to create it
# sudo lvcreate -L 45GiB -n root vg0
# sudo lvcreate -L 60GiB -n home vg0
# sudo lvcreate -L 20GiB -n var vg0

(alternatively, one LV taking all the remaining space instead of leaving it free: # sudo lvcreate -l 100%FREE -n debian vg0)

Create the filesystems and swap space with human-readable labels

# sudo su
# for i in root home var; do mkfs.ext4 -L $i /dev/mapper/vg0-$i; done
# exit

# sudo mkswap -L swap /dev/mapper/vg0-swap

Mount the logical volumes under /target

# sudo mkdir /target
# sudo mount -o noatime,rw,suid,dev,exec,auto,nouser,async,errors=remount-ro /dev/mapper/vg0-root /target
# sudo mkdir /target/home
# sudo mkdir /target/var

# sudo mount -o relatime,rw,nosuid,nodev,exec,auto,nouser,async /dev/mapper/vg0-home /target/home
# sudo mount -o nodiratime,rw,nosuid,dev,exec,auto,nouser,async /dev/mapper/vg0-var /target/var
  133.  
  134.  
List the keys in the Debian archive keyring (debootstrap uses it to verify the Release file it downloads)

# sudo gpg /usr/share/keyrings/debian-archive-keyring.gpg

Install Debian (debootstrap)

# sudo apt-get install debootstrap
# sudo debootstrap --arch amd64 --variant=minbase \
    --include=systemd,systemd-sysv,dbus,busybox,initramfs-tools,makedev,cryptsetup,lvm2,linux-image-amd64,kbd,console-setup,console-data,pciutils,lshw,dialog,locales,mc,netbase,ethtool,ifplugd,ifupdown,kmod,iproute,iputils-ping,apt-utils,wget,net-tools,isc-dhcp-client,isc-dhcp-common,vim,haveged,gdisk,wireless-tools,acpi-support,cpufrequtils,acpi,wpasupplicant,powertop,acpid,apmd,anacron \
    stretch /target http://ftp.be.debian.org/debian
  143.  
  144.  
Enter the new system with systemd-nspawn, set the root password, then boot it as a container. (GRUB is installed this way; the initramfs is updated in a normal chroot later.)
(The reason I update GRUB this way is that it will not complain about systemd services (lvmetad, for example) which cannot be started from a plain chroot.)

First set a root password before we actually boot the container:

# sudo systemd-nspawn -D /target
# passwd root
# exit
# sudo systemd-nspawn -b -D /target

Inside the container, make the /dev/mapper block devices and the disk partitions visible

# dmsetup mknodes
# mknod /dev/sda b 8 0
# mknod /dev/sda1 b 8 1
# mknod /dev/sda2 b 8 2
  161.  
  162.  
Get the UUID of the LUKS container

# blkid /dev/sda2 -> UUID=c29155ab-01d8-47ef-9be2-f40e26df1978

Create the crypttab entry (the target name "lvm" must match the name used with luksOpen above)

# echo 'lvm UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,discard' >> /etc/crypttab

Note: the "discard" option passes TRIM through the encrypted layer, which is exactly the unused-space leak the over-provisioning choice above was meant to avoid; drop it if you do not want TRIM.

# apt-get update && apt-get upgrade

Create the filesystem table in /etc/fstab (do not use LABEL= entries here; /dev/mapper/ paths and UUIDs do work correctly)

# <fs> <mountpoint> <type> <opts> <dump/pass>

#tmpfs /tmp tmpfs relatime,rw,nosuid,nodev,noexec,auto,nouser,async 0 0
#shm /dev/shm tmpfs relatime,rw,nosuid,nodev,noexec,auto,nouser,async 0 0

/dev/mapper/vg0-root / ext4 noatime,rw,suid,dev,exec,auto,nouser,async,errors=remount-ro 0 1
/dev/mapper/vg0-home /home ext4 relatime,rw,nosuid,nodev,exec,auto,nouser,async 0 2
/dev/mapper/vg0-var /var ext4 nodiratime,rw,nosuid,dev,exec,auto,nouser,async 0 2
/dev/mapper/vg0-swap none swap sw 0 0

Some tools depend on /etc/mtab, which nowadays is just a symbolic link

# ln -sf /proc/self/mounts /etc/mtab
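
Both files above are typed by hand, and a typo in either one (a wrong mapping name, a misspelled LV, a UUID copied badly) only shows up as a dropped-to-initramfs prompt on the first boot. As an added example that is not part of the original howto, here is a shell check that cross-checks /etc/crypttab and /etc/fstab against the names created earlier in this howto. The function names (`check_boot_config`, `run_check`, the `sample_*` generators) and the embedded sample files are mine; the samples mirror the lines written above, with the UUID blkid printed, and two constructed typo variants.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check the hand-written
# /etc/crypttab and /etc/fstab before leaving the container. A typo in either
# file drops the next boot into the initramfs shell, so check that:
#   * crypttab has exactly one entry, its target is "lvm" (the luksOpen name
#     the PV lives on) and its source is the UUID blkid reported for /dev/sda2;
#   * every ext4/swap entry in fstab is a /dev/mapper/vg0-NAME path naming one
#     of the LVs created above (LABEL= entries do not resolve here);
#   * pass numbers are 1 for /, 0 for swap and 2 for the other filesystems.
# Inside the container run:
#   check_boot_config /etc/crypttab /etc/fstab "$(blkid -s UUID -o value /dev/sda2)"

CREATED_LVS="swap qemu root home var"   # names given to lvcreate above

# check_boot_config CRYPTTAB FSTAB UUID -> 0 when both files are consistent
check_boot_config() {
    crypttab=$1; fstab=$2; uuid=$3; rc=0

    # --- crypttab: exactly one entry, target "lvm", source is our UUID
    n=$(grep -cvE '^[[:blank:]]*(#|$)' "$crypttab" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: crypttab has $n entries, expected exactly 1" >&2; rc=1; }
    target=$(awk '!/^[ \t]*(#|$)/ { print $1; exit }' "$crypttab")
    source=$(awk '!/^[ \t]*(#|$)/ { print $2; exit }' "$crypttab")
    [ "$target" = "lvm" ] || { echo "FAIL: crypttab target '$target', expected 'lvm'" >&2; rc=1; }
    [ "$source" = "UUID=$uuid" ] || { echo "FAIL: crypttab source '$source', expected 'UUID=$uuid'" >&2; rc=1; }

    # --- fstab: every ext4/swap device is a created LV with a sane pass number
    while read -r dev mnt type opts dump pass; do
        case $dev in ''|\#*) continue ;; esac            # skip blanks and comments
        case $type in ext4|swap) ;; *) continue ;; esac   # tmpfs etc. are not on LVs
        case $dev in
            /dev/mapper/vg0-*)
                name=${dev#/dev/mapper/vg0-}
                case " $CREATED_LVS " in
                    *" $name "*) ;;
                    *) echo "FAIL: $dev ($mnt) is not one of the created LVs: $CREATED_LVS" >&2; rc=1 ;;
                esac ;;
            *) echo "FAIL: $dev ($mnt) should be a /dev/mapper/vg0-* path" >&2; rc=1 ;;
        esac
        want=2
        [ "$mnt" = "/" ] && want=1
        [ "$type" = "swap" ] && want=0
        [ "${pass:-x}" = "$want" ] || { echo "FAIL: $mnt has pass '$pass', expected $want" >&2; rc=1; }
    done < "$fstab"

    [ "$rc" -eq 0 ] && echo "OK: crypttab and fstab are consistent"
    return "$rc"
}

SAMPLE_UUID=c29155ab-01d8-47ef-9be2-f40e26df1978   # the UUID blkid printed above

# Constructed sample files mirroring the lines written in the steps above
sample_crypttab() { printf 'lvm UUID=%s none luks\n' "$SAMPLE_UUID"; }
sample_fstab() {
cat <<'EOF'
# <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/mapper/vg0-root / ext4 noatime,rw,suid,dev,exec,auto,nouser,async,errors=remount-ro 0 1
/dev/mapper/vg0-home /home ext4 relatime,rw,nosuid,nodev,exec,auto,nouser,async 0 2
/dev/mapper/vg0-var /var ext4 nodiratime,rw,nosuid,dev,exec,auto,nouser,async 0 2
/dev/mapper/vg0-swap none swap sw 0 0
EOF
}
# Constructed typos of the kind that make the next boot fail
sample_crypttab_bad() { printf 'cryptlvm UUID=%s none luks\n' "$SAMPLE_UUID"; }
sample_fstab_bad() { sample_fstab | sed 's|vg0-root / ext4|vg0-roo / ext4|; s|/home ext4 \(.*\) 0 2|/home ext4 \1 0 1|'; }

# run_check CRYPTTAB_FN FSTAB_FN: write the generated samples to temp files and check them
run_check() {
    c=$(mktemp); f=$(mktemp)
    "$1" > "$c"; "$2" > "$f"
    check_boot_config "$c" "$f" "$SAMPLE_UUID" && rc=0 || rc=$?
    rm -f "$c" "$f"
    return "$rc"
}

run_check sample_crypttab sample_fstab
```

The tmpfs lines are skipped on purpose: only entries that must resolve to a device-mapper node in the initramfs are checked, which is where the "no labels" remark above bites.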
  188.  
Set the hostname of the new system

# echo yourhostname > /etc/hostname
# hostname yourhostname

Add the following lines to /etc/hosts

127.0.0.1 localhost.localdomain localhost
127.0.1.1 yourhostname

Set up your time zone

# dpkg-reconfigure tzdata

Update /etc/apt/sources.list

deb http://ftp.be.debian.org/debian stretch main contrib non-free
deb-src http://ftp.be.debian.org/debian stretch main contrib non-free

deb http://ftp.be.debian.org/debian stretch-updates main contrib non-free
deb-src http://ftp.be.debian.org/debian stretch-updates main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
  213.  
# apt-get install grub-pc

Configure locales

# dpkg-reconfigure locales

Configure console data & keyboard

# dpkg-reconfigure console-data
# dpkg-reconfigure keyboard-configuration

We only want our volume group vg0 to be activated by default, so add the following in the activation section of /etc/lvm/lvm.conf

# vim /etc/lvm/lvm.conf
volume_list = [ "vg0" ]

Configure GRUB in /etc/default/grub

Add:     GRUB_ENABLE_CRYPTODISK=y
Edit to: GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:lvm root=/dev/mapper/vg0-root crypto=sha512:aes-xts-plain64:512:0:"

GRUB_ENABLE_CRYPTODISK=y is what makes grub-install embed the cryptodisk and LUKS modules in core.img, so GRUB can ask for the passphrase and read /boot from inside the container. Note that cryptdevice= and crypto= are mkinitcpio (Arch) kernel parameters; Debian's initramfs-tools ignores them and unlocks the root device from the crypttab copy it carries (conf/conf.d/cryptroot, which is why that file is checked with lsinitramfs below), so root= is the part that matters here.

# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=i386-pc --recheck /dev/sda
  239.  
Let fsck fix problems automatically: set FSCKFIX=yes in /etc/default/rcS

# vi /etc/default/rcS

Get some very useful packages

# apt-get install less ntpdate sudo

Create a user for yourself and make it an administrator

# useradd -c "" -d /home/username -m -s /bin/bash username
# passwd username
# usermod -aG sudo username
# usermod -aG adm username

Disable root logins (delete and lock the root password)

# passwd -dl root

Shut the container down

# systemctl halt
  263.  
Chroot into the system (back on the live system)

# sudo mount -o bind /dev /target/dev
# sudo TERM=xterm-color LANG=C.UTF-8 chroot /target /bin/bash
# mount -t proc proc /proc
# mount -t sysfs sys /sys
# mount -t devpts devpts /dev/pts

<OPTIONAL

# vi /etc/initramfs-tools/initramfs.conf

Edit /etc/initramfs-tools/modules and add the kernel modesetting module for your graphics card, e.g. for an Intel HD 5500 (i915):

i915 modeset=1

# apt-get install firmware-misc-nonfree

OPTIONAL>

Run update-initramfs

# update-initramfs -u -k all

We want to double check that the initramfs has all the important pieces for a successful boot (etc/lvm/lvm.conf, conf/conf.d/cryptroot, the cryptsetup and lvm binaries, the dm-crypt and cipher modules).
All these files need to be there. Most critically, check that the cryptroot file has the right information to access the root file system.

# lsinitramfs /boot/initrd.img-* | grep lvm
# lsinitramfs /boot/initrd.img-* | grep cryptroot
# lsinitramfs /boot/initrd.img-* | grep -e sha512 -e xts -e dm-crypt
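
Eyeballing grep output is easy to get wrong when several greps are involved, so here is the same verification as one pass/fail function. This is an added example, not part of the original howto: `check_initramfs_listing` (my name) reads an lsinitramfs listing on stdin and names every required piece that is absent. The embedded listing is a constructed excerpt of what a stretch initramfs built by these steps contains; the kernel version in it is illustrative.

```shell
#!/bin/sh
# Added example, not from the original howto: turn the lsinitramfs greps above
# into one pass/fail check. check_initramfs_listing reads an `lsinitramfs`
# listing on stdin and reports every piece an encrypted-LVM root needs that is
# missing: the lvm.conf and crypttab copies, the cryptroot boot script, the
# cryptsetup and lvm binaries, and the dm-crypt, xts, sha512 and aes modules.
# (Debian stretch stores the crypttab copy as conf/conf.d/cryptroot; buster and
# later use cryptroot/crypttab, both are accepted.) On the real system run:
#   lsinitramfs /boot/initrd.img-$(uname -r) | check_initramfs_listing

check_initramfs_listing() {
    listing=$(cat); rc=0
    # "description|extended regex" pairs; the .ko patterns have no $ so .ko.xz also matches
    for item in \
        'lvm.conf|^(\./)?etc/lvm/lvm\.conf$' \
        'crypttab copy|^(\./)?(conf/conf\.d/cryptroot|cryptroot/crypttab)$' \
        'cryptroot boot script|^(\./)?scripts/local-top/cryptroot$' \
        'cryptsetup binary|(^|/)sbin/cryptsetup$' \
        'lvm binary|(^|/)sbin/lvm$' \
        'dm-crypt module|/dm-crypt\.ko' \
        'xts module|/xts\.ko' \
        'sha512 module|/sha512[^/]*\.ko' \
        'aes module|/aes[^/]*\.ko'
    do
        name=${item%%|*}; pattern=${item#*|}
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            echo "MISSING: $name (no entry matching $pattern)" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: initramfs contains the cryptsetup and LVM pieces needed for an encrypted root"
    return "$rc"
}

# Constructed sample: the relevant lines of an lsinitramfs listing from a
# stretch system built as above (unrelated entries left out)
SAMPLE_LISTING='.
bin/busybox
conf/conf.d/cryptroot
conf/initramfs.conf
etc/lvm/lvm.conf
lib/modules/4.9.0-3-amd64/kernel/arch/x86/crypto/aes-x86_64.ko
lib/modules/4.9.0-3-amd64/kernel/arch/x86/crypto/aesni-intel.ko
lib/modules/4.9.0-3-amd64/kernel/crypto/aes_generic.ko
lib/modules/4.9.0-3-amd64/kernel/crypto/sha512_generic.ko
lib/modules/4.9.0-3-amd64/kernel/crypto/xts.ko
lib/modules/4.9.0-3-amd64/kernel/drivers/md/dm-crypt.ko
sbin/cryptsetup
sbin/lvm
scripts/local-top/cryptroot
scripts/local-top/lvm2'

printf '%s\n' "$SAMPLE_LISTING" | check_initramfs_listing
```

Presence of the crypttab copy does not prove its contents are right; after this check passes, unpack the image or read conf/conf.d/cryptroot to confirm it names target "lvm" and the UUID from blkid.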
  296.  
Done. Exit the chroot and unmount everything

# sync
# exit
# sudo umount /target/proc
# sudo umount /target/sys
# sudo umount /target/dev/pts
# sudo umount -l /target/dev

# sudo umount /target/home
# sudo umount /target/var
# sudo umount /target

# sudo vgchange -a n vg0
# sudo dmsetup ls

If dmsetup ls still shows vg0-* mappings, remove them by hand:

(# sudo dmsetup remove vg0-qemu)
(# sudo dmsetup remove vg0-root)
(# sudo dmsetup remove vg0-home)
(# sudo dmsetup remove vg0-var)

(# sudo swapoff /dev/mapper/vg0-swap)
(# sudo dmsetup remove vg0-swap)

# sudo cryptsetup luksClose lvm

# sudo reboot