Installing Debian with encrypted boot using GRML

A couple of days ago an interesting step-by-step guide on how to install Debian with full disk encryption, including /boot, using debian-installer was posted on the debian-boot mailing list. This reminded me of the steps I used and wrote down a couple of months ago to create a similar setup. These steps describe a full-disk (including /boot) encrypted setup on a non-coreboot-enabled system using the great grml live distro. (And just to be sure, I redid the same setup on a test device with the newest grml release, Gnackwatschn.)

The first step was to set up the network using grml-network, after which I started by preparing the disk. I wiped the disk's old partition table using sgdisk(8) and then created a 512MB EFI System partition and used the rest of the disk for a Linux partition:

sgdisk --zap-all /dev/sda
sgdisk -n1:1M:+512M -t1:EF00 /dev/sda
sgdisk -n2:0:0 -t2:8300 /dev/sda

Then I initialized the LUKS partition, set a passphrase and opened the LUKS device. One caveat worth checking before going further: GRUB can only unlock LUKS1 headers (GRUB 2.06 and later also handle LUKS2, but only with PBKDF2 keyslots, not argon2). cryptsetup 2.1.0 and later default to LUKS2, so on a newer live system pass --type luks1 to luksFormat, and verify with cryptsetup luksDump that the header says Version: 1.

cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 sda2_crypt

The LUKS device is then used to create an LVM volume group, which in this example is called vg-2560p. In that volume group I created a logical volume for the root filesystem:

pvcreate /dev/mapper/sda2_crypt
vgcreate vg-2560p /dev/mapper/sda2_crypt
lvcreate -L 120G vg-2560p -n root

The next step was to create an ext4 filesystem on the root volume and a FAT32 filesystem with the label EFI on the EFI System partition:

mkfs.ext4 /dev/vg-2560p/root
mkdosfs -F 32 -n EFI /dev/sda1

I then mounted the root volume, debootstrapped buster onto it, mounted the EFI partition and bind-mounted /dev, /proc, /sys and /run into the new system:

mount /dev/vg-2560p/root /mnt
debootstrap buster /mnt http://deb.debian.org/debian
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
mount --rbind /dev /mnt/dev/
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /run /mnt/run

After that I used chroot(8) to change into the buster installation and do some initial configuration. I first told apt(8) not to install recommended packages (apt.conf values must be double-quoted), then refreshed the package lists and installed a kernel, grub, cryptsetup, lvm2 and sudo:

chroot /mnt /bin/bash
echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/local-recommends
apt update
apt install linux-image-amd64 cryptsetup lvm2 grub-efi-amd64 sudo

On the new system, the /etc/fstab file is empty, so I added the filesystems, and I also added information about the encrypted disk to the /etc/crypttab file. The initramfs option makes sure the device is unlocked from the initramfs even though it is not strictly the root device; the discard option passes TRIM through to the SSD, which reveals to anyone with the raw disk which blocks are unused, so leave it out if that matters to you:

echo PARTUUID=$(blkid -s PARTUUID -o value /dev/sda1) /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab
echo UUID=$(blkid -s UUID -o value /dev/mapper/vg--2560p-root) / ext4 defaults 0 1 >> /etc/fstab
echo sda2_crypt PARTUUID=$(blkid -s PARTUUID -o value /dev/sda2) none luks,discard,initramfs >> /etc/crypttab

I also had to tell grub to enable device decryption, rebuild the initramfs and install grub to the ESP. Be clear about what this buys: the kernel and initramfs now live inside the LUKS container, but the GRUB image itself sits on the unencrypted ESP and nothing in this setup verifies it, so someone with physical access can still replace it (that is the gap coreboot or Secure Boot is meant to close). Also expect to enter the passphrase twice, once for GRUB and once for the initramfs:

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
update-initramfs -c -k all
update-grub
grub-install --target=x86_64-efi

The final step, which I forget nearly every time when I install a system using debootstrap(8), was to add a user account:

adduser bisco
adduser bisco sudo
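Before rebooting out of the chroot it is worth checking that the pieces above actually line up, since a missing crypttab option or a LUKS2 header only shows up as a boot failure. The following shell functions are an added example and not part of the original post: they assume the new system is still mounted under /mnt and the LUKS container is /dev/sda2 as above, and the header check reads cryptsetup luksDump output from stdin so it can be exercised without a block device.

```shell
#!/bin/sh
# Post-install sanity checks for the encrypted-/boot layout built above.
# Added example, not from the original post. Paths assume the chroot is
# still mounted under $ROOT (e.g. /mnt); each check returns 0 on success
# and prints the reason on failure.

# GRUB must be told to look for LUKS containers, or it never tries to
# read the encrypted /boot.
check_grub_cryptodisk() {
    root=$1
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y missing from $root/etc/default/grub"; return 1; }
}

# Every crypttab entry needs "luks" and "initramfs"; without the latter the
# initramfs hooks may skip the device and the second unlock never happens.
check_crypttab() {
    root=$1
    found=0
    while read -r name src key opts; do
        case $name in ''|\#*) continue ;; esac
        found=1
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$name: 'luks' option missing"; return 1 ;;
        esac
        case ",$opts," in
            *,initramfs,*) ;;
            *) echo "$name: 'initramfs' option missing"; return 1 ;;
        esac
    done < "$root/etc/crypttab"
    [ "$found" -eq 1 ] || { echo "no entries in $root/etc/crypttab"; return 1; }
}

# The ESP must hold the image grub-install wrote. This is the one
# unencrypted, unverified piece of the chain, so know exactly what is there.
check_efi_image() {
    root=$1
    [ -f "$root/boot/efi/EFI/debian/grubx64.efi" ] ||
        { echo "no grubx64.efi under $root/boot/efi/EFI/debian"; return 1; }
}

# GRUB opens LUKS1, and (from GRUB 2.06) LUKS2 only when the keyslot uses
# PBKDF2; argon2 keyslots cannot be unlocked by GRUB at all.
# Reads `cryptsetup luksDump <dev>` output on stdin.
luks_grub_compatible() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    case $version in
        1) return 0 ;;
        2)
            if printf '%s\n' "$dump" | grep -qi 'PBKDF:.*argon2'; then
                echo "LUKS2 with argon2 keyslot: GRUB cannot unlock it" \
                     "(use --type luks1 or --pbkdf pbkdf2)"
                return 1
            fi
            return 0 ;;
        *) echo "unrecognised LUKS header (Version: '$version')"; return 1 ;;
    esac
}

# All filesystem-level checks against a mounted root. The LUKS header check
# is run separately because it needs the raw device.
check_install() {
    root=$1
    check_grub_cryptodisk "$root" &&
    check_crypttab "$root" &&
    check_efi_image "$root"
}

# Usage, as root, with the chroot still mounted:
#   check_install /mnt && cryptsetup luksDump /dev/sda2 | luks_grub_compatible
```

If luks_grub_compatible complains, reformatting is the only fix: GRUB has no way to read an argon2 keyslot, and the error at boot is just a generic "no such cryptodisk found".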

PS: On the laptop I installed a couple of months ago, I had to set the path to the EFI Grub file (\EFI\debian\grubx64.efi) in the BIOS. On the laptop I used to reproduce the above steps, I didn't find that setting in the BIOS (it's from 2011, maybe a BIOS update would have helped), but I was able to choose the file during boot.