In an increasingly interconnected world, data security is paramount. Whether you're a seasoned Linux user or just embarking on your journey with Debian, one of the most crucial steps you can take to protect your data is to enable disk encryption during the installation process.
Our motto here at Zack's is to give credit where credit is due. This time, we must credit Tj for writing a great how-to article on full disk encryption on Ubuntu Linux. This guide is a "rewrite" of Tj's guide, but it is suited for Debian minimal installations.
We will walk you through the steps to enable disk encryption during the Debian Linux minimal installation and cover everything you need to know to keep your data safe from unauthorized access. While disk encryption can be set up on any computer, it is most common on notebooks. Suppose someone steals your notebook with disk encryption in place: they will not be able to access the data on your disk, nor boot the operating system, without knowing the passphrase that unlocks the disk.
By the end of this tutorial, you'll have a fully functioning Debian Linux minimal system and the peace of mind that comes with knowing your data is secure. Let's dive in and ensure your Debian installation is fortified with the power of disk encryption.
Prerequisites
We will not go through a complete Debian Linux minimal installation, as we already have an article that covers that topic; you can find it at the link below this text:
You can follow that guide until the Disk Partitioning step, where we will start with the disk encryption configuration.
Before you start, make sure your computer or virtual machine is configured to start in UEFI mode. You can set that up in your computer's BIOS or in the virtual machine settings. Whether you install Debian on a real computer or a virtual machine using the Debian ISO image, once you boot from it, please select Advanced options from the installer menu, followed by Expert install. This way, you will ensure all installation options are available.
Disk Encryption Setup
Once you choose the language and locales and configure your keyboard, you will be presented with a menu option to Load installer components from installation media. Once there, please select (with the Space key on your keyboard) the following two options:
crypto-dm-modules
parted-udeb
Once selected, you can keep configuring all other options from the menu until you come to the Partition disks option. This is where you will start configuring the disk encryption.
Disk Partitioning - Stage 01
Once you configure everything and you've come to the Partition disks option in the Debian installer menu, please stop here:
Please do not press Enter once you reach the Partition disks option. Instead, scroll down to the Execute a shell option and press Enter there to continue:
Once you confirm you want to execute the shell, the installer will drop to that shell. Here, you need to first install two additional packages required for disk encryption setup. Execute the following to install those packages:
With the packages installed, you can start with disk partitioning. Presuming you have only one disk, it will be /dev/sda in the case of a mechanical disk (HDD) or solid-state drive (SSD), possibly /dev/vda if you use a virtual machine, or /dev/nvme0n1 if you have an NVMe drive. You can check by executing the lsblk command (look for sda, vda, or nvme0n1):
lsblk
Once you determine your disk device, you can execute parted to partition the disk. I will use /dev/sda as an example, but you should use the device from the lsblk output above:
parted /dev/sda
Here, you need to create your partitions. For UEFI systems, GUID Partition Table (GPT) is mandatory, so set that first:
mklabel gpt
For the partitions, you can create a "satisfy-all" basic set. Usually, I set the following partitions:
Boot partition - size 1GB
GRUB partition - size 2MB
EFI System partition - size 128MB
Root FS partition - rest of the space on the disk
You do not want to be in a situation where you're doing a distribution upgrade, and then it breaks because there is not enough room on your boot partition. Also, kernel sizes are getting bigger and bigger, so better safe than sorry.
To create the required partitions from above, please execute the following:
With partitions created, you can exit the parted by typing quit:
quit
To confirm all partitions are in place, you can execute blkid and you will get a result similar (if not identical) to the one on the image below:
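As an added example (these are not commands from the original guide), the helpers below print the parted command sequence for the layout above and derive the partition device names that cryptsetup will need, including the "p" suffix that NVMe disks use. Sizes are assumed as 1024MiB boot, 2MiB grub and 128MiB EFI-SP, starting at 1MiB for alignment.

```sh
#!/bin/sh
# Added example (not from the original guide): build the parted command sequence for the
# layout above and derive the partition device names that cryptsetup needs afterwards.
# Assumed sizes: boot 1024MiB, grub 2MiB, EFI-SP 128MiB, rootfs the rest, first partition at 1MiB.

# Kernel naming rule: a disk whose name ends in a digit (nvme0n1, mmcblk0) gets a "p"
# before the partition number; sda and vda do not.
partdev() {
  case "$1" in
    *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
    *)      printf '%s%s\n'  "$1" "$2" ;;
  esac
}

# Print one parted command per line; #2 is flagged bios_grub, #3 as the EFI System Partition.
layout_cmds() {
  boot=1024; grub=2; efi=128
  s1=1; e1=$((s1 + boot)); e2=$((e1 + grub)); e3=$((e2 + efi))
  printf '%s\n' \
    'mklabel gpt' \
    "mkpart boot ${s1}MiB ${e1}MiB" \
    "mkpart grub ${e1}MiB ${e2}MiB" \
    'set 2 bios_grub on' \
    "mkpart EFI-SP fat32 ${e2}MiB ${e3}MiB" \
    'set 3 esp on' \
    "mkpart rootfs ${e3}MiB 100%"
}

# Run as: sh layout.sh --apply /dev/sda   (destroys everything on that disk)
if [ "${1:-}" = "--apply" ]; then
  disk=$2
  layout_cmds | while IFS= read -r cmd; do
    # word-splitting of $cmd into parted's arguments is intended here
    parted -s "$disk" -- $cmd
  done
  echo "LUKS boot: $(partdev "$disk" 1)   rootfs: $(partdev "$disk" 4)"
fi
```

Without --apply the script only defines the helpers, so you can inspect the generated commands with layout_cmds before touching a disk.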
LUKS Encrypt
We will use LUKS (Linux Unified Key Setup) for full disk encryption... well, almost full. We will encrypt the boot and rootfs partitions, which not only encrypts all of the data on the disk but also prevents the computer from booting the operating system without the passphrase that unlocks the disk.
For the boot partition, you need to explicitly request LUKS version 1 when enabling encryption; otherwise, the GRUB boot loader will not be able to install to or unlock the encrypted device. To do so, while still in the shell, execute the following:
cryptsetup luksFormat --type=luks1 /dev/sda1
Once asked, type YES (in capital letters) to confirm the operations, and then type in a solid password, which will be used to unlock the boot partition. Now you will do the same for the rootfs partition. The only exception is you will use the default LUKS version 2. To do so, please execute the following:
cryptsetup luksFormat /dev/sda4
Again, confirm the operation by typing YES and use the same password you used for the boot partition. Now, you need to unlock both partitions to continue with the setup. To do it, please execute the following (use the same passphrase for both partitions when asked):
cryptsetup open /dev/sda1 LUKS_BOOT
cryptsetup open /dev/sda4 sda4_crypt
To confirm both partitions are open and in place, please execute ls /dev/mapper:
ls /dev/mapper/
control LUKS_BOOT sda4_crypt
After the Debian installation is finished, we will add key files to both devices so that you only have to type the passphrase once, for the boot partition. Afterward, the operating system will use the embedded key files to unlock the disk without user intervention.
In the next step, you must create the file systems on the boot and EFI-SP partitions yourself. Otherwise, the installer's partitioner will not let you write a file system to the unlocked boot device, because it has no partition table. To do so, please execute the following:
At this stage, you must create logical volumes for the root file system and the swap space. To do that, you will use the unlocked rootfs device (/dev/mapper/sda4_crypt). First, define a physical volume (PV):
pvcreate /dev/mapper/sda4_crypt
Now create a volume group (VG):
vgcreate vgdebian /dev/mapper/sda4_crypt
And last, create a logical volume for both root and swap:
In my example, I've created 1GB of swap space and used the rest of the available space for root. A rule of thumb is to create a swap space that equals the amount of RAM, but that is totally up to you. At this stage, you can exit the shell and return to the Debian installer. To exit the shell, just type exit:
exit
This will return you to the Debian installer.
Disk Partitioning - Stage 02
Once you're back in the Debian installer, scroll to Partition disks and press Enter to continue:
There, under LUKS_BOOT, select partition #1 and press Enter to continue:
Configure the partition per example on the picture below and confirm by selecting Done setting up the partition:
Under LV root, select partition #1:
Configure the root partition per example on the image below:
Under LV swap, select partition #1:
Configure swap space per example on the image below:
Under (sda), select partition #3 labeled grub:
Configure the grub partition per example on the picture below:
Last, under (sda), select partition #3 labeled EFI-SP:
Configure EFI-SP partition per example on the picture below:
With all partitions defined, you can now select Finish partitioning and write changes to the disk. When asked to confirm changes, select Yes and press Enter on your keyboard to continue:
System Install & GRUB Setup
Now that you have all partitions defined, a base system can be installed. To do so, select Install the base system from the menu and press Enter to continue:
During the installation, you will be asked which kernel to install. When asked, select linux-image-amd64. You will also be asked which drivers to include, and you can choose generic ones. Once the installation is done, you can skip Configure the package manager and Select and install software packages.
The next step is Install the GRUB boot loader, but before we can install it, we need to tell GRUB that we are using an encrypted disk. To do so, once again select Execute a shell from the main menu (press Enter to continue once you do):
Once in the shell, first, create the directory in which you will store the GRUB configuration snippet:
mkdir /target/etc/default/grub.d
With the directory in place, write the following content to a GRUB configuration snippet in that directory; it instructs the GRUB boot loader that the system is using an encrypted drive:
Now you can type exit to exit the shell and return to the Debian installer. Once there, select Install the GRUB boot loader and press Enter to continue:
Select Yes when asked to force GRUB installation to EFI removable media:
Select No when asked to update NVRAM variables:
Also, select No when asked to run os-prober automatically:
Post Install Steps
One might say that once GRUB is installed we are done with the setup, but we're not quite done yet. As a final step, you must add key files to the initramfs, which will automatically unlock the encrypted drive after the passphrase has been entered once. The key files and supporting scripts are added to the /boot/initrd.img-$VERSION files. This does not expose the key files, since they are themselves stored in the encrypted /boot/, which is unlocked by the GRUB boot loader (which asks you to type the passphrase); GRUB then loads the kernel and initrd.img into RAM before handing execution over to the kernel.
To do so, first once again drop down to shell:
Once in the shell, you need to create a chroot environment to be able to work with the newly installed OS. To do so, please execute the following:
mount /dev/mapper/vgdebian-root /target/root
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/root/$n; done
chroot /target/root
mount -a
In the chroot environment, execute the following commands:
Finally, update the initramfs images to add the cryptsetup unlocking scripts and the key file:
update-initramfs -u -k all
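As an added example, not the guide's own command list, the script below performs the key-file step described in this section and in the LUKS Encrypt section: it checks that /boot is LUKS1, generates a root-only key file, enrols it in both LUKS headers and writes the /etc/crypttab entries before rebuilding the initramfs. It assumes /dev/sda1 and /dev/sda4 with the mapper names LUKS_BOOT and sda4_crypt used on this page, and that the cryptsetup-initramfs package is present in the target system.

```sh
#!/bin/sh
# Added example, not the guide's own command list: the key-file step described above,
# split into testable helpers plus a root-only stage meant to run inside chroot /target/root.
# Assumptions: /boot is /dev/sda1 (LUKS1), rootfs is /dev/sda4 (LUKS2), mapper names
# LUKS_BOOT and sda4_crypt as on this page; adjust to your own lsblk output.

# Return the "Version:" field of `cryptsetup luksDump` output passed in as text.
luks_version() {
  printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'
}

# Create a 4096-byte random key file readable only by root, in a directory only root can enter.
make_keyfile() {
  mkdir -p "$(dirname "$1")"
  dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null
  chmod 0400 "$1"
  chmod 0500 "$(dirname "$1")"
}

# One /etc/crypttab line: <mapper name> UUID=<uuid> <key file> <options>.
# Append ",discard" for SSD TRIM only if revealing the free-space layout is acceptable to you.
crypttab_line() {
  printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

apply() {
  keyfile=/etc/luks/boot_os.keyfile
  boot_dev=/dev/sda1
  root_dev=/dev/sda4
  # GRUB, as set up on this page, unlocks LUKS1 only: stop if /boot was formatted otherwise.
  [ "$(luks_version "$(cryptsetup luksDump "$boot_dev")")" = 1 ] ||
    { echo "$boot_dev is not LUKS1; GRUB would not unlock it" >&2; return 1; }
  # cryptsetup-initramfs ships the hook that copies key files into the initramfs.
  [ -f /etc/cryptsetup-initramfs/conf-hook ] ||
    { echo "install cryptsetup-initramfs in the target first" >&2; return 1; }
  echo 'KEYFILE_PATTERN=/etc/luks/*.keyfile' >> /etc/cryptsetup-initramfs/conf-hook
  # Build initrd.img with mode 0600 so the embedded key is not readable by other users.
  echo 'UMASK=0077' >> /etc/initramfs-tools/initramfs.conf
  make_keyfile "$keyfile"
  # Enrol the key in both headers; you are prompted for the existing passphrase each time.
  cryptsetup luksAddKey "$boot_dev" "$keyfile"
  cryptsetup luksAddKey "$root_dev" "$keyfile"
  crypttab_line LUKS_BOOT  "$(blkid -s UUID -o value "$boot_dev")" "$keyfile" >> /etc/crypttab
  crypttab_line sda4_crypt "$(blkid -s UUID -o value "$root_dev")" "$keyfile" >> /etc/crypttab
  update-initramfs -u -k all
}

# Run as: sh keyfile.sh --apply   (only inside the chroot, as root)
if [ "${1:-}" = "--apply" ]; then apply; fi
```

After rebooting, ls -l /boot/initrd.img-* should show mode 0600; if it does not, the UMASK setting did not take effect and the key inside the image is readable by any local user.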
At this stage, type exit twice to return to the Debian installer, and once there, select Finish the installation. Your computer will reboot, and once it does, you will be asked to type in the passphrase to decrypt your disk:
The standard boot will continue right after you enter the correct passphrase. Make sure you remember it or write it down somewhere safe because if you forget it, let's say that retrieving your data will be virtually impossible. With this, we will finish this guide. I hope you liked it, and many thanks for reading.