Update 2017-06-29: I've done an updated version of this tutorial with Debian Stretch. The updated version is simplified, it uses the graphical installer and guided partitioning. However, if you want to manually partition your disks, this tutorial will still work for Debian Stretch.
This is part 2 of a two part post, part 1 is a bit of a primer about Full Disk Encryption on Linux.
I should point out that in the tutorial I say "Full" disk encryption, but that's not entirely correct: there is still a small unencrypted partition, /boot. It contains your kernel, grub config and initrd, and it has to be unencrypted so the machine can start booting and then decrypt the rest of the OS. If you're thinking "But then someone with physical access could replace my kernel with a backdoored one", you're absolutely correct. It's called an "Evil Maid Attack"1 and Matthew Garrett has some good write-ups on them. There are ways to protect against such attacks, such as using a Trusted Platform Module to only boot a signed kernel, or burning your /boot partition to a CD-R so it can't be changed, but they are out of scope for this tutorial.
For this tutorial I'm going to assume you're familiar with the Debian installer, and I'm really only going to cover the bits that relate to disk encryption. When running through the Debian installer you can choose to partition the disk manually. You can split your disk into as many partitions as you like, but for this tutorial we are going to have four:
/boot: unencrypted.
/: the root volume, encrypted with a passphrase.
/home: encrypted with a key file (that's stored on /, so it is only ever readable once the root volume has been unlocked).
swap: encrypted with a random key generated each time we boot.
Run through the standard Debian installer until you get to the section on disk partitioning.
Select "Manual"

Pick the disk you want to use

If it's a new disk create a partition table or wipe the existing one.2

Select the free space

Create a new partition

I'm currently running my laptop (which only has an 80GB SSD) with a 100MB boot partition and it's mostly OK, but I forgot to run sudo apt-get autoremove for a while and my /boot filled up once. It's not a hard fix, but I'd recommend 256MB; it's not that much space and one less thing to worry about.

Create it as a Primary Partition

At the Beginning

Change the mount point to /boot


And finish.

Next we set up the root volume; in this example I'm going with 64GB.

Now select "Use As"

And change it to "physical volume for encryption"

Now we do the same again for our /home partition

Now I'm creating a partition that is 8GB less than the remaining space on the disk, to leave 8GB for swap.

Finally we create a partition that we will (eventually) use for swap. For now simply create the partition; don't set it as swap, and don't use or format it yet.

Now select "Configure encrypted volumes"

Write the changes to disk

Create encrypted volumes

Select the encrypted volumes

Finish

Enter a passphrase for your root volume and for your home volume. We will replace the home volume's passphrase with a key file later.

Now select the encrypted volumes and map them to / and /home.

Select finish and write changes to disk

The installer will complain that we don't have a swap partition set up yet, but that's OK; we will fix that after the first boot.

And finish, then continue with the installer as usual.

When you finish the installer and reboot you should now have a system with full disk encryption, but there are a couple of things we need to fix up.
First we will set up the swap partition to use a random key at boot. Edit /etc/crypttab and add the line sda7_crypt /dev/sda7 /dev/urandom swap. The swap option makes the boot scripts run mkswap on the freshly keyed device every boot. Two things worth knowing here: because a random key means the partition is rewritten on every boot, refer to it by a stable name (for example a /dev/disk/by-id/ path) rather than /dev/sda7 if there is any chance your device numbering can change, otherwise a renumbering will overwrite the wrong partition; and consider spelling out the cipher and key size (for example swap,cipher=aes-xts-plain64,size=256) rather than relying on cryptsetup's compiled-in defaults for plain mode. Then edit /etc/fstab and add /dev/mapper/sda7_crypt none swap sw 0 0.
Next we are going to use a key file instead of a passphrase for our home partition. To do that we generate a file containing 32 bytes (256 bits) of random data and make sure only root can read it:
$ sudo su
# mkdir /etc/keys
# chmod 700 /etc/keys
# dd if=/dev/random of=/etc/keys/sda6.key bs=1 count=32
# chmod 400 /etc/keys/sda6.key
Next we add that file as a key that can decrypt the volume: sudo cryptsetup luksAddKey /dev/sda6 /etc/keys/sda6.key (you will be prompted for the existing passphrase).
Before removing the passphrase, confirm that the key file actually unlocks the volume: sudo cryptsetup open --test-passphrase --key-file /etc/keys/sda6.key /dev/sda6 should succeed without asking for anything. If you remove the passphrase while the key file is wrong or unreadable, the data on /home is gone, so it is also worth taking a header backup first with cryptsetup luksHeaderBackup and storing it somewhere safe.
Then we remove the current passphrase: sudo cryptsetup luksRemoveKey /dev/sda6 (it prompts for the passphrase to remove).
Finally, edit /etc/crypttab and, on the line that has sda6_crypt, replace the word none with /etc/keys/sda6.key, leaving the rest of the line as it is.
And you're done. Now when you boot you should only be asked for the one (root) passphrase; /home is unlocked automatically with the key file once the root volume is mounted.
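The post-install fix-ups above, collected into a script, as an added example that is not part of the original post. It assumes the tutorial's layout (sda6 is /home, sda7 is swap, the key lives at /etc/keys/sda6.key); the crypttab and fstab lines are built by functions so you can check them before appending them to the real files, and the key is proved to unlock the LUKS volume before the passphrase is removed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes sda6 = /home,
# sda7 = swap and a key path of /etc/keys/sda6.key; adjust to your disk.
set -eu

# crypttab line for a swap volume keyed from /dev/urandom on every boot.
# Cipher and key size are spelled out so a change in cryptsetup's
# compiled-in plain-mode defaults cannot silently change how swap is encrypted.
swap_crypttab_line() {
    # $1 = mapper name, $2 = block device (use a stable /dev/disk/by-id path)
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# fstab line for the mapped swap device.
swap_fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# Rewrite one crypttab entry so the volume is unlocked with a key file:
# field 3 ("none" after the installer) becomes the key path, field 4
# ("luks") is left alone. Reads crypttab on stdin, writes the result to stdout.
keyfile_crypttab() {
    # $1 = mapper name, $2 = key file path
    awk -v name="$1" -v key="$2" '$1 == name { $3 = key } { print }'
}

# Create a 256-bit key file readable only by root. The umask closes the
# window between creation and chmod: the file is never world-readable.
make_keyfile() {
    # $1 = key file path
    dir=$(dirname "$1")
    ( umask 077 && mkdir -p "$dir" && dd if=/dev/urandom of="$1" bs=32 count=1 2>/dev/null )
    chmod 400 "$1"
}

# Sanity-check a key file before trusting it: exactly 32 bytes, mode 0400.
check_keyfile() {
    [ "$(wc -c < "$1")" -eq 32 ] || return 1
    [ "$(stat -c %a "$1")" = "400" ] || return 1
}

# Enrol the key file in the LUKS header, prove it unlocks the volume, and
# only then remove the installer passphrase. Needs root and the real device.
rekey_home() {
    # $1 = LUKS device (e.g. /dev/sda6), $2 = key file path
    cryptsetup luksAddKey "$1" "$2"                         # prompts for the existing passphrase
    cryptsetup open --test-passphrase --key-file "$2" "$1"  # fails if the key file does not unlock it
    cryptsetup luksRemoveKey "$1"                           # prompts for the passphrase to remove
}

# Usage, as root, on the tutorial's layout (stable disk name is an assumption):
#   swap_crypttab_line sda7_crypt /dev/disk/by-id/<your-disk>-part7 >> /etc/crypttab
#   swap_fstab_line sda7_crypt >> /etc/fstab
#   make_keyfile /etc/keys/sda6.key && check_keyfile /etc/keys/sda6.key
#   rekey_home /dev/sda6 /etc/keys/sda6.key
#   keyfile_crypttab sda6_crypt /etc/keys/sda6.key < /etc/crypttab > /etc/crypttab.new
#   mv /etc/crypttab.new /etc/crypttab
```

The order in rekey_home is the whole point: luksRemoveKey is run last, after the --test-passphrase open has shown the key file really opens the volume, so a typo in the key path cannot leave you with a /home that nothing can unlock.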
-
Every time I hear the term "Evil Maid Attack" I get a mental image of a big beefy hairy security guy in a French maid outfit with a feather duster. It's horrible. ↩
-
It's about this time that I should point out that formatting your disk and installing a new OS will remove all the data on the disk, so make sure you have backups. But I feel like if you're installing Linux with full disk encryption you're probably already across that. ↩