Index ¦ Archives ¦ Atom

Setting Up Full Disk Encryption on Debian Jessie

Update 2017-06-29: I've done an updated version of this tutorial with Debian Stretch. The updated version is simplified, it uses the graphical installer and guided partitioning. However, if you want to manually partition your disks, this tutorial will still work for Debian Stretch.

This is part 2 of a two part post, part 1 is a bit of a primer about Full Disk Encryption on Linux.

I should point out that in the tutorial I say "Full" disk encryption but that's not entirely correct there is still a small partition /boot that's unencrypted. That contains your kernel, grub config and initrd and needs to be unencrypted so we can start booting and decrypt the rest of the OS. If you're thinking "But then someone with physical access could replace my kernel with a backdoored one" your absolutely correct. It's called an "Evil Maid Attack"1 and Matthew Garrett has some good write ups on them. There are ways you can protect against such attacks a Trusted Platform Module to only boot a signed kernel or burning your /boot partition to a CD-R so it can't be changed. But these are out of scope for the tutorial.

For this tutorial I'm going to assume you're familiarly with the Debian installer and I'm really only going to cover the bits that relate to disk encryption. When running through the Debian installer you can pick to manually partition disk. You can split your disks into as many partitions as you like, but for this tutorial we are going to have four partitions.

  • /boot Unencrypted
  • / root volume, encrypted with a passphrase.
  • /home Encrypted with a key file (that's stored on /).
  • SWAP Encrypted with a random key generated each time we boot.

Run through the standard Debian installer until you get to the section on disk partitioning.

Select "Manual" Partition Manually

Pick the disk you want to use Select Disk

If it's a new disk create a partition table or wipe the existing one.2 Wipe Disk

Select the free space Select free space

Create a new partition Create a new partition

I'm currently running my laptop (which only has an 80GB SSD) with a 100MB boot partition and it's mostly ok but I forgot to run sudo apt-get autoremove for a while and my /boot filled up once. It's not a hard fix but I'd recommend 256MB it's not that much space and one less thing to worry about. 256 MB Partition

Create it as a Primary Partition Primary Partition

At the Beginning Beginning

Change the mount point to /boot Mount Point

Mount Point

And finish. Mount Point

Next we will setup the root volume in this example I'm going with 64GB Root Volume Root Volume Root Volume Root Volume Root Volume

Now select "Use As" Root Volume

And change it to "physical volume for encryption" physical volume for encryption physical volume for encryption physical volume for encryption

Now we do the same again for our /home partition Home Volume Home Volume

Now I'm creating a volume that 8GB less than the remaining space on the disk, to leave 8GB for swap. Home Volume

Finally we create a partition that we will (eventualy) use for swap. However simply create a partition, don't set it as swap or use / format it yet. Swap Partition Swap Partition Swap Partition Swap Partition Swap Partition

Now select "Configure encrypted volumes" Encrypted Volumes

Write the changes to disk Encrypted Volumes

Create encrypted volumes Encrypted Volumes

Select the encrypted volumes Encrypted Volumes

Finish Encrypted Volumes

Enter a passphrase for your root volume and your home volume. We will change the home volume to a key later. Set Passphrase Set Passphrase Set Passphrase Set Passphrase

Now select the encrypted volume and map them to / and /home Map Encrypted Volumes Map Encrypted Volumes Map Encrypted Volumes

Select finish and write changes to disk Finish

The installer will complain that we don't have a swap file setup yet, but that's ok we can fix that later. Swap File

And finish, then continue with the installer as usual. Finish

When you finish the installer and reboot you should now have a system with full disk encryption but there are a couple of things we need to fix up.

First we will setup the swap partition to use a random key at boot. We need to edit /etc/crypttab and add sda7_crypt /dev/sda7 /dev/urandom swap. Then we need to edit /etc/fstab and add /dev/mapper/sda7_crypt none swap sw 0 0

Next we are going to use a key file instead of a passphrase for our home partition. To do that we will generate a file with some random data in there.

$ sudo su
# mkdir /etc/keys
# dd if=/dev/random of=/etc/keys/sda6.key bs=1 count=32
# chmod 400 /etc/keys/sda6.key

Next we add that as a key to be able to decrypt that volume sudo cryptsetup luksAddKey /dev/sda6 /etc/keys/sda6.key

and then we remove the current passphrase sudo cryptsetup luksRemoveKey /dev/sda6

then we edit /etc/crypttab on the line that has sda6_crypt replace the word none with /etc/keys/sda6.key

And your done. Now when you boot you should just be asked for the one passphrase.

  1. Every time I hear the term "Evil Maid Atack" I get a mental image of a big beefy hairy security guy in a French maid outfit with a feather duster. It's horrible. 

  2. It's about this time that I should point out that formatting your disk and installing a new OS will remove all the data on a disk, make sure you have backups. But I feel like if your installing Linux with full disk encryption your probably already across that. 

Creative Commons License
Content on this site is licensed under a Creative Commons Attribution 4.0 International License.
Built using Pelican. Based on a theme by Giulio Fidente on github.