
Installing Debian manually with LUKS+LVM

The Debian installer is nice, but it seems to be missing options for certain LUKS encryption schemes, such as 512-bit key sizes, so I decided to try to install Debian manually via 'debootstrap' after preparing the disk.

Boot a LiveCD

# I usually boot some version of Knoppix to do all this work.

Preparing disk for installation

# First make a partition for encryption use via fdisk
fdisk /dev/sda # for example, add an sda2 /boot and sda3 / partitions via the 'n' command

# Format the /dev/sda2 boot partition with ext4
mkfs.ext4 -c -L boot -m 0 /dev/sda2

# then install haveged to make more entropy available
aptitude install haveged

# then encrypt the partition. Many ciphers are available,
# check for them via /proc/crypto
cryptsetup -v --use-random --verify-passphrase --cipher aes-xts-benbi --key-size=512 \
   --hash=sha512 --iter-time=10000 luksFormat /dev/sda3

# make available the decrypted partition
cryptsetup luksOpen /dev/sda3 sda3_decrypt

# fill the decrypted partition with pseudo-random data, so the unused space
# on disk cannot be told apart from encrypted data
# NOTE: this will take SEVERAL HOURS to do: 120GB on an old P4 took 10 hours.
dd_rescue -v /dev/urandom /dev/mapper/sda3_decrypt

# prepare disk or partition for LVM use
pvcreate /dev/mapper/sda3_decrypt

# create LVM volume group
vgcreate mainvolume /dev/mapper/sda3_decrypt

# create LVM logical volumes
lvcreate -L 30G -n rootLV mainvolume
lvcreate -L 3G  -n swapLV mainvolume
lvcreate -L 60G -n homeLV mainvolume

# format logical volume partitions
mkfs.ext4 -c -L rootLV /dev/mapper/mainvolume-rootLV
mkswap -c -L swapLV-1 /dev/mapper/mainvolume-swapLV
mkfs.ext4 -c -m 0 -L homeLV /dev/mapper/mainvolume-homeLV

Debian installation with debootstrap

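# mount filesystems to prepare for installation
# (create /target/boot and /target/home only after the root volume is mounted,
# so that the mount points exist inside the new root filesystem)
mkdir /target
mount /dev/mapper/mainvolume-rootLV /target
mkdir /target/boot
mkdir /target/home
mount /dev/sda2 /target/boot
mount /dev/mapper/mainvolume-homeLV /target/home
swapon /dev/mapper/mainvolume-swapLV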

# installinnnnggg!!
debootstrap --arch=i386 wheezy /target

# bind mount a few directories and chroot into the new system to do some setup
mount -o bind /dev /target/dev
mount -o bind /dev/pts /target/dev/pts
mount -o bind /sys /target/sys
mount -o bind /proc /target/proc

# chroot into newly installed system
chroot /target
# the new system complains about the LOCALE not being set; prepare the fix for it,
# but this has to wait until the locales-all package is installed.
nano /etc/default/locale

# fill in file with:


# update sources.list, install locales
nano /etc/apt/sources.list

# update file to contain:

# standard Debian Wheezy repositories
deb wheezy main
deb wheezy-updates main
deb wheezy/updates main

# update repository lists, install locales, update locale
aptitude update
aptitude install locales-all

# use aptitude to install a linux-image and grub2
aptitude install linux-image grub2

# run blkid to discover the UUID identifiers for the filesystems to mount
blkid
# use this info for manual entries in /etc/fstab and /etc/crypttab
# then run update-initramfs again:
update-initramfs -k all -u
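
The blkid step above leaves the /etc/crypttab and /etc/fstab entries to be written by hand. The script below is an added example, not part of the original page: it derives those entries from blkid output for the volume layout used here. The sample blkid output and its UUIDs are constructed placeholders, and the mount options are assumptions.

```sh
#!/bin/sh
# Added example: build /etc/crypttab and /etc/fstab lines from blkid output.
# SAMPLE_BLKID is constructed (placeholder UUIDs); on the real system set
# BLKID_OUT="$(blkid)" inside the chroot before calling the functions.
SAMPLE_BLKID='/dev/sda2: LABEL="boot" UUID="11111111-1111-1111-1111-111111111111" TYPE="ext4"
/dev/sda3: UUID="22222222-2222-2222-2222-222222222222" TYPE="crypto_LUKS"
/dev/mapper/mainvolume-rootLV: LABEL="rootLV" UUID="33333333-3333-3333-3333-333333333333" TYPE="ext4"
/dev/mapper/mainvolume-homeLV: LABEL="homeLV" UUID="44444444-4444-4444-4444-444444444444" TYPE="ext4"
/dev/mapper/mainvolume-swapLV: LABEL="swapLV-1" UUID="55555555-5555-5555-5555-555555555555" TYPE="swap"'
BLKID_OUT=${BLKID_OUT:-$SAMPLE_BLKID}

# uuid_of DEVICE: print the UUID blkid reported for DEVICE (empty if none).
# Requiring whitespace before UUID= avoids matching PARTUUID= or similar keys.
uuid_of() {
    printf '%s\n' "$BLKID_OUT" |
        sed -n "s|^$1:.*[[:space:]]UUID=\"\([^\"]*\)\".*|\1|p"
}

# crypttab_line NAME DEVICE: "<name> UUID=<uuid> none luks".
# "none" means no key file, so the passphrase is asked for at boot.
crypttab_line() {
    uuid=$(uuid_of "$2")
    [ -n "$uuid" ] || { echo "no UUID found for $2" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# fstab_line DEVICE MOUNTPOINT FSTYPE OPTIONS PASS
# Plain partitions are referenced by UUID, LVM volumes by /dev/mapper name.
fstab_line() {
    case $1 in
        /dev/mapper/*) spec=$1 ;;
        *)  uuid=$(uuid_of "$1")
            [ -n "$uuid" ] || { echo "no UUID found for $1" >&2; return 1; }
            spec="UUID=$uuid" ;;
    esac
    printf '%s %s %s %s 0 %s\n' "$spec" "$2" "$3" "$4" "$5"
}

# Entries for the layout used on this page (review before writing to /etc).
echo "# /etc/crypttab"
crypttab_line sda3_decrypt /dev/sda3
echo "# /etc/fstab"
fstab_line /dev/mapper/mainvolume-rootLV / ext4 errors=remount-ro 1
fstab_line /dev/sda2 /boot ext4 defaults 2
fstab_line /dev/mapper/mainvolume-homeLV /home ext4 defaults 2
fstab_line /dev/mapper/mainvolume-swapLV none swap sw 0
```

The crypttab entry must point at the LUKS container (/dev/sda3, TYPE="crypto_LUKS"), not at the filesystems inside it, and it has to be in place before update-initramfs runs so the initramfs can unlock the root volume.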



March 07, 2015, at 04:05 PM