Main | Debian Encrypted Debootstrap
The Debian installer is nice but it seems to be missing options for certain LUKS encryption
schemes 512-bit key sizes, so I decided to try to install Debian manually via 'debootstrap'
after preparing the disk.
# I usually boot some version of Knoppix to do all this work.
# First make a partition for encryption use via fdisk fdisk /dev/sda # for example, add an sda2 /boot and sda3 / partitions via the 'n' command
# Format the /dev/sda2 boot partition with ext4 mkfs.ext4 -c -L boot -m 0 /dev/sda2
# then install haveged to make more entropy available aptitude install haveged
# then encrypt the partition. Many ciphers are available, # check for them via /proc/crypto cryptsetup -v --use-random --verify-passphrase --cipher aes-xts-benbi --key-size=512 --hash=sha512 --iter-time=10000 luksFormat /dev/sda3
# make available the decrypted partition cryptsetup luksOpen /dev/sda3 sda3_decrypt
# fill the decrypted partition with pseudo-random data
# NOTE: this will take SEVERAL HOURS to do: 120GB on an old P4 took 10 hours. dd_rescue -v /dev/urandom /dev/mapper/sda3_decrypt
# prepare disk or partition for LVM use pvcreate /dev/mapper/sda3_decrypt
# create LVM volume group vgcreate mainvolume /dev/mapper/sda3_decrypt
# create LVM logical volume groups lvcreate -L 30G -n rootLV mainvolume lvcreate -L 3G -n swapLV mainvolume lvcreate -L 60G -n homeLV mainvolume
# format logical volume partitions mkfs.ext4 -c -L rootLV /dev/mapper/mainvolume-rootLV mkswap -c -L spapLV-1 /dev/mapper/mainvolume-swapLV mkfs.ext4 -c -m 0 -L homeLV /dev/mapper/mainvolume-homeLV
# mount filesystems to prepare for installation mkdir /target mkdir /target/boot mkdir /target/home mount /dev/mapper/mainvolume-rootLV /target mount /dev/sda2 /target/boot
@@mount /dev/mapper/mainvolume-homeLV /target/home
swapon /dev/mapper/mainvolume-swapLV
# installinnnnggg!! debootstrap --arch=i386 wheezy /target
http://ftp.us.debian.org/debian
# bind mount a few directories and chroot into the new system to do some setup mount -o bind /dev /target/dev mount -o bind /dev/pts /target/dev/pts mount -o bind /sys /target/sys mount -o bind /proc /target/proc
# chroot into newly installed system chroot /target # the new system complains about the LOCALE not being set; prepare the fix for it, # but this has to wait until the locales-all package is installed. nano /etc/default/locale
# fill in file with:
LANG="en_US.UTF-8" LANGUAGE="" LC_MESSAGES="en_US.UTF-8" COUNTRY="US"
# update sources.list, install locales nano /etc/apt/sources.list
# update file to contain:
# standard Debian Wheezy repositories deb http://ftp.us.debian.org/debian/ wheezy main deb http://ftp.us.debian.org/debian/ wheezy-updates main deb http://security.debian.org/ wheezy/updates main
# update repository lists, install locales, update locale aptitude update aptitude install locales-all update-locale
# use aptitude to install a linux-image and grub2
aptitude install linux-image grub2
# run blkid to discover the UUID identifiers for the filesystems to mount blkid
# use this for info manual entries in /etc/fstab and /etc/crypttab
# then run update-initramfs again: update-initramfs -k all -u
References:
Important to read for later (unrelated):
March 07, 2015, at 04:05 PM