Difference between revisions of "Debian with luks"

From wiki.filipefonseca.pt
Line 86: Line 86:
[[File:Debian with luks 34.jpg|400px|center|thumb| Erase Data on Partition]]
[[File:Debian with luks 34.jpg|400px|center|thumb| Erase Data on Partition]]
[[File:Debian with luks 35.jpg|400px|center|thumb| Set Encrypted Passphrase]]
[[File:Debian with luks 35.jpg|400px|center|thumb| Set Encrypted Passphrase]]
[[File:Debian with luks 36.jpg|400px|center|thumb| Confirm Passphrase]]


;13. Once you have returned at the main Partition menu, it’s time to create the LVM partitions for /home and /var on top of the encrypted volume.
;13. Once you have returned at the main Partition menu, it’s time to create the LVM partitions for /home and /var on top of the encrypted volume.


Next, select Configure the Logical Volume Manager and confirm (Yes) the new write changes to disk.
Next, select Configure the Logical Volume Manager and confirm (Yes) the new write changes to disk.
[[File:Debian with luks 37.jpg|400px|center|thumb| Configure Logical Volumes]]
[[File:Debian with luks 36.jpg|400px|center|thumb| Configure Logical Volumes]]
[[File:Debian with luks 38.jpg|400px|center|thumb| Write Changes to LVM]]
[[File:Debian with luks 37.jpg|400px|center|thumb| Write Changes to LVM]]


;14. On the next step create a Volume Group using a descriptive name for this VG (for my setup I’ve used the name Jessie) and select the encrypted device (partition) that will be a part of the VG by pressing the space key. To jump to Continue menu press the Tab key.
;14. On the next step create a Volume Group using a descriptive name for this VG (for my setup I’ve used the name Jessie) and select the encrypted device (partition) that will be a part of the VG by pressing the space key. To jump to Continue menu press the Tab key.
[[File:Debian with luks 39.jpg|400px|center|thumb| Create Volume Group]]
[[File:Debian with luks 38.jpg|400px|center|thumb| Create Volume Group]]
[[File:Debian with luks 40.jpg|400px|center|thumb| Set Volume Group Name]]
[[File:Debian with luks 39.jpg|400px|center|thumb| Set Volume Group Name]]
[[File:Debian with luks 41.jpg|400px|center|thumb| Select Device for New Volume]]
[[File:Debian with luks 40.jpg|400px|center|thumb| Select Device for New Volume]]
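Review bot: File:Debian with luks 36.jpg is captioned "Confirm Passphrase" in one revision and "Configure Logical Volumes" in the other, and files 37 to 40 change captions in the same way, so the shifted references only stay correct if the image files themselves were re-uploaded under the new numbers. Preview steps 12 to 14 and confirm each thumbnail still matches its caption. If the "Confirm Passphrase" screenshot is being dropped, removing that one line and leaving the other file numbers untouched would avoid the renumbering.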

Revision as of 19:58, 12 July 2021

This tutorial will guide you through installing the latest release of Debian 10 (codename Buster) with swap, /home, /root and /var LVM partitions encrypted on top of a LUKS-encrypted physical volume.

LUKS, an acronym for Linux Unified Key Setup, is a standard for Linux hard disk block encryption that stores all the setup data in the partition header. If the LUKS partition header is tampered with, damaged or overwritten in any way, the encrypted data that resides on this partition is lost.
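The following check is an added example, not part of the original tutorial: it reads the fixed binary fields at the start of a LUKS partition (magic, version, UUID and, for LUKS1, the key slot states) and shows what an overwritten first sector looks like. The function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER_LEN = 592                     # size of the LUKS1 binary header
UUID_OFF, UUID_LEN = 168, 40         # UUID sits at the same offset in LUKS1 and LUKS2
SLOT_OFF, SLOT_LEN, SLOTS = 208, 48, 8   # LUKS1 key slot table
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def inspect_luks_header(blob):
    """Describe the LUKS header at the start of blob (first bytes of a partition)."""
    if len(blob) < HEADER_LEN:
        return {"valid": False, "reason": "short read"}
    if blob[:6] != LUKS_MAGIC:
        return {"valid": False, "reason": "magic missing"}
    version = struct.unpack_from(">H", blob, 6)[0]
    if version not in (1, 2):
        return {"valid": False, "reason": "unknown version"}
    raw_uuid = blob[UUID_OFF:UUID_OFF + UUID_LEN].split(b"\0", 1)[0]
    info = {"valid": True, "version": version, "uuid": raw_uuid.decode("ascii", "replace")}
    if version == 1:  # LUKS2 keeps its key slots in a JSON area, not parsed here
        states = [struct.unpack_from(">I", blob, SLOT_OFF + i * SLOT_LEN)[0] for i in range(SLOTS)]
        info["active_slots"] = [i for i, s in enumerate(states) if s == SLOT_ACTIVE]
    return info

def build_sample_luks1_header():
    """Constructed LUKS1 header with key slot 0 enabled; contains no real key material."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, text in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256"),
                      (UUID_OFF, b"11111111-2222-3333-4444-555555555555")):
        hdr[off:off + len(text)] = text
    for i in range(SLOTS):
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        struct.pack_into(">I", hdr, SLOT_OFF + i * SLOT_LEN, state)
    return bytes(hdr)

if __name__ == "__main__":
    intact = build_sample_luks1_header()
    print(inspect_luks_header(intact))
    # Simulate an accidental overwrite of the first sector (512 bytes).
    damaged = bytes(512) + intact[512:]
    print(inspect_luks_header(damaged))
```

On a real system, `cryptsetup luksHeaderBackup` saves a copy of the header that `cryptsetup luksHeaderRestore` can write back after this kind of damage.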

Still, one of the conveniences of LUKS encryption is that you can use a decryption key during the boot process to automatically unlock, decrypt and mount the encrypted partitions, without having to type a passphrase at every system boot (especially useful if you are connecting remotely through SSH).

You might ask why only the /var and /home partitions are encrypted and not the entire file system. One argument is that the /home and /var partitions contain, in most cases, the sensitive data. While the /home partition stores users' data, the /var partition stores database information (typically MySQL database files are located here), log files, website data files, mail files and other information that can be easily accessed once a third party gains physical access to your hard drives.

Install

1. Download the Debian 8 ISO image and burn it to a CD or create a bootable USB drive. Place the CD/USB in the appropriate drive, power on the machine and instruct the BIOS to boot from the CD/USB drive.
Once the system boots the Debian installation media, choose Install from the first screen and press the Enter key to move forward.
Install Debian 10
2. In the next steps, select the Language for the installation process, select your Country, configure your keyboard and wait for the additional components to load.
Select Language
Select Location
Configure Keyboard
3. In the next step the installer will automatically configure your network interface card if your network provides settings through a DHCP server.
If your network segment doesn’t use a DHCP server to automatically configure the network interface, choose Go Back on the Hostname screen and manually set your interface IP addresses.
Once done, type a descriptive Hostname for your machine and a Domain name as illustrated in the screenshots below and Continue with the installation process.
Configure Hostname
Configure Domain Name
4. Next, type a strong password for the root user and confirm it, then set up the first user account with a different password.
Set Root Password
Create New User
Create New User
Set User Password
5. Now, set up the clock by selecting the time zone nearest to your physical location.
Configure Time
6. On the next screen choose the Manual partitioning method, select the hard drive that you want to partition and choose Yes to create a new empty partition table.
Manual Partitioning
Select Installation Disk
Create Disk Partition
7. Now it’s time to slice the hard drive into partitions. The first partition you will create is the / (root) partition. Select the FREE SPACE, hit the Enter key and choose Create a new partition. Use at least 8 GB as its size and create it as a Primary partition at the Beginning of the disk.
Select Disk Partition
Create New Partition
Set Partition Size
Select Primary Partition
Select Partition Location
8. Next, configure the / (root) partition with the following settings:
   Use as: Ext4 journaling file system
   Mount Point: /
   Label: root
   Bootable flag: on

When you have finished setting up the partition choose Done setting up the partition and press Enter to continue further.

Create Boot Partition
9. Now it’s time to create the encrypted partition that will be the physical volume for encryption, on top of which the LVM /var and /home partitions will reside.

To do that, first choose the remaining FREE SPACE -> Create a new partition -> leave the partition size with the default value -> make it a Logical partition -> Use it as Physical volume for encryption -> Done setting up the partition.

Use the screenshots below as guidance for these steps.

Create Encrypted Partition
Enter Partition Size
Set Primary Partition
Set Encryption Type
Encrypted Partition Summary
10. After the Physical volume for encryption has been created, it’s time to configure the Encrypted volumes. If you have other partitions or hard drives that you want to use for encryption, now is the time to create them all by repeating the above steps for each partition on the hard drives.

To move forward, select Configure encrypted volumes and choose Yes to write the changes to disk and start configuring the encrypted volumes.

Configure Encrypted Volumes
Write Changes to Disk
11. On the next screen choose Create encrypted volumes and choose the devices (partitions) to encrypt. If you have a hard time recognizing the correct devices by their partition number or size, just look for the word crypto at the end of each listed partition.

To select the partitions, use the up and down keys to navigate and press the space key to select the appropriate partitions; an asterisk should appear on each selected device. When you’re done selecting devices, hit the Tab key to jump to Continue, then press the Enter key to move forward and Finish.

Create Encrypted Volume
Select Partition To Encrypt
Finish Encrypted Partition
12. On the next screen the installer will ask whether you want to erase the data on the encrypted partitions. If you are short on time, or if the hard disk is new and has just been partitioned so it does not contain any data, choose No and provide a strong passphrase for the encrypted volume.

When you’re done with the passphrases, hit Continue to return to the main Partition menu and configure the LVM volumes.

Erase Data on Partition
Set Encrypted Passphrase
13. Once you have returned to the main Partition menu, it’s time to create the LVM partitions for /home and /var on top of the encrypted volume.

Next, select Configure the Logical Volume Manager and confirm (Yes) writing the changes to disk.

Configure Logical Volumes
Write Changes to LVM
14. In the next step create a Volume Group using a descriptive name for this VG (for my setup I’ve used the name Jessie) and select the encrypted device (partition) that will be part of the VG by pressing the space key. To jump to the Continue menu, press the Tab key.
Create Volume Group
Set Volume Group Name
Select Device for New Volume