Difference between revisions of "Debian with luks"

From wiki.filipefonseca.pt
Latest revision as of 07:02, 14 July 2021

This tutorial will guide you through installing the latest release of Debian 10 (codename Buster) with swap, /home, /root and /var as LVM logical volumes on top of a LUKS-encrypted physical volume.

LUKS, an acronym for Linux Unified Key Setup, is the standard for hard disk block encryption on Linux; it stores all of the setup data in the partition header. If the LUKS header is tampered with, damaged or overwritten in any way, the encrypted data on that partition is lost.

Still, one convenience of LUKS is that a key file can be used during boot to unlock, decrypt and mount the encrypted partitions automatically, without having to type the passphrase at the prompt on every boot (especially useful if you connect remotely through SSH).

You might ask why only /var and /home are encrypted and not the entire file system. One argument is that /home and /var contain, in most cases, the sensitive data: /home stores user data, while /var stores database files (MySQL data files are typically located here), log files, website data, mail and other information that can easily be read once a third party gains physical access to your hard drives. For security purposes, /root and swap are encrypted as well: swap can hold key material paged out of memory, and /root holds the administrator's own files, which are best kept safe too.

== Install ==

1. Download the Debian 10 ISO image and burn it to a CD or create a bootable USB drive. Place the CD/USB in the appropriate drive, power on the machine and instruct the BIOS to boot from the CD/USB drive.
Once the system boots from the Debian installation media, choose Install on the first screen and press Enter to move forward.
[Screenshot: Install Debian 10]
2. In the next steps, select the language for the installation process, select your country, configure your keyboard and wait for the additional components to load.
[Screenshots: Select Language; Select Location; Configure Keyboard]
3. In the next step the installer configures your network interface automatically if a DHCP server provides the network settings.
If your network segment has no DHCP server to configure the interface automatically, choose Go Back on the Hostname screen and set the interface's IP addresses manually.
Once done, type a descriptive hostname for your machine and a domain name, as illustrated in the screenshots, and Continue with the installation process.
[Screenshots: Configure Hostname; Configure Domain Name]
4. Next, type a strong password for the root user and confirm it, then set up the first user account with a different password.
[Screenshots: Set Root Password; Create New User; Set User Password]
5. Now set the clock by selecting the time zone closest to your physical location.
[Screenshot: Configure Time]
6. On the next screen choose the Manual partitioning method, select the hard drive you want to partition and choose Yes to create a new empty partition table.
[Screenshots: Manual Partitioning; Select Installation Disk; Create Disk Partition]
7. Now it’s time to slice the hard drive into partitions. The first partition to create is the /boot partition. Select the FREE SPACE, hit Enter and choose Create a new partition. Use at least 1 GB as its size, make it a Primary partition at the Beginning of the disk, and set:
         Use as: Ext4 journaling file system
    Mount Point: /boot
          Label: boot
  Bootable flag: on
[Screenshots: Select Disk Partition; Create New Partition; Set Partition Size; Select Primary Partition; Select Partition Location]
8. Next, configure the /(root) partition with the following settings:
    Use as: Ext4 journaling file system
    Mount Point: /
    Label: root
    Bootable flag: off

When you have finished setting up the partition choose Done setting up the partition and press Enter to continue.

[Screenshot: Create Boot Partition]
9. Now it’s time to create the encrypted partition: the physical volume for encryption on top of which the LVM swap, /root, /var and /home volumes will reside.

To do that, choose the remaining FREE SPACE -> Create a new partition -> leave the partition size at the default value -> make it a Logical partition -> Use it as Physical volume for encryption -> Done setting up the partition.

Use the screenshots below as guidance for these steps.

[Screenshots: Create Encrypted Partition; Enter Partition Size; Set Primary Partition; Set Encryption Type; Encrypted Partition Summary]
10. After the physical volume for encryption has been created, it’s time to configure the encrypted volumes. If you have other partitions or hard drives that you want to encrypt, create them all now by repeating the above steps for each partition.

To move forward, select Configure encrypted volumes and hit Yes to write the changes to disk and start configuring the encrypted volumes.

[Screenshots: Configure Encrypted Volumes; Write Changes to Disk]
11. On the next screen choose Create encrypted volumes and choose the devices (partitions) to encrypt. If you have trouble recognising the correct devices by their partition number or size, look for the word crypto at the end of each listed partition.

To select the partitions use the up and down keys to navigate and press the space key to select the appropriate partitions; an asterisk should appear next to each selected device. When you’re done selecting devices, hit the Tab key to jump to Continue, press Enter to move forward and then Finish.

[Screenshots: Create Encrypted Volume; Select Partition To Encrypt; Finish Encrypted Partition]
12. On the next screen the installer asks whether you want to erase the data on the encrypted partitions. Depending on the time available, or if the hard disk is new and has just been partitioned so it contains no data, choose No, then provide a strong passphrase for the encrypted volume.

When you’re done with the passphrase, hit Continue to return to the main Partition menu and go on to configure the LVM volumes.

[Screenshots: Erase Data on Partition; Set Encrypted Passphrase]
13. Once you have returned to the main Partition menu, it’s time to create the LVM volumes for swap, /root, /home and /var on top of the encrypted volume.

Next, select Configure the Logical Volume Manager and confirm (Yes) writing the changes to disk.

[Screenshots: Configure Logical Volumes; Write Changes to LVM]
14. In the next step create a Volume Group with a descriptive name (for this setup we used the name filipefonseca) and select the encrypted device (partition) that will be part of the VG by pressing the space key. To jump to Continue press the Tab key.
[Screenshots: Create Volume Group; Set Volume Group Name; Select Device for New Volume]
15. Now create the Logical Volumes for swap, /root, /home and /var. Choose Create logical volume -> press Enter at your Volume Group name -> use the name home for the first Logical Volume -> enter a size for the home Logical Volume depending on how much space you want for your home partition and hit Continue when you’re done.
[Screenshots: Select Logical Volume; Set Volume Group Name; Create Swap Partition; Set Size for Swap Partition]
16. Next, repeat the above step to create the remaining Logical Volumes and hit Finish when you’re done to go back to the main Partition menu.
[Screenshots: LVM Summary; Finish Partitioning]
17. Once returned to the main Partition menu, it’s time to configure the LVM partition settings and mount points. Navigate to the #1 home Logical Volume and configure it with the following settings:
        Use as: Ext4 journaling file system
   Mount Point: /home
         Label: home

When you finish, hit Done setting up the partition.

[Screenshots: Overview of Current Partition; Configure Home Mount Point]
18. Repeat the above steps for the remaining Logical Volumes (swap, /root and /var), giving each the matching mount point and label; the swap volume is used as Linux swap.

Again, after you finish setting up the swap, /root, /home and /var volumes, hit Done setting up the partition to return to the main Partition menu, review the partitions one last time and, if everything is in the right place, move to Finish partitioning and write changes to disk. Choose No at the next prompt (Return to partitioning menu) and Yes to format the partitions, write the changes to disk and continue with the installation. After the base system is installed, select No to skip scanning additional installation media.

[Screenshots: Overview of Current Partition; Write Changes to Format Disk; Additional Media]
19. That’s all for the partitioning scheme needed to run LVM volumes on top of an encrypted physical volume.

After the base system is installed, select a Debian archive mirror country for the repositories. If the machine is directly connected to the Internet and you do not use a proxy server to reach it, hit Continue at HTTP proxy information.

[Screenshots: Configure Package Manager; Select Location of Repository; Configure HTTP Proxy]
20. After the installer has configured the apt repositories, a new prompt appears asking you to participate in the package usage survey. Choose No to continue and select the software you want to install.

Depending on the final role of your machine, you can opt for a graphical user interface with your favourite desktop environment (Gnome, Xfce, KDE, Cinnamon, MATE, LXDE) or a server configuration with no GUI.

In any case, choose standard system utilities, plus SSH server if you want to use the machine as a server, and hit Continue when you’re done.

[Screenshots: Configure Popularity Contest; Software Selection]
21. After all the required packages have been installed, install the GRUB boot loader to the MBR (Master Boot Record) of your first hard disk (/dev/xvda) and wait for the installation process to finish.
[Screenshots: Install Grub Loader; Select Grub Loader Location]
22. After the installation finishes, hit Continue to reboot the machine. During boot you will be asked to enter the passphrase configured during installation in order to unlock the encrypted device and mount the encrypted partitions.
[Screenshots: Finish Installation; Enter Passphrase]

The partitions are now locked with LUKS; only by typing the passphrase are they made available, and only then does the boot continue.

== Auto unlock on boot ==

ATTENTION: this step defeats the purpose of encrypting the system this way. By supplying the key automatically at boot, the partitions are opened without anyone typing a passphrase, which renders the encryption useless. The remaining steps are intended for development testing only.

23. In order to automatically unlock and mount the encrypted partitions during boot, log in as root and create a protected key file on the /(root) partition by issuing the following commands:
<syntaxhighlight lang="bash">
# GENERATE KEY: 512 random bytes from the kernel's random source
dd if=/dev/urandom of=/cryptkey-sys bs=512 count=1
# SECURE KEY: accessible by root only
chmod 700 /cryptkey-sys
</syntaxhighlight>
[Screenshot: Auto Mount Encrypted Partitions]

This file must be readable at boot, before the encrypted volume is opened, so it has to live on an unencrypted partition (here the plain / partition, not the encrypted /root volume).

24. After the key has been created, open /etc/crypttab and replace the none parameter (the third field of the entry) with the absolute path to your key, as in the screenshot:
<syntaxhighlight lang="bash">
# nano /etc/crypttab
</syntaxhighlight>
[Screenshot: Add Mount Points]
25. Next, add the key to the encrypted LUKS device by issuing the following command (LUKS can support up to 8 key or passphrase slots) and verify that the key has been added to slot number 1:
<syntaxhighlight lang="bash">
# ADD KEY: prompts for the existing passphrase, then enrols the key file
cryptsetup luksAddKey /dev/xvda5 /cryptkey-sys
# CHECK KEY: slot 1 should now be listed as enabled in the header dump
cryptsetup luksDump /dev/xvda5
</syntaxhighlight>
[Screenshots: Add Key to Encrypted Luks; Encrypted Key]
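As an added example (not part of the original wiki page), steps 23 to 25 as a small POSIX shell script: it creates the key file, builds the /etc/crypttab line and parses cryptsetup luksDump output to list the enabled key slots, so the "is the key in slot 1" check can be scripted rather than read off a screenshot. The function names, the xvda5_crypt mapping name and the luksDump excerpts are assumptions; the parser handles both the LUKS1 and the LUKS2 dump layouts.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the key-file steps as functions,
# plus a parser for "cryptsetup luksDump" output that lists the enabled key
# slots, so "verify the key landed in slot 1" becomes a scriptable check.
set -eu

# Step 23: a 512-byte random key file, readable by root only. It must live on
# the unencrypted / file system, because the initramfs reads it before the
# LUKS container is opened.
gen_keyfile() {
    # subshell: umask 077 so the file is never created world-readable
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null )
    chmod 700 "$1"   # the tutorial's mode; 600 would be sufficient
}

# Step 24: the /etc/crypttab line. The third field is "none" when the
# passphrase is prompted for, and the key file path for automatic unlock.
crypttab_entry() {
    printf '%s %s %s luks\n' "$1" "$2" "${3:-none}"
}

# Read luksDump output on stdin and print the enabled slot numbers on one
# line. Handles both header formats: LUKS1 ("Key Slot 1: ENABLED") and LUKS2
# (a "Keyslots:" section whose entries look like "  1: luks2").
enabled_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); out = out " " $3 }
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Z][A-Za-z ]*:/         { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ { sub(":", "", $1); out = out " " $1 }
        END { sub(/^ /, "", out); print out }
    '
}

# Step 25 against a real device (needs root and cryptsetup): enrol the key
# file, then show the enabled slots; slot 1 should appear next to slot 0.
add_keyfile_slot() {
    cryptsetup luksAddKey "$1" "$2"
    cryptsetup luksDump "$1" | enabled_keyslots
}

# Constructed luksDump excerpts (only the lines the parser cares about) for
# exercising enabled_keyslots without a real LUKS device.
SAMPLE_LUKS1='LUKS header information for /dev/xvda5
Version:        1
Key Slot 0: ENABLED
        Iterations:             2000000
Key Slot 1: ENABLED
        Iterations:             2000000
Key Slot 2: DISABLED
Key Slot 7: DISABLED'

SAMPLE_LUKS2='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Demonstration on the constructed samples (no root needed).
echo "crypttab: $(crypttab_entry xvda5_crypt /dev/xvda5 /cryptkey-sys)"
echo "LUKS1 enabled slots: $(printf '%s\n' "$SAMPLE_LUKS1" | enabled_keyslots)"
echo "LUKS2 enabled slots: $(printf '%s\n' "$SAMPLE_LUKS2" | enabled_keyslots)"
```

Run add_keyfile_slot /dev/xvda5 /cryptkey-sys as root to perform the real enrolment; the other functions work on any machine.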

That’s it! On the next boot the encrypted partitions will be unlocked and mounted automatically with the key file created above.

Be aware that if you lose the key file or forget the passphrase set during installation, the data stored on the encrypted partitions cannot be recovered and is lost for good, so take precautions and back up your data regularly, preferably to another encrypted device.