Full disk encryption (including boot) on Debian
Install Debian 10 “buster” on a single encrypted partition using LVM on LUKS.
Devices that go out and about such as laptops and backup external drives should have their contents encrypted to guard against loss or theft. Plus you really want to encrypt everything (not just
home). All sorts of information and crypto weaknesses can seep into logfiles, temp files and swap memory. Tutorials and Linux distro installers that support encrypting
swap usually advise or auto-create a separate unencrypted
boot partition; reasoning that the Linux kernel first needs to be found by the boot loader before it can proceed to decrypt the rest of the system. I certainly thought this was true and partitioned my Linux installs accordingly.
However, turns out that GRUB2 supports booting from an encrypted
boot courtesy of its
cryptodisk module. Debian’s installer does not provide the option of encrypting
boot. But it is possible!
Steps below install a minimal Debian that makes use of the entire disk as a single Linux Unified Key Setup (LUKS) encrypted partition that is used by the Logical Volume Manager (LVM) to create “virtual partitions” (Logical Volumes or LVs) of
home. Installing LVM on top of the encrypted partition allows:
- creation of multiple LVs protected by a single passphrase
- dynamic resizing of LVs as needed
- snapshots of LVs that can be used as backups or to restore a previous state
Sample device (my Thinkpad X230) uses BIOS MBR and boots in legacy boot mode. I don’t have any devices using UEFI; see “Helpful resources” at the end about extrapolating from these steps to deal with
1. Install Debian
A visual walk-through using the Debian network installer to create a console-only base configuration using LVM on LUKS.
2. Convert LUKS2 device to LUKS1
Important! Device holding
/boot needs to be in LUKS format version 1 to be unlocked from the boot loader. Debian installer creates LUKS2 devices.
Check the LUKS format version on the root device. Run
luksDump on example device
# cryptsetup luksDump /dev/sda5
Version: 2 and in
Keyslots there is a single occupied slot
0: luks2. Existing LUKS2 devices can be converted to LUKS1, but not on a mounted filesystem.
Reboot the computer. At the GRUB menu, enter
e to edit, add
break=mount to the end of the
linux line for the kernel, and
F-10 to boot. System drops into a initramfs shell.
Key slots need to be converted to use the PBKDF2 algorithm exclusively prior to LUKS format version downgrade …
# cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5 # cryptsetup convert --type luks1 /dev/sda5 # cryptsetup luksDump /dev/sda5
luksDump now outputs
Version: 1 and
Key Slot 1: ENABLED with the other 7 slots
CTRL-ALT-Delete to reboot.
3. Move boot to root
Ensure data is not modified while being copied by remounting
/boot read-only …
# mount -o remount,ro /boot
Recursively copy the directory to the root filesystem, and replace the old
/boot mountpoint with the new directory …
# cp -axT /boot /boot.tmp # umount /boot # rmdir /boot # mv -T /boot.tmp /boot
/etc/fstab by commenting out the entry for the
/boot mountpoint …
#UUID=... /boot ext2 defaults 0 2
4. Enable cryptomount in GRUB
CRYPTODISK module to GRUB config and update the image …
# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub # update-grub # grub-install /dev/sda
grub.cfg has entries for
insmod cryptodisk and
insmod luks …
# grep 'cryptodisk\|luks' /boot/grub/grub.cfg
/etc/default/grub and re-install grub.
Reboot. System prompts
Attempting to decrypt master key... for passphrase to unlock
hd0,msdos5. Enter passphrase and after ~30 second delay the boot menu appears. A second prompt appears to unlock
Note: 1/ GRUB stage input uses qwerty keyboard (keymap is ignored); 2/ only allowed one chance to get the passphrase correct (will need to reboot if mistyped); 3/ when kernel prompts the second time for the passphrase to unlock the LVM volume it does use the assigned keymap.
5. Add keyfile to avoid extra passphrase prompt
Generate an encryption keyfile and place in a LUKS key slot …
# mkdir -m 0700 /etc/keys # (umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync) # cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key # cryptsetup luksDump /dev/sda5
Keyfile has been added to
Key Slot 0: ENABLED. Original passphrase occupies
Key Slot 1: ENABLED, and there remain 6 free slots
/etc/crypttab and replace
none with the key file path (
/etc/keys/root.key) and the key-slot it occupies (
sda5_crypt UUID=... /etc/keys/root.key luks,discard,key-slot=0
/etc/cryptsetup-initramfs/conf-hook with …
UMASK to root-only access to avoid leaking key material …
# echo UMASK=0077 >> /etc/initramfs-tools/initramfs.conf
Re-generate the initramfs image, and verify that it has the restrictive permissions and includes the key …
# update-initramfs -u -k all # stat -L -c "%A %n" /initrd.img # lsinitramfs /initrd.img | grep "^cryptroot/keyfiles/
Reboot. Now there is only the single prompt for a passphrase.
6. Helpful resources
- CC BY-SA image of “Torii Gates” courtesy of BriYZZ