Full disk encryption (including boot) on Debian

Last modified on 2020-05-06

Torii Gates

Install Debian 10 “buster” on a single encrypted partition using LVM on LUKS.

Let’s go!

Devices that go out and about such as laptops and backup external drives should have their contents encrypted to guard against loss or theft. Plus you really want to encrypt everything (not just home). All sorts of information and crypto weaknesses can seep into logfiles, temp files and swap memory. Tutorials and Linux distro installers that support encrypting root and home and swap usually advise or auto-create a separate unencrypted boot partition; reasoning that the Linux kernel first needs to be found by the boot loader before it can proceed to decrypt the rest of the system. I certainly thought this was true and partitioned my Linux installs accordingly.

However, turns out that GRUB2 supports booting from an encrypted boot courtesy of its cryptodisk module. Debian’s installer does not provide the option of encrypting boot. But it is possible!

Steps below install a minimal Debian that makes use of the entire disk as a single Linux Unified Key Setup (LUKS) encrypted partition that is used by the Logical Volume Manager (LVM) to create “virtual partitions” (Logical Volumes or LVs) of root (containing boot), swap, and home. Installing LVM on top of the encrypted partition allows:

Sample device (my Thinkpad X230) uses BIOS MBR and boots in legacy boot mode. I don’t have any devices using UEFI; see “Helpful resources” at the end about extrapolating from these steps to deal with /boot/efi.

1. Install Debian

A visual walk-through using the Debian network installer to create a console-only base configuration using LVM on LUKS.

2. Convert LUKS2 device to LUKS1

Important! Device holding /boot needs to be in LUKS format version 1 to be unlocked from the boot loader. Debian installer creates LUKS2 devices.

Check the LUKS format version on the root device. Run luksDump on example device sda5

# cryptsetup luksDump /dev/sda5

Output is Version: 2 and in Keyslots there is a single occupied slot 0: luks2. Existing LUKS2 devices can be converted to LUKS1, but not on a mounted filesystem.

Reboot the computer. At the GRUB menu, enter e to edit, add break=mount to the end of the linux line for the kernel, and F-10 to boot. System drops into a initramfs shell.

Key slots need to be converted to use the PBKDF2 algorithm exclusively prior to LUKS format version downgrade …

# cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5
# cryptsetup convert --type luks1 /dev/sda5
# cryptsetup luksDump /dev/sda5

Running luksDump now outputs Version: 1 and Key Slot 1: ENABLED with the other 7 slots DISABLED.

CTRL-ALT-Delete to reboot.

3. Move boot to root

Ensure data is not modified while being copied by remounting /boot read-only …

# mount -o remount,ro /boot

Recursively copy the directory to the root filesystem, and replace the old /boot mountpoint with the new directory …

# cp -axT /boot /boot.tmp
# umount /boot
# rmdir /boot
# mv -T /boot.tmp /boot

Modify /etc/fstab by commenting out the entry for the /boot mountpoint …

#UUID=... /boot           ext2    defaults        0       2

4. Enable cryptomount in GRUB

Add the CRYPTODISK module to GRUB config and update the image …

# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
# update-grub
# grub-install /dev/sda

Verify that grub.cfg has entries for insmod cryptodisk and insmod luks

# grep 'cryptodisk\|luks' /boot/grub/grub.cfg

Otherwise, add cryptodisk and luks to GRUB_PRELOAD_MODULES in /etc/default/grub and re-install grub.

Reboot. System prompts Attempting to decrypt master key... for passphrase to unlock hd0,msdos5. Enter passphrase and after ~30 second delay the boot menu appears. A second prompt appears to unlock sda5_crypt.

Note: 1/ GRUB stage input uses qwerty keyboard (keymap is ignored); 2/ only allowed one chance to get the passphrase correct (will need to reboot if mistyped); 3/ when kernel prompts the second time for the passphrase to unlock the LVM volume it does use the assigned keymap.

5. Add keyfile to avoid extra passphrase prompt

Generate an encryption keyfile and place in a LUKS key slot …

# mkdir -m 0700 /etc/keys
# (umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync)
# cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key
# cryptsetup luksDump /dev/sda5

Keyfile has been added to Key Slot 0: ENABLED. Original passphrase occupies Key Slot 1: ENABLED, and there remain 6 free slots DISABLED.

Modify /etc/crypttab and replace none with the key file path (/etc/keys/root.key) and the key-slot it occupies (key-slot=0) …

sda5_crypt UUID=... /etc/keys/root.key luks,discard,key-slot=0

Modify /etc/cryptsetup-initramfs/conf-hook with …

KEYFILE_PATTERN="/etc/keys/*.key"

In /etc/initramfs-tools/initramfs.conf, set UMASK to root-only access to avoid leaking key material …

# echo UMASK=0077 >> /etc/initramfs-tools/initramfs.conf

Re-generate the initramfs image, and verify that it has the restrictive permissions and includes the key …

# update-initramfs -u -k all
# stat -L -c "%A  %n" /initrd.img
# lsinitramfs /initrd.img | grep "^cryptroot/keyfiles/

Reboot. Now there is only the single prompt for a passphrase.

6. Helpful resources

Happy hacking!