Debian Installer - Insert Full Disk Encryption during install

    Authored by Teej Tj

    When installing with Guided partitioning using encrypted LVM, let the installer run to completion but do not reboot; instead use the installer's option to execute a root shell and run the commands below from there.

    This replaces the unencrypted ext2 /boot/ file system that the installer puts in the 2nd partition with a LUKS container that GRUB can unlock itself, so the kernel and initramfs are no longer stored in the clear. It uses LUKS version 1 because, as of the end of 2024, GRUB only implements PBKDF2 (its crypto comes from an old forked copy of libgcrypt) and so cannot open key slots that use Argon2, the LUKS2 default; LUKS1 uses PBKDF2 by default. LUKS2 works as well, but then the luksFormat options must be changed to --type luks2 --pbkdf pbkdf2, and any key slot added later with luksAddKey needs the same --pbkdf pbkdf2 or that slot is unusable from GRUB. Two caveats: PBKDF2 is far cheaper to brute-force than Argon2, so the /boot/ pass-phrase should be long; and GRUB's own EFI binary still sits on the unencrypted ESP (1st partition), where anyone with access to the disk can replace it unless Secure Boot is enforced.

    After booting, GRUB will initially want two pass-phrases: first for the new /boot/ container and then for the LVM/root file-system container (just to read the background image!), and when Linux starts the initramfs will ask for both again. See my other snippet "New Install - configure cryptsetup-initramfs for FDE" for the commands to install and use key-files so that the only pass-phrase request is GRUB's initial unlock of the /boot/ container.

    debian_installer_cryptsetup_full_disk_encryption.sh
    #!/bin/sh
    # Run from the installer's root shell after the installation finishes but before rebooting.
    # Adjust these to the installer's layout (1st partition = ESP, 2nd partition = /boot).
    set -e
    BOOT_PART=/dev/sda2
    ESP_PART=/dev/sda1

    # Stash the installer's /boot contents; unmount the ESP first so it is not copied as well.
    umount /target/boot/efi
    mkdir -p /target/tmp/boot
    cp -va /target/boot/* /target/tmp/boot/
    umount /target/boot

    # LUKS1 so that GRUB (PBKDF2 only) can unlock it; for LUKS2 use: --type luks2 --pbkdf pbkdf2
    cryptsetup luksFormat --type luks1 ${BOOT_PART}
    cryptsetup open ${BOOT_PART} crypt_boot
    ls -l /dev/mapper/crypt_boot
    mkfs.ext4 -L boot /dev/mapper/crypt_boot
    mount /dev/mapper/crypt_boot /target/boot
    cp -va /target/tmp/boot/* /target/boot/

    # Let the initramfs open the container, and point fstab at the new file system by label.
    echo "crypt_boot UUID=$( blkid -s UUID -o value ${BOOT_PART} ) none luks,discard" >> /target/etc/crypttab
    grep ' /boot ' /target/etc/fstab
    sed -i '/\/boot / s,^\(UUID=[^ ]*\),LABEL=boot,' /target/etc/fstab
    sed -i '/\/boot / s,ext2,ext4,' /target/etc/fstab

    # Make grub-install build a core image with the cryptodisk/luks modules (the .d directory may not exist yet).
    mkdir -p /target/etc/default/grub.d
    echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

    # Pseudo file systems the chroot needs; skip any the installer has already mounted.
    grep -qs ' /target/proc ' /proc/mounts || mount -t proc proc /target/proc
    grep -qs ' /target/sys ' /proc/mounts || mount -t sysfs sys /target/sys
    grep -qs ' /target/dev ' /proc/mounts || mount -o bind /dev /target/dev
    mount ${ESP_PART} /target/boot/efi
    grep -qs ' /target/sys/firmware/efi/efivars ' /proc/mounts || mount -t efivarfs none /target/sys/firmware/efi/efivars

    chroot /target grub-install --verbose --force-extra-removable 2>&1 | /target/usr/bin/tee /tmp/grub-install.log
    chroot /target update-grub
    chroot /target update-initramfs -u

    # Checks before rebooting: the EFI boot entry exists and grub.cfg actually unlocks crypt_boot.
    efibootmgr -v
    grep -E 'cryptomount|insmod cryptodisk' /target/boot/grub/grub.cfg
    rm -rf /target/tmp/boot
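    The one thing that silently breaks this setup is a key slot GRUB cannot use: LUKS2 defaults to Argon2, and so does every later luksAddKey unless --pbkdf pbkdf2 is repeated. The following check is an added example and not part of the original snippet; it reads the text of cryptsetup luksDump and decides whether GRUB can open the container (LUKS1 always passes, LUKS2 passes only if every key slot uses pbkdf2; LUKS2 support itself needs GRUB 2.06 or newer). The function names grub_unlockable and check_boot_kdf and the three luksDump samples are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original snippet): decide from `cryptsetup luksDump` output
# whether GRUB can unlock a LUKS container. GRUB only implements PBKDF2, so a LUKS1 header
# always passes and a LUKS2 header passes only if every keyslot was made with --pbkdf pbkdf2.
# The rule is deliberately conservative: a single Argon2 slot fails the whole container.

# grub_unlockable DUMP_TEXT -> exit 0 if GRUB can unlock it, 1 otherwise
grub_unlockable() {
    dump=$1
    version=$(printf '%s\n' "$dump" \
        | sed -n 's/^Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$version" in
        1) return 0 ;;                          # LUKS1 keyslots are always PBKDF2
        2)
            # One line per keyslot: the value after "PBKDF:" in the LUKS2 dump.
            kdfs=$(printf '%s\n' "$dump" \
                | sed -n 's/^[[:space:]]*PBKDF:[[:space:]]*\([^[:space:]]*\).*/\1/p')
            [ -n "$kdfs" ] || return 1          # no keyslots at all: nothing GRUB could open
            printf '%s\n' "$kdfs" | grep -qv '^pbkdf2$' && return 1
            return 0 ;;
        *) return 1 ;;                          # not a LUKS header (or not parseable)
    esac
}

# check_boot_kdf DEVICE -> runs luksDump on a real device and prints a verdict (hypothetical helper)
check_boot_kdf() {
    if grub_unlockable "$(cryptsetup luksDump "$1")"; then
        echo "OK: GRUB can unlock $1"
    else
        echo "FAIL: $1 has a keyslot GRUB cannot use; recreate it with --type luks1 or --pbkdf pbkdf2" >&2
        return 1
    fi
}

# Constructed luksDump samples (abridged; real output has more fields and uses tabs).
SAMPLE_LUKS1=$(cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: DISABLED
EOF
)
SAMPLE_LUKS2_PBKDF2=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
EOF
)
SAMPLE_LUKS2_ARGON=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
EOF
)
# A passphrase slot made with --pbkdf pbkdf2 plus a key-file slot added later with the default KDF.
SAMPLE_LUKS2_MIXED=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
  1: luks2
        PBKDF:      argon2id
EOF
)

# Usage on a real system from the installer shell: sh check_boot_kdf.sh /dev/sda2
if [ $# -ge 1 ] && command -v cryptsetup >/dev/null 2>&1; then
    check_boot_kdf "$1"
fi
```

    Run it against ${BOOT_PART} before rebooting, and again after any luksAddKey on that container; the mixed sample shows the case that bites in practice, where the pass-phrase slot is fine but a key-file slot added later is Argon2 and therefore invisible to GRUB.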