How to Install Debian 8.3 along with LUKS Encrypted /home and /var Partitions

To Install Debian 8.3 - LUKS Encrypted /home and /var Partitions

LUKS (Linux Unified Key Setup) is a standard for hard disk block encryption on Linux that stores all of its setup data in the partition header. A decryption key can be used to automatically unlock, decrypt and mount LUKS-encrypted partitions. The /var partition stores database information and the /home partition stores users' data, so this guide encrypts only the /var and /home partitions and not the entire system. The following article will help you install Debian 8.3 with /home and /var as LVM partitions on top of a LUKS-encrypted volume.

Installation of Debian 8.3

1. Download the Debian 8.3 ISO image and create a bootable USB drive or burn it to a CD.
After the system boots from the Debian installation media, select Install on the screen and press Enter to proceed.

2. Next, select the language and your country for the installation. Then configure your keyboard and wait for additional components to be loaded.

3. If you provide network settings through a DHCP server, the installer will configure your network card interface. If you do not use a DHCP server, choose Configure network manually to set up your interface IP address. If you don't want to configure the network, choose Do not configure the network at this time.





Then type a hostname for your machine and click Continue.

4. Now type a strong password for the root user.

Create a first user account with a password.

5. On the next screen, choose the Manual partitioning method, select the hard drive you want to partition, and select Yes to generate an empty partition table.

6. The following screen lets you split the hard drive into partitions. The first partition will be / (root): select the FREE SPACE, press Enter, and select Create a new partition. Give it a minimum size of 8G, set it as a Primary partition and set the location to Beginning.





7. Now configure the / (root) partition with the following settings:

Use the Ext4 journaling file system
Mount Point: /
Label: root
Bootable flag: on
Choose Done setting up the partition and press Enter.

8. Next, configure the encrypted volumes by selecting Configure encrypted volumes and then Yes.

9. On the next screen, choose Create encrypted volumes and select the partitions to encrypt. Use the up and down arrows to move over the partitions and press the Space key to select a partition. An asterisk appears to indicate that a partition is selected. Press the Tab key to reach Continue and select Done setting up the partition. Finally select Yes and Finish.

10. The installer will ask whether to remove the data on the encrypted partitions. If the hard disk is new or you don't have much time, choose No. Otherwise choose Yes, and create a strong passphrase for the encrypted data. Press Continue to return to the main partition menu and then start configuring the LVM volumes.



11. Create LVM partitions for /var and /home on the encrypted volume. Select Configure the Logical Volume Manager and choose Yes to write the new changes to disk.

12. Now create a Volume Group (VG): give the VG a descriptive name, press the Space key to select the partitioned device that will be part of the VG, and press the Tab key to continue.

13. Create Logical Volumes for the /var and /home partitions. Choose Create logical volume, then choose the volume group name followed by the logical volume name. Enter your desired size for the home Logical Volume and press Continue.

14. Repeat the above steps to create the Logical Volume for the /var partition, and finally press Finish to return to the main partition menu.




15. Now configure the LVM partition settings and mount points with the following settings.
-> Ext4 journaling file system should be used.
-> Mount Point: /home.
-> Label: home.
Finally choose Done.

16. Repeat the above steps for the var Logical Volume with the settings described below:
-> Ext4 journaling file system should be used.
-> Mount Point: /var
-> Label: var

Finally press Done. If you are satisfied with the partitions, move to Finish partitioning and write changes to disk, then choose No, and Yes if formatting is required.








17. A new window appears after the installer configures the apt repositories. Choose No and select the software to install. Depending on your machine, you might choose a Graphical User Interface with your Desktop Environment. If you want to use your system as a server, choose SSH and standard system utilities and press Continue.

18. After the necessary packages are installed, install the GRUB boot loader to the MBR of your hard disk (/dev/sda) and wait for the installation to complete.

19. Select Continue to reboot your system. At the end of the boot process you will be prompted to enter the passphrase to unlock the encrypted device and mount the encrypted partitions.

20. Log in as the root user and create a protected key on the root partition (in /root) by running the following commands. This key is used to automatically unlock and mount the encrypted /home and /var partitions.

# dd if=/dev/random of=/root/cryptkey bs=512 count=1
# chmod 700 /root/cryptkey

21. Now open and edit /etc/crypttab file and replace none parameter with absolute system path to the key.

# nano /etc/crypttab



22. Add the key to the encrypted LUKS device by running the following commands, and confirm that the key has been added to slot no. 1.

# cryptsetup luksAddKey /dev/sda5 /root/cryptkey

# cryptsetup luksDump /dev/sda5
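
A check for steps 20 to 22, as an added example that is not part of the original article: check_crypttab_keys confirms that every key file named in the third field of a crypttab exists and is accessible only to its owner, and enabled_slots lists the enabled key slots from cryptsetup luksDump output. The function names and the sample dump are constructed for illustration, and the slot parser assumes the LUKS1 dump layout.

```shell
#!/bin/sh
# Added example (not from the article): audit crypttab key files and
# list enabled LUKS key slots. Function names are hypothetical.

# check_crypttab_keys FILE
# Fields per line: target, source device, key file, options.
# Returns 1 if a named key file is missing or not owner-only.
check_crypttab_keys() {
    rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$key" in ''|none|-) continue ;; esac  # unlocked by passphrase prompt
        case "$key" in /dev/*) continue ;; esac     # device source, e.g. random swap key
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key")                 # octal mode, e.g. 700 or 400
        case "$mode" in
            [0-7]00) echo "$name: $key mode $mode (owner-only)" ;;
            *)       echo "$name: $key mode $mode is not owner-only"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# enabled_slots: reads luksDump text on stdin (LUKS1 layout assumed) and
# prints the numbers of ENABLED key slots separated by spaces.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# Constructed sample in the LUKS1 luksDump layout, not taken from a real device.
sample_dump='Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

echo "enabled slots: $(printf '%s\n' "$sample_dump" | enabled_slots)"
```

On the installed system, run check_crypttab_keys /etc/crypttab and cryptsetup luksDump /dev/sda5 | enabled_slots as root. Because / is not encrypted in this layout, the key file is protected only by file permissions on the running system, which is why the mode check matters.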



Thus, at the next boot, the partitions will be automatically unlocked and mounted with the decryption key. When someone gains access to your machine, /var and /home will be highly secured.

It is not possible to recover the encrypted partitions if the decryption key is lost or you forget the passphrase. Thus a regular backup to an encrypted device is very much needed.

FAQ

Q: What is LUKS in Debian?
A: LUKS, an acronym for Linux Unified Key Setup, offers a standard for Linux hard disk block encryption and stores all the setup data in the partition header. If the LUKS partition header is somehow tampered with, damaged or overwritten in any way, the encrypted data that resides on this partition is lost.

Q: Where do we use a DHCP IP when installing Debian with LUKS?
A: If you provide network settings through a DHCP server, then the installer will configure your Network Card Interface. If you do not use a DHCP server then choose Configure network manually to set up your interface IP Address. If you don't want to configure the network then choose Do not configure the network at this time.

Q: Where can I download the Debian 8.3 OS from the website?
A: Use the following link to download the Debian 8.3 OS:
https://www.debian.org/CD/http-ftp/#stable

Q: Where can I get the LUKS official page?
A: You can follow this link for the LUKS official page:
https://guardianproject.info/code/luks/

Q: Are Cryptsetup and LUKS (open-source disk encryption) available as a git project?
A: Yes, it is available at the following link:
https://gitlab.com/cryptsetup/cryptsetup/