Devuan GNU+Linux: Full disk encryption (including /boot)

Last update: Mar 2019 // First created: Mar 2019

Davor Ocelic,,

This is a working, up-to-date guide for installing Devuan GNU+Linux (and probably also Debian GNU and Ubuntu) with full disk encryption (including /boot) directly during installation phase.

This guide is applicable to debian-installer (e.g. Devuan's netinst ISO image). The other installer (named Refracta) which is used in the live ISOs has support for encrypted boot by default — simply put everything on an encrypted root partition and it will do the rest.

1) Boot Devuan GNU+Linux installation

2) Choose Expert mode and follow menus

3) When you get to disk partitioning step, choose Manual. Create a gpt partition table on disk, and then create at least 3 partitions, for example:

1. EFI System Partition, 512 MB

2. Physical volume for RAID, 4GB
   (During install you will use this as unencrypted /boot partition.
   Later you will convert it into an encrypted swap partition, so choose size accordingly.)

3. Physical volume for RAID, the rest of disk
   (You will set this up as an encrypted partition and install the root system on it.)
4) Create RAIDs on these two RAID partitions:

5) Assign the first RAID (4GB) to be used as /boot

6) Assign the second RAID (big one) to be used as physical volume for encryption, configure encryption on it, and then use it as the root partition

7) Finish partitioning, and proceed without creating a swap partition

8) Back in the menu, choose "Install the base system"

9) At "Use network mirror?" step, it is preferrable to say yes so you don't have to bother with /etc/apt/sources.list manually later.
(But if you want to install without connecting to the internet at all, you can sure say no here.)

10) Install everything as you normally would, including the step about installing GRUB to a hard disk

11) When everything is done, don't finish the installation or exit the installer, but execute the shell or press alt+2

12) And now we have to do the changes as follows:
(Please note: as shown above, in our example we have 3 partitions created on disk, and since partition 2 and 3 are RAID, they are known as /dev/md0 (boot i.e. swap) and /dev/md1_crypt (root)):
# Chdir to the most important place! :)
cd /target       # <-- important

# Move boot/ and boot/efi mounts to /mnt/boot, then copy boot files and efi mount over to the boot/ dir.
# The specific way in which this is done is done so that you can work with "mount --bind" rather than having
# to remember or look up device names, and so that if this is scripted it will just work without needing to
# know device names.
mkdir /mnt/root /mnt/efi
mount --bind . /mnt/root
mount --bind boot/efi /mnt/efi
umount boot/efi
cp -a boot/* /mnt/root/boot
umount boot
mount --bind /mnt/efi boot/efi
umount /mnt/root /mnt/efi

# Mount other stuff:
# Not necessary to mount --bind /dev because it should already be mounted
#mount --bind /dev dev
mount --bind /proc proc
mount --bind /sys sys

# Now, chroot into /target and first edit some files:
chroot .
bash               # <-- for convenience
echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub  # <-- Must be =y, not =1 !!
rm /etc/mtab       # <-- Remove stale info

vi /etc/fstab      # <-- Do one thing here:
#   Replace line refering to previous /boot partition into a swap partition:
#   So your line for old-boot should, after you edit it to become swap, look like:
# /dev/mapper/md0_crypt_unformatted none swap sw 0 0

vi /etc/crypttab   # <-- Do two things here:
#   Add ',discard' after 'luks' in there if your disk is SSD
#   Add line for the swap partition
#   So your content in there after editing should look like:
# md1_crypt UUID=... none luks,discard
# md0_crypt /dev/md0 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard

# Delete header from the old boot (now swap):
dd if=/dev/zero of=/dev/md0 bs=512k count=1

# Initialize and start swap to test everything re. swap works fine:
cryptdisks_start md0_crypt
mkswap /dev/mapper/md0_crypt_unformatted
swapon -a
swapoff -a

# And now, run the most important commands:
cp /boot/grub/grub.cfg /boot/grub/grub.cfg,old
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --force-extra-removable

# Finally, exit chroot and unmount everything:
Ctrl+d          # <-- to exit chroot (may need to run twice to also exit bash)

# So now when you are back in directory /target:
umount proc sys boot/efi
And return to the main menu, and choose "Finish installation".

That's it!

(After rebooting, when you choose the appropriate grub menu entry and enter the encryption key, it is normal if the system waits a good amount of time before continuing to boot.)

And once in the new system, if you did not use a network mirror during installation, you might want to set it up now as follows:
# (Replace USB_STICK with the appropriate device/partition name)
mount /dev/USB_STICK /media/cdrom
apt install apt-transport-https
umount /media/cdrom

# Note a single > below -- it overwrites sources.list (which contains just the
# usb stick (cdrom) entry) with a network mirror address
echo 'deb ascii main' > /etc/apt/sources.list

# Set up network in any way that is needed, and then run:
apt update
apt upgrade --no-install-recommends

# And when you list packages, not counting the header (5 lines) there should be
# 228 packages installed in the default/smallest install.
dpkg -l | wc -l