Last update: Mar 2019 // First created: Mar 2019
Davor Ocelic, docelic@spinlocksolutions.com, http://techpubs.spinlocksolutions.com/
http://techpubs.spinlocksolutions.com/devuan/full-disk-encryption.html
This is a working, up-to-date guide for installing Devuan GNU+Linux (and probably also Debian GNU/Linux and Ubuntu) with full disk encryption (including /boot) directly during the installation phase.
This guide is applicable to debian-installer (e.g. Devuan's netinst ISO image). The other installer (named Refracta), which is used in the live ISOs, has support for encrypted boot by default — simply put everything on an encrypted root partition and it will do the rest.
1) Boot the Devuan GNU+Linux installation.
2) Choose Expert mode and follow the menus.
3) When you get to the disk partitioning step, choose Manual. Create a GPT partition table on the disk, and then create at least 3 partitions, for example:
   1. EFI System Partition, 512 MB
   2. Physical volume for RAID, 4 GB (during install you will use this as the unencrypted /boot partition; later you will convert it into an encrypted swap partition, so choose the size accordingly)
   3. Physical volume for RAID, the rest of the disk (you will set this up as an encrypted partition and install the root system on it)
4) Create RAIDs on these two RAID partitions:
# Chdir to the most important place! :)
cd /target   # <-- important

# Move the boot/ and boot/efi mounts aside (via /mnt/root and /mnt/efi), then copy the boot files and the efi mount over to the boot/ dir.
# The specific way in which this is done is so that you can work with "mount --bind" rather than having
# to remember or look up device names, and so that if this is scripted it will just work without needing to
# know device names.
mkdir /mnt/root /mnt/efi
mount --bind . /mnt/root
mount --bind boot/efi /mnt/efi
umount boot/efi
cp -a boot/* /mnt/root/boot
umount boot
mount --bind /mnt/efi boot/efi
umount /mnt/root /mnt/efi

# Mount other stuff:
# Not necessary to mount --bind /dev because it should already be mounted
#mount --bind /dev dev
mount --bind /proc proc
mount --bind /sys sys

# Now, chroot into /target and first edit some files:
chroot . bash   # <-- for convenience
echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub   # <-- Must be =y, not =1 !!
rm /etc/mtab   # <-- Remove stale info
vi /etc/fstab   # <-- Do one thing here:
# Replace the line referring to the previous /boot partition with a swap partition.
# So your line for the old boot partition should, after you edit it to become swap, look like:
# /dev/mapper/md0_crypt_unformatted none swap sw 0 0
vi /etc/crypttab   # <-- Do two things here:
# Add ',discard' after 'luks' in there if your disk is an SSD
# Add a line for the swap partition
# So your content in there after editing should look like:
# md1_crypt UUID=... none luks,discard
# md0_crypt /dev/md0 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard

# Delete the header from the old boot (now swap):
dd if=/dev/zero of=/dev/md0 bs=512k count=1

# Initialize and start swap to test that everything regarding swap works fine:
cryptdisks_start md0_crypt
mkswap /dev/mapper/md0_crypt_unformatted
free
swapon -a
free
swapoff -a
free

# And now, run the most important commands:
cp /boot/grub/grub.cfg /boot/grub/grub.cfg,old
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --force-extra-removable

# Finally, exit chroot and unmount everything:
Ctrl+d   # <-- to exit chroot (may need to run twice to also exit bash)
# So now when you are back in directory /target:
umount proc sys boot/efi

And return to the main menu, and choose "Finish installation".
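The chroot step depends on three hand-edited files agreeing with each other, and the one value GRUB actually honours is easy to get wrong. The script below is an added example, not part of the original guide: it checks /etc/default/grub for the exact GRUB_ENABLE_CRYPTODISK=y line (the =1 pitfall noted above), checks that every /dev/mapper device named in fstab has a crypttab entry (tolerating the _unformatted suffix the guide uses for the swap mapping), and checks that the swap mapping takes a throwaway key from /dev/urandom with the swap option. It runs against constructed sample files; the function names, sample paths and placeholder UUIDs are assumptions. On a real install, point the functions at the files under /target/etc before leaving the chroot.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity checks for the files
# edited inside the chroot. All file paths are passed in, so the functions can
# be pointed at /target/etc/... or at the constructed samples created below.

# grub-mkconfig only includes the cryptodisk support when the value is
# literally "y"; "=1" is silently ignored, so match the whole line exactly.
check_grub_cryptodisk() {
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Every /dev/mapper/NAME in fstab ($1) must be defined in crypttab ($2).
# The "_unformatted" suffix is the name Debian's cryptdisks scripts give a
# random-key swap mapping before mkswap, so it is stripped before the lookup.
check_fstab_crypttab() {
    awk 'BEGIN { bad = 0 }
         NR == FNR { if ($0 !~ /^#/ && NF) ct[$1] = 1; next }
         $1 ~ /^\/dev\/mapper\// {
             n = $1; sub("/dev/mapper/", "", n); sub("_unformatted$", "", n)
             if (!(n in ct)) { print "fstab device " $1 " has no crypttab entry"; bad = 1 }
         }
         END { exit bad }' "$2" "$1"
}

# The swap mapping ($2) in crypttab ($1) must take its key from /dev/urandom and
# carry the "swap" option, so no key ever lives on disk and the mapping is
# re-created with a fresh key on every boot.
check_swap_mapping() {
    awk -v n="$2" '$1 == n && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { ok = 1 }
                   END { exit !ok }' "$1"
}

# Constructed sample files mirroring the guide's layout (UUIDs are placeholders).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_ENABLE_CRYPTODISK=y
EOF
cat > "$SAMPLE_DIR/grub-bad" <<'EOF'
GRUB_ENABLE_CRYPTODISK=1
EOF
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# <file system>                     <mount point> <type> <options>          <dump> <pass>
/dev/mapper/md1_crypt               /             ext4   errors=remount-ro  0      1
UUID=0000-PLACEHOLDER               /boot/efi     vfat   umask=0077         0      1
/dev/mapper/md0_crypt_unformatted   none          swap   sw                 0      0
EOF
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
md1_crypt UUID=PLACEHOLDER-UUID none luks,discard
md0_crypt /dev/md0 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
EOF

# Run all checks on a directory holding grub, fstab and crypttab;
# exit status 0 means the three files agree.
run_checks() {
    check_grub_cryptodisk "$1/grub" &&
    check_fstab_crypttab "$1/fstab" "$1/crypttab" &&
    check_swap_mapping "$1/crypttab" md0_crypt
}

if run_checks "$SAMPLE_DIR"; then echo "sample config: OK"; else echo "sample config: FAILED"; fi
```

To use it inside the chroot, copy /etc/default/grub, /etc/fstab and /etc/crypttab into one directory (named grub, fstab and crypttab) and call run_checks on it, or call the three functions with the real paths directly.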
# (Replace USB_STICK with the appropriate device/partition name)
mount /dev/USB_STICK /media/cdrom
apt install apt-transport-https
umount /media/cdrom

# Note a single > below -- it overwrites sources.list (which contains just the
# usb stick (cdrom) entry) with a network mirror address
echo 'deb https://pkgmaster.devuan.org/merged ascii main' > /etc/apt/sources.list

# Set up network in any way that is needed, and then run:
apt update
apt upgrade --no-install-recommends

# And when you list packages, not counting the header (5 lines) there should be
# 228 packages installed in the default/smallest install.
dpkg -l | wc -l
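Counting lines of dpkg -l also counts the five header lines and any packages that are only half-installed or removed with config files left behind, so the number alone does not tell you the upgrade finished cleanly. The following script is an added example, not part of the original guide: it counts only packages in state "ii", lists any package in another state, and checks that every active deb line in an apt sources file uses https (the reason apt-transport-https was installed from the USB stick). The sample dpkg -l output and sources files are constructed; the package versions are placeholders and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): inspect the result of the
# mirror switch and package upgrade without relying on "dpkg -l | wc -l".

# Count packages that are fully installed (status "ii") in dpkg -l output ($1).
count_installed() {
    awk '$1 == "ii" { n++ } END { print n + 0 }' "$1"
}

# Print packages in any state other than "ii" (leftover configs "rc",
# unpacked-but-unconfigured "iU", holds); after a fresh install this is empty.
list_odd_states() {
    awk 'NR > 5 && $1 != "ii" { print $1, $2 }' "$1"
}

# Every active "deb"/"deb-src" line in an apt sources file ($1) must use https.
# Exit status 0 when all lines comply; offending lines are printed.
check_sources_https() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || NF == 0 { next }
         ($1 == "deb" || $1 == "deb-src") && $2 !~ /^https:\/\// { print "non-https source: " $0; bad = 1 }
         END { exit bad }' "$1"
}

# Constructed sample of dpkg -l output (five header lines, placeholder versions).
SAMPLE_DPKG=$(mktemp)
cat > "$SAMPLE_DPKG" <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  adduser        0.0-placeholder all          add and remove users and groups
ii  apt            0.0-placeholder amd64        commandline package manager
rc  oldtool        0.0-placeholder amd64        removed, config files remain
iU  halfdone       0.0-placeholder amd64        unpacked but not configured
EOF

# Constructed sources files: the guide's mirror line, and one with a plain-http entry.
SAMPLE_SOURCES=$(mktemp)
cat > "$SAMPLE_SOURCES" <<'EOF'
deb https://pkgmaster.devuan.org/merged ascii main
EOF
SAMPLE_SOURCES_BAD=$(mktemp)
cat > "$SAMPLE_SOURCES_BAD" <<'EOF'
deb https://pkgmaster.devuan.org/merged ascii main
deb http://mirror.invalid/merged ascii main
EOF

echo "installed packages: $(count_installed "$SAMPLE_DPKG")"
echo "packages not in state ii:"
list_odd_states "$SAMPLE_DPKG"
check_sources_https "$SAMPLE_SOURCES" && echo "sources.list: all https"
check_sources_https "$SAMPLE_SOURCES_BAD" || echo "sources.list (bad sample): rejected"
```

On the installed system, save the real output with "dpkg -l > /tmp/pkgs" and run count_installed and list_odd_states on that file, and run check_sources_https on /etc/apt/sources.list.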