what I have
grml-2017.06.iso on a usb-stick (Kernel 4.9)
old data from a BIOS installation -> Debian 9 (Kernel 4.9)
what I want:
a fully encrypted system (including /boot) with UEFI-Boot
btrfs with subvolumes
On UEFI systems you have to use a GPT partition table and create an EFI system partition (ESP).
/dev/sda1 512M type EF00 # UEFI partition
/dev/sda2 X type 8300 # DM-CRYPT-LUKS
/dev/sda3 Y type 8200 # SWAP (a plain partition outside the LUKS container, so swap is not encrypted in this layout)
# Create the FAT filesystem for the EFI system partition. This replaces
# whatever filesystem was on /dev/sda1; the partition itself stays unencrypted.
mkfs.vfat /dev/sda1
The second partition is used for a LUKS-container:
# Initialise /dev/sda2 as a LUKS container. This overwrites the existing
# contents of the partition and asks for the new passphrase.
# NOTE(review): /boot lives inside this container, so GRUB has to unlock it
# itself. Newer cryptsetup releases create LUKS2 by default, which older GRUB
# versions cannot open; on such a system check the header with
# `cryptsetup luksDump /dev/sda2` and consider `--type luks1` — confirm against
# the cryptsetup and GRUB versions actually in use.
cryptsetup luksFormat /dev/sda2
# Unlock the container; the plaintext device appears as /dev/mapper/sda2_crypt.
cryptsetup luksOpen /dev/sda2 sda2_crypt
# Create the btrfs filesystem (label "system") inside the opened container.
mkfs.btrfs -L system /dev/mapper/sda2_crypt
# Mount the top level of the new filesystem so the subvolumes can be created.
mount /dev/mapper/sda2_crypt /target
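# Create one subvolume per future mount point. The mount-point notes are real
# shell comments here: written as "-> later mounted to ...", the ">" would be
# parsed as an output redirection (creating a file named "later") and the
# remaining words would be passed to btrfs as extra arguments.
btrfs subvolume create /target/@            # later mounted to /
btrfs subvolume create /target/@home        # later mounted to /home
btrfs subvolume create /target/@var         # later mounted to /var
btrfs subvolume create /target/@snapshots   # later mounted to /.snapshots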
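# Replace the top-level mount with the @ subvolume, then mount the other
# subvolumes below it. Every later step (mkdir, rsync, chroot) works on
# /target, so the @ subvolume has to be mounted there as well; mounting it
# somewhere else would leave /target pointing at the live system's own
# directory and the copy would never reach the encrypted filesystem.
umount /target
mount -o subvol=@ /dev/mapper/sda2_crypt /target
# Mount points for the remaining subvolumes, created inside @.
mkdir /target/{home,var,.snapshots}
mount -o subvol=@home /dev/mapper/sda2_crypt /target/home
mount -o subvol=@var /dev/mapper/sda2_crypt /target/var
mount -o subvol=@snapshots /dev/mapper/sda2_crypt /target/.snapshots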
Get the subvolume IDs:
# List the subvolumes of the filesystem mounted at /target; -p adds the
# parent ID column to the output.
btrfs subvolume list -p /target
Set the default subvolume:
# VOL-ID is a placeholder for a numeric ID from the listing above —
# presumably the ID of the @ subvolume, since that one is mounted as /.
btrfs subvolume set-default VOL-ID /target
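# Mount the old installation read-only so the copy cannot modify it.
# OLD_DEVICE is a placeholder for the old root partition.
mount -o ro /dev/OLD_DEVICE /source
# Copy the old system: -a archive mode, -A ACLs, -H hard links,
# -X extended attributes. Each pattern gets its own --exclude option: a brace
# list broken across lines with " \" contains a space after the line
# continuation is removed, so the shell no longer brace-expands it and rsync
# receives a literal "{...," pattern plus a stray extra argument.
rsync -aAHX --info=progress2 \
  --exclude='/proc/*' \
  --exclude='/sys/*' \
  --exclude='/run/*' \
  --exclude='/var/run/*' \
  --exclude='/dev/*' \
  --exclude='/tmp/*' \
  /source/ /target/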
# Mount the EFI system partition inside the new root. /dev/sda1 is the only
# filesystem of this setup that stays unencrypted.
mkdir /target/boot/efi
mount /dev/sda1 /target/boot/efi
# Make the live system's /dev, /proc and /sys visible inside the new root;
# the tools run later in the chroot (grub-install, update-initramfs) are
# expected to need them.
sudo mount --bind /dev /target/dev
sudo mount --bind /proc /target/proc
sudo mount --bind /sys /target/sys
# Switch into the copied system; the following commands run inside it.
chroot /target
If your old system was installed on a BIOS system, you need to install the GRUB 2 variant for EFI systems.
# Install the EFI build of GRUB 2 inside the chroot.
# NOTE(review): if the old system was not encrypted, the cryptsetup package
# presumably has to be installed here as well, so that the initramfs built
# later can unlock the root device — confirm.
apt-get install grub-efi-amd64
example /etc/crypttab:
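# <target name> <source device> <key file> <options>
# crypttab has four fields. The key-file field must be present; "none" means
# the passphrase is asked for interactively. Without it, "luks,discard" is read
# as the key-file path and no options are applied.
# discard passes TRIM requests through to the underlying device. That exposes
# which blocks of the encrypted volume are unused; drop the option if this
# information leak is not acceptable.
sda2_crypt UUID=9c562dde-650d-4de9-9462-faf22d75fea5 none luks,discard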
example /etc/fstab:
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# Root: the @ subvolume of the btrfs filesystem inside the opened LUKS container.
/dev/mapper/sda2_crypt / btrfs subvol=@,defaults,noatime 0 0
# NOTE(review): /dev/sda3 is used directly, so swap is written to disk
# unencrypted although the rest of the system sits inside LUKS. Memory pages
# swapped out here can be read offline; an encrypted swap mapping would be
# needed to match the "fully encrypted" goal.
/dev/sda3 none swap sw 0 0
# X is a placeholder for a filesystem UUID — presumably that of the btrfs
# filesystem on /dev/mapper/sda2_crypt, not the partition size called X above;
# confirm with blkid.
UUID=X /home btrfs subvol=@home,defaults,noatime 0 0
UUID=X /var btrfs subvol=@var,defaults,noatime 0 0
UUID=X /.snapshots btrfs subvol=@snapshots,defaults,noatime 0 0
# Y is a placeholder for the UUID of the vfat EFI system partition
# (presumably /dev/sda1 — confirm with blkid).
UUID=Y /boot/efi vfat rw 0 0
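# Tell GRUB to unlock the LUKS container itself; this is needed because /boot
# (kernel and initramfs) lives inside the encrypted volume. The line is only
# appended when it is not present yet, so re-running this step does not
# duplicate it in /etc/default/grub.
grep -qxF 'GRUB_ENABLE_CRYPTODISK=y' /etc/default/grub ||
  echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
# Install GRUB for UEFI. The option is spelled out as --bootloader-id instead
# of relying on the abbreviated form --bootloader.
# --boot-directory puts GRUB's modules and grub.cfg on the EFI system
# partition, which is not encrypted: those files are not protected against
# offline modification by the LUKS container.
sudo grub-install --target=x86_64-efi --efi-directory /boot/efi --bootloader-id=debian \
  --boot-directory=/boot/efi/EFI/debian --recheck
# Generate the GRUB configuration at the location used by the install above.
sudo grub-mkconfig -o /boot/efi/EFI/debian/grub/grub.cfg
# Rebuild the initramfs of every installed kernel so that the new
# /etc/crypttab is taken into account at boot.
sudo update-initramfs -u -k all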
You have to enter the LUKS passphrase twice: once for GRUB and once for Linux.