
How to install with encrypted root?



Hi

This is what I want:

/boot   unencrypted
/usr    unencrypted
/       encrypted
swap    encrypted

The simplest way to try to achieve this (on a netbook) seems to be:

- get debian-6.0.1a-i386-CD-1.iso, write it to a USB flash stick using
unetbootin, boot the graphical installer from it

- choose "manual" in the partitioner,
  * delete all existing partitions
  * create partition and set it up to be ext3 for /boot
  * create partition and set it up to be ext4 for /usr
  * create big partition and set it up for crypt usage
  * create small partition and set it up for crypt usage
  * choose "set up crypt volumes" (or so),
    - say no to "overwrite with random data" (too slow for me;
      actually I went to a console and used "fastrandom"[1] to
      overwrite them)
    - give password (2*2 times, twice for each of the two encrypted partitions)
  * set up the big crypted partition to be ext4 for /
  * set up the small crypted partition to be swap

- let it install the base system; when it says "No installable kernel
was found in the defined APT sources", go to the console, run
  # chroot /target
  # vi /etc/apt/sources.list
  (file is empty, insert sources)
  # apt-get update
  # apt-get install linux-image-686

- let the installer continue; when it says
    apt configuration problem
    An attempt to configure apt to install additional packages from the CD failed.
  just confirm that it should fetch things from the net
  (at that point it will replace sources.list with its own)

- let it install into the MBR; let it reboot, remove the USB flash
stick; after letting grub boot the default entry, and after waiting
~30-45 seconds for the initrd to time out waiting for the root volume
to appear, when thrown to the emergency shell, type this (I've had
this problem on another laptop of mine where I installed Squeeze when
it was testing, already):
  # cryptsetup luksOpen /dev/sda4 sda4_crypt
  command cryptsetup not found

Oh wait, now it doesn't even have cryptsetup in the initrd. Well, no
fun, go write GRML to the USB flash stick and boot from that.

Now, what I'm not sure about is how to make Debian create a new initrd that
*does* contain cryptsetup. (And, in addition, preferably also knows to
ask for the password automatically, unlike the state of affairs on my
previously mentioned laptop.) How do I do that?

Thanks,
Christian.

