Encrypted /boot & GPT partition table using d-i - full instructions
On Mon, Dec 17, 2018 at 04:47:32PM +0100, Cyril Brulebois wrote:
> Hello,
>
> autosend@riseup.net <autosend@riseup.net> (2018-12-17):
> > I have managed to find a way to trick the Debian installer into
> > encrypting the /boot partition, so that only the MBR GRUB portion of
> > the hard drive is unencrypted.
> >
> > This means the password must be input twice at boot, but on the plus
> > side, the Linux kernel lives in /boot, so the system is better
> > protected.
> >
> > Are you interested in how I did this? I have a full step-by-step guide
> > which I have tried to minimize as much as possible. I was hoping it
> > could be engineered into a guided installation option.
> >
> > Note: it only involved one reboot back into the installer environment.
> >
> > Also, I did it with GPT, which is also something that D-I should
> > support, especially when it comes to encrypted disks (GPT stores a
> > couple backups of the partition table).
>
> This seems like something that we should support at some point, AFAICT
> grub's cryptodisk support has been around for quite a while, but I've
> never managed to dive into it.
>
> A step by step guide would certainly be helpful to others, and might be
> a basis for d-i contributors to get involved in implementing this.
>
> Thanks for your proposal.
>
>
> Cheers,
> --
> Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant
It was quite an effort in reverse engineering, because I couldn't find a lot of
documentation on d-i at short notice via search engines, and so I essentially
took a brute-force approach. Haven't tried using preseed files to do this,
because it seems preseed files aren't as simple to load into d-i as dropping one
into the first partition of a USB drive, for example (this is where BIOS
updaters often look for a file, as an example).
OK, here are the full instructions.
Note: this is 'expert install' mode.
1. Configure partman with 1MB /boot as ext4.
Configure 2nd partition using 100% of space, and dedicate it as a crypto
volume.
Note: the above can be done with fdisk on TTY2, and fdisk is better at using
up almost 100% of disk space, by default.
Finish configuring encrypted volume.
2. Set the configured encrypted volume as the root '/' mount point.
It can be either an ext4 or XFS filesystem (have not tested others).
Note: this part must be done via partman so that d-i lets you continue.
3. Choose to install base system and switch to TTY4.
At the point that d-i attempts to install the kernel and pauses, switch over
to TTY2 and unmount /target/boot:
# umount /target/boot
4. Switch back to TTY1, choose kernel to install, and install initramfs.
If all the above steps have been followed, and no error messages _yet_, then
now is a good time to set up users, clock, network, etc., if you want to.
5. Choose to install the GRUB boot loader - it will fail but will at least
successfully install the GRUB dpkgs.
6. Switch to TTY2 and chroot into /target
# chroot /target
7. Install gdisk and run it on your target hard drive:
# apt-get install -y gdisk && gdisk /dev/sda
Note: the above assumes your target install disk is /dev/sda.
Change the partition type of the 1MB partition to ef02.
Write the changes to disk.
8. Exit the chroot, switch to TTY1 and select 'finish installation' - you will
have to select 'continue without bootloader'.
9. Reboot, but this time instead of 'expert mode' choose 'rescue mode'.
Unlock your disk with the LUKS password.
Enter a shell within the install environment, either by selecting from the
menu, or by switching to TTY2 and chrooting in.
10. Edit your /etc/default/grub within the target install volume to include the
line:
GRUB_ENABLE_CRYPTODISK=y
11. Also run the following from within new install, perhaps twice for good
measure:
# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install /dev/sda
Note: the above assumes your target install disk is /dev/sda.
12. Delete the /boot line from /etc/fstab within the target install volume.
13. Reboot into a working install, with GPT partition table and encrypted /boot!
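The post-reboot fix-up in steps 10 to 12 is the part most easily got wrong by hand, so here is a small POSIX sh helper that applies those two file edits (GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, no separate /boot in /etc/fstab) and checks that both are in place. This is an added example, not part of the original mail or of d-i; it takes the files as arguments so it can be tried on copies before running inside the chroot, and the function names and the DISK argument are my own choices. The grub-mkconfig and grub-install commands are those from step 11 and are only run when regenerate_grub is called explicitly.

```shell
#!/bin/sh
# Added example (not from the original post): apply the /etc/default/grub and
# /etc/fstab edits from steps 10 and 12 to the files given as arguments, and
# verify them, so the edits can be rehearsed on copies before touching the
# target system.
set -eu

# enable_cryptodisk FILE
# Ensure FILE (normally /etc/default/grub inside the chroot) contains exactly
# one active GRUB_ENABLE_CRYPTODISK=y line. An existing setting, commented out
# or not, is replaced in place; otherwise the line is appended. Without it,
# grub-install does not embed the LUKS modules needed to read the encrypted /boot.
enable_cryptodisk() {
    file="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=' "$file"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' \
            "$file" > "$file.tmp"
    else
        cat "$file" > "$file.tmp"
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# strip_boot_from_fstab FILE
# Drop any fstab entry whose mount point (second field) is /boot, keeping
# comments and every other mount untouched. The kernel now lives inside the
# encrypted root, so mounting the old 1MB partition on /boot would hide it.
strip_boot_from_fstab() {
    file="$1"
    awk '/^[[:space:]]*#/ || $2 != "/boot"' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# check_config GRUB_DEFAULT FSTAB
# Return 0 only when both edits are in place; report what is missing otherwise.
check_config() {
    ok=0
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y$' "$1" \
        || { echo "missing GRUB_ENABLE_CRYPTODISK=y in $1"; ok=1; }
    if awk '!/^[[:space:]]*#/ && $2 == "/boot" {found=1} END {exit !found}' "$2"; then
        echo "$2 still mounts a separate /boot"
        ok=1
    fi
    return $ok
}

# regenerate_grub DISK
# The two commands from step 11, to be run inside the chroot of the new
# install (e.g. regenerate_grub /dev/sda). Not run by any check above.
regenerate_grub() {
    grub-mkconfig -o /boot/grub/grub.cfg
    grub-install "$1"
}
```

Inside the rescue-mode chroot the intended sequence is `enable_cryptodisk /etc/default/grub`, `strip_boot_from_fstab /etc/fstab`, `check_config /etc/default/grub /etc/fstab` and only then `regenerate_grub /dev/sda` (adjust the disk as in the note under step 11); a failing check_config is the moment to stop and look, since a grub-install without the cryptodisk setting still succeeds but leaves a boot loader that cannot read its own /boot.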
Because the above instructions took many, many hours to create and minimise, with
so many reboots until I found a working sequence, I'd really, really appreciate
it if the above could be adapted into a 'guided installation' option, then
perhaps in the future LVM could be added, once it is stable enough.
Every user of d-i would benefit from the extra security of encrypted /boot, as
well as the extra reliability of a GPT partition table. GRUB has dutifully
supported both for a while now, including Debian stable's version of GRUB.
Note that last time I checked, Red Hat's Fedora was also installing using MBR
partitions without encrypted /boot, so Debian could be ahead of the curve here.