Re: Dual-Boot w/ encryption

To: debian-security@lists.debian.org
Subject: Re: Dual-Boot w/ encryption
From: "H." <osterd@gmx.de>
Date: Tue, 17 May 2016 17:22:03 +0200
Message-id: <[🔎] 20160517172203.02a80573@Secure>
In-reply-to: <[🔎] CAPYZEwTDOQavPADsO50CpWgmh_w9tO70mP+kgB7yq-E4dtBwnQ@mail.gmail.com>
References: <[🔎] CAJJ2v1Vnk-xzrpATnZnMNN4grOc1++-odLxmqAwrPzFT+fV=1A@mail.gmail.com> <[🔎] 1463491910.3478.0.camel@marupa.net> <[🔎] CAPYZEwTDOQavPADsO50CpWgmh_w9tO70mP+kgB7yq-E4dtBwnQ@mail.gmail.com>

Hey,
I'm using this setup frequently. First I'd advice you to get familiar with how
to set up a single fully encrypted disk. You should know if you want two
cryptfs each in a single partition and then your LVM or common disk layout
inside each of the cryptfs partitions or if you want to have an lvm on top.

Then what you could do very easily:
Backup you important data. Resize your current installation/partition so that
you have some disk space available. (Note you have to resize the file-system,
the lvm - if present - and the cryptsetup partition. You can find multiple
links on how to do each step.)

Next boot from the Debian Installation medium, proceed till you have to set up
your disk layout. Create a new home partition and - for the sake of simplicity -
an extra boot partition. But don't set the bootable flag for it. You will still
use your initial bootpartition to boot the whole setup. Having a separate boot
partition for every setup just avoids broken initrd/vmlinuz images,
resulting e.g. from using different kernels/systemd-modules in the different
installations.

Now proceed as usual but install grub to the newly created boot partition,
e.g. /dev/sdX3 - mind to provide a partition number.

Finally restart and boot into your already present installation. The new
installation is not found yet, b/c you haven't rebuild the grub config.

This you can do as follows:

As root do:
cryptsetup luksOpen /dev/sdX2 oldRoot
(vgscan)
(vgchange -ay)
mkdir /tmp/{bootNew,rootNew}
mount /dev/mapper/... 	/tmp/rootNew
mount /dev/sdX3 	/tmp/bootNew
# The name presented in /dev/mapper depends on whether or not you use LVM.
# Check with lsblk and fdisk -l if you are unsure. Mount the ext4 partition
# containing your new root and the new boot partition.
Now run:
update-grub2
to rebuild your grub config.

Eventually you also have to use "update-initrd -u".

So actually the only thing you have to watch from now on is to mount the new
installation, when you perform a kernel upgrade/regenerate the grub-config on
the old system. Otherwise the startup entry would vanish.

Of course you could also copy-paste the section for the new system
from /boot/grub/grub.cfg to /boot/grub.d/40_custom.

That way you add this static information on every grub-config rebuild. But the
setup will break if were ever to change your disk layout. In that case you
would have to proceed as stated above. (I.e. just the regeneration part.)

Best
H.

Reply to:

References:
- Dual-Boot w/ encryption
  - From: Ralph Sanchez <rwsanchez3@gmail.com>
- Re: Dual-Boot w/ encryption
  - From: Yaro Kasear <yaro@marupa.net>
- Dual-Boot w/ encryption
  - From: Kenneth Jensen <kennethjensenb@gmail.com>

Prev by Date: Re: Dual-Boot w/ encryption
Next by Date: Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?
Previous by thread: Dual-Boot w/ encryption
Next by thread: Re: Dual-Boot w/ encryption
Index(es):
- Date
- Thread