Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions

9. Now it’s time to create the encrypted partition that will be the physical volume for encryption on top of which the LVM /var and /home partition will reside.

To do that, first choose the remaining FREE SPACE -> Create a new partition -> leave the partition size with the default value -> make it a Logical partition -> Use it as Physical volume for encryption -> Done setting up the partition.

Use the below screenshots as a guidance for this steps.

Create Encrypted Partition
Create Encrypted Partition
Create New Encrypted Partition
Create New Encrypted Partition
Enter Partition Size
Enter Partition Size
Set Primary Partition
Set Primary Partition
Select Encryption Type
Select Encryption Type
Encrypted Partition Summary
Encrypted Partition Summary

10. After the Physical volume for encryption has been created it’s time to configure the Encrypted volumes. If you have other partitions or hard drives that you want to use for encryption, now it’s time to create them all by repeating the above steps for each partition on hard drives.

To move forward, next select Configure encrypted volumes and hit on Yes to write the changes to disk and start configure encrypted volumes.

Configure Encrypted Volumes
Configure Encrypted Volumes
Write Changes to Disk
Write Changes to Disk

11. On the next screen choose Create encrypted volumes and choose the devices (partitions) to encrypt. If you have a hard time to recognize the correct devices that will be used for encryption after their partition number or size, just look after a crypto word at the end of each listed partition.

To select the partitions use up and down keys to navigate and press the space key to select the appropriate partitions and an asterisk should appear on the selected device. When you’re done with devices selection, hit the Tab key to jump on Continue and press Enter key to move forward and Finish.

Create Encrypted Volume
Create Encrypted Volume
Select Partition To Encrypt
Select Partition To Encrypt
Finish Encrypted Partition
Finish Encrypted Partition

12. On the next screen the installer will ask you whether you want to erase the data on the encrypted partitions. Depending on your available time or if the hard disk it’s new and has just been partitioned, so it does not contain any data, choose No and provide a strong passphrase for the encrypted volume.

When you’re done with the passphrases hit Continue to return to main Partition menu and configure LVM volumes further.

Erase Data on Partition
Erase Data on Partition
Set Encrypted Passphrase
Set Encrypted Passphrase
Confirm Passphrase
Confirm Passphrase

13. Once you have returned at the main Partition menu, it’s time to create the LVM partitions for /home and /var on top of the encrypted volume.

Next, select Configure the Logical Volume Manager and confirm (Yes) the new write changes to disk.

Configure Logical Volumes
Configure Logical Volumes
Write Changes to LVM
Write Changes to LVM

14. On the next step create a Volume Group using a descriptive name for this VG (for my setup I’ve used the name Jessie) and select the encrypted device (partition) that will be a part of the VG by pressing the space key. To jump to Continue menu press the Tab key.

Create Volume Group
Create Volume Group
Set Volume Group Name
Set Volume Group Name
Select Device for New Volume
Select Device for New Volume
If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

19 thoughts on “Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions”

  1. Yeah, I’m not convinced automatic decryption works in Debian. If you issue ‘update-initramfs -u -k all’ you get the error, ‘cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.’ which will hang the system at boot.

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409

    They’re dicking around with systemd and can’t get it sorted out so it isn’t clear if you can use a keyscript in Jessie/Stable.

    Reply
  2. >All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.

    I’m sorry, how exactly is it gonna be secured from anyone when we’ve just configured these partitions to be mounted automatically without asking the passphrase so anyone will be able to login on our machine and read all the data from these partitions?

    Reply
    • That’s just a simple trick used to decrypt the partitions. I wouldn’t suggest that you should host the key on any of internal hard-disks but you can use an external drive to keep the key secure and plug the drive.

      Reply
  3. If you can boot-up and login to the console check if the / partition is present on fstab (i’m guessing the root partition is not encrypted). Then update the initramfs image with the command ‘update-initramfs -u’

    Reply
  4. Hi, after “update-initramfs -u -k all” the system won’t boot anymore with the error “Unable to find LVM volume hostname-vg/root”. Without that command the passphrase as still asked at boot. Do I need to add anything to /etc/fstab?
    Any other suggestion?

    Reply

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.