Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions

15. Now, create the Logical Volumes for /home and /var partitions. Choose Create logical volume -> Press Enter at your Volume Group name -> use the home name for the first Logical Volume -> enter a size for home Logical Volume depending on how much space you want to use for your home partition and hit Continue when you’re done.

Select Logical Volume
Select Logical Volume
Set Volume Group Name
Set Volume Group Name
Create Home Partition
Create Home Partition
Set Size for Home Partition
Set Size for Home Partition

16. Next, repeat the above step in order to create the Logical Volume for /var partition and hit Finish when you’re done to go back to main Partition menu.

Select Logical Volume Type
Select Logical Volume Type
Set Volume Group
Set Volume Group
Create Var Partition
Create Var Partition
Set Var Partition Size
Set Var Partition Size
Finish Partitioning
Finish Partitioning

17. Once returned to the main Partition menu it’s time to configure the LVM partitions settings and mount points. Navigate to #1 home Logical Volume and configure the LVM partition with the following settings:

    1. Use as: Ext4 journaling file system

Mount Point: /home

  • Label: home

 

When you finish hit the Done setting up the partition.

Overview of Current Partition
Overview of Current Partition
Configure Home Mount Point
Configure Home Mount Point

18. Repeat the above steps for #1 var Logical Volume with the following settings:

  1. Use as: Ext4 journaling file system
  2. Mount Point: /var
  3. Label: var

Again, after you finish setting up /var partition hit the Done setting up the partition to return to main Partition menu, review the partitions for a last time, and, if everything is in the right place, move to Finish partitioning and write changes to disk and choose No at the next prompt (Return to partitioning menu) and Yes in order to format the partitions, write changes to disk and continue with the installation process.

Partition Overview
Partition Overview
Create Var Mount Point
Create Var Mount Point
Finish LVM Partitioning
Finish LVM Partitioning
Select Option No
Select Option No
Write Changes to Format Disk
Write Changes to Format Disk

As you can see I’ve not used a swap partition for this tutorial. In case you want to use an encrypted swap partition as well, just create an extra Logical Volume with swap name and use it as Linux swap on Partition settings.

19. That’s all for the partitioning scheme in order to run LVM encrypted partitions on top of an encrypted volume.

After the base system is installed, select a Debian archive mirror country for repositories. If the machine is directly connected to Internet and you do not use a proxy server to gain Internet access, hit on Continue at HTTP proxy information.

Configure Package Manager
Configure Package Manager
Select Location of Repository
Select Location of Repository
Configure HTTP Proxy
Configure HTTP Proxy

20. After the installer will configure the apt repositories a new prompt should appear demanding to participate in the package usage survey. Choose No to continue and select the software you want to install further.

Depending on the final destination of your machine, you can opt for a Graphical User Interface with your favorite Desktop environment (Gnome, Xfce, KDE, Cinnamon, MATE, LXDE) or a server configuration with no GUI.

In any case, choose standard system utilities and SSH if you want to use the machine as a server and hit Continue when you’re done.

Configure Popularity Contest
Configure Popularity Contest
Software Selection
Software Selection

21. After all the required packages are installed on your system, install the GRUB boot loader to your first hard disk (/dev/sda) MBR (Master Boot Record) and wait for the installation process to finish.

Install Grub Loader
Install Grub Loader
Select Grub Loader Location
Select Grub Loader Location

22. After the installation finishes hit Continue to reboot the machine. At the booting process you will be asked to enter the passphrase configured on the installation process in order to unlock the encrypted device and mount the encrypted partitions.

Enter Passphrase
Enter Passphrase

23. In order to automatically unlock and mount the encrypted /home and /var partitions during system boot up, login with root user and create a protected key on /root partition by issuing the following commands:

dd if=/dev/urandom of=cryptkey bs=512 count=1
chmod 700 cryptkey
Auto Mount Encrypted Partitions
Auto Mount Encrypted Partitions

24. After the key has been created, open and edit /etc/crypttab file and replace none parameter with the absolute system path to your key as in the following screenshot:

# nano /etc/crypttab
Add Mount Points
Add Mount Points

25. Next, add the key to encrypted LUKS device by issuing the following command (LUKS can support up to 8 keys or passphrase slots) and verify if the key has been added to slot number 1:

cryptsetup luksAddKey /dev/sda5 /root/cryptkey
cryptsetup luksDump /dev/sda5 
Add Key to Encrypted Luks
Add Key to Encrypted Luks
Encrypted Key
Encrypted Key

That’s it! On the next boot up process, the encrypted partitions will be automatically unlocked and mounted with the below decryption key. All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.

Be aware that if you lose the decryption key or you forget the passphrase set during installation process the data stored onto the encrypted partitions cannot be recovered and will be forever lost, so you should take precaution and regular backup data, preferably to an encrypted device also.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Matei Cezar
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

19 Comments

Leave a Reply
  1. Yeah, I’m not convinced automatic decryption works in Debian. If you issue ‘update-initramfs -u -k all’ you get the error, ‘cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.’ which will hang the system at boot.

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409

    They’re dicking around with systemd and can’t get it sorted out so it isn’t clear if you can use a keyscript in Jessie/Stable.

    Reply
  2. >All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.

    I’m sorry, how exactly is it gonna be secured from anyone when we’ve just configured these partitions to be mounted automatically without asking the passphrase so anyone will be able to login on our machine and read all the data from these partitions?

    Reply
    • That’s just a simple trick used to decrypt the partitions. I wouldn’t suggest that you should host the key on any of internal hard-disks but you can use an external drive to keep the key secure and plug the drive.

      Reply
  3. If you can boot-up and login to the console check if the / partition is present on fstab (i’m guessing the root partition is not encrypted). Then update the initramfs image with the command ‘update-initramfs -u’

    Reply
  4. Hi, after “update-initramfs -u -k all” the system won’t boot anymore with the error “Unable to find LVM volume hostname-vg/root”. Without that command the passphrase as still asked at boot. Do I need to add anything to /etc/fstab?
    Any other suggestion?

    Reply
  5. After step 25 (add the key to encrypted LUKS device and enter the passphrase) the key is not be added to the slot, but I get a message “Failed to open key file”.
    All previous steps went flawless.
    What went wrong?

    Reply
  6. Hi,

    After the last step, to make the system use the key file, I had to :
    update-initramfs -u -k all

    WIthout this command, the passphrase was still asked at boot time.

    But I’m really wondering… how is it secure to store the key on disk, in the case someone get physical access to your hard drive? If I do this on a netbook, and someone steal it, will he be able to unlock the crypted volume after he found this key file??

    Thanks for the tutorial!

    Reply
  7. Mate, you describe the creation of dm-crypt containers, which are not really LUKS. Try changing the pasword on the volume you create (a trivial operation for LUKS), and let us know how it worked.

    Reply
  8. “All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.”
    –> huummm , seriously ?

    Reply
    • @Lemoidului,
      Yes, what’s wrong here? /home contains important user data and /var contains important server logs, these two partitions needs to be secured..Instead finding out errors in the article, appreciate the author for his work hard..

      Reply
  9. IMHO, having a encrypted partition with the encryption key stored in a clear text partition by its side, is useless. A false sense of security.

    Reply
  10. This is just a very simple and convenient trick to automatically decrypt and load the encrypted volume in case you don’t have any physical access to the machine or it’s impossible to access or tamper with the boot sequence in order to manually supply the passphrase.

    Reply
  11. @Chris: Check if the key has been added to the encrypted device slot by issuing cryptsetup luksDump command.Also, and verify the content of /etc/crypttab file and ensure that the correct key with absolute path has been added.

    Reply
  12. Sorry if I missed something, but… what’s the point of having a encrypted partition and storing the encryption password in a unencrypted partition?

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.