Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions

15. Now, create the Logical Volumes for the /home and /var partitions. Choose Create logical volume -> press Enter at your Volume Group name -> use home as the name for the first Logical Volume -> enter a size for the home Logical Volume depending on how much space you want for your home partition, and hit Continue when you’re done.

Select Logical Volume
Set Volume Group Name
Create Home Partition
Set Size for Home Partition

16. Next, repeat the above step to create the Logical Volume for the /var partition and hit Finish when you’re done to go back to the main Partition menu.

Select Logical Volume Type
Set Volume Group
Create Var Partition
Set Var Partition Size
Finish Partitioning

17. Once returned to the main Partition menu, it’s time to configure the LVM partition settings and mount points. Navigate to the #1 home Logical Volume and configure the LVM partition with the following settings:

  1. Use as: Ext4 journaling file system
  2. Mount Point: /home
  3. Label: home

When you finish, hit Done setting up the partition.

Overview of Current Partition
Configure Home Mount Point

18. Repeat the above steps for the #1 var Logical Volume with the following settings:

  1. Use as: Ext4 journaling file system
  2. Mount Point: /var
  3. Label: var

Again, after you finish setting up the /var partition, hit Done setting up the partition to return to the main Partition menu and review the partitions one last time. If everything is in the right place, move to Finish partitioning and write changes to disk, choose No at the next prompt (Return to partitioning menu) and then Yes to format the partitions, write the changes to disk and continue with the installation process.

Partition Overview
Create Var Mount Point
Finish LVM Partitioning
Select Option No
Write Changes to Format Disk

As you can see, I’ve not used a swap partition for this tutorial. If you want an encrypted swap partition as well, just create an extra Logical Volume named swap and set Use as: swap area in its partition settings.

19. That’s all for the partitioning scheme needed to run LVM partitions on top of an encrypted volume.

After the base system is installed, select a Debian archive mirror country for the repositories. If the machine is directly connected to the Internet and you do not use a proxy server, hit Continue at HTTP proxy information.

Configure Package Manager
Select Location of Repository
Configure HTTP Proxy

20. After the installer configures the apt repositories, a new prompt asks whether you want to participate in the package usage survey. Choose No to continue and then select the software you want to install.

Depending on the final destination of your machine, you can opt for a Graphical User Interface with your favorite Desktop environment (Gnome, Xfce, KDE, Cinnamon, MATE, LXDE) or a server configuration with no GUI.

In either case, choose standard system utilities, add SSH server if you want to use the machine as a server, and hit Continue when you’re done.

Configure Popularity Contest
Software Selection

21. After all the required packages are installed, install the GRUB boot loader to the MBR (Master Boot Record) of your first hard disk (/dev/sda) and wait for the installation process to finish.

Install Grub Loader
Select Grub Loader Location

22. After the installation finishes, hit Continue to reboot the machine. During boot you will be asked to enter the passphrase configured during installation in order to unlock the encrypted device and mount the encrypted partitions.

Enter Passphrase

23. In order to automatically unlock and mount the encrypted /home and /var partitions during system boot, log in as root and create a protected key file in /root by issuing the following commands:

dd if=/dev/urandom of=cryptkey bs=512 count=1
chmod 700 cryptkey
Auto Mount Encrypted Partitions

24. After the key has been created, open /etc/crypttab and, in the key file field of each entry, replace the none parameter with the absolute path to your key (/root/cryptkey), as in the following screenshot:

# nano /etc/crypttab
Add Mount Points

25. Next, add the key to the encrypted LUKS device by issuing the following commands (a LUKS device has up to 8 key slots, each holding a key file or a passphrase) and verify that the key has been added to slot number 1:

cryptsetup luksAddKey /dev/sda5 /root/cryptkey
cryptsetup luksDump /dev/sda5 
Add Key to Encrypted Luks
Encrypted Key

That’s it! On the next boot, the encrypted partitions will be automatically unlocked and mounted using the key file created above. All sensitive data stored in the /home and /var partitions will be highly secured in case someone gains physical access to your machine’s hard drive.

Be aware that if you lose the decryption key or forget the passphrase set during installation, the data stored on the encrypted partitions cannot be recovered and will be lost forever, so take precautions and back up your data regularly, preferably to another encrypted device.
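The following is an added example, not part of the original article, that wraps steps 23 to 25 in reusable shell functions and adds the check a practitioner would want before trusting the setup: an audit of /etc/crypttab that flags every entry whose key file lives on the same unencrypted local filesystem as the data it unlocks (the concern raised in the comments below). All device names, UUIDs and paths in it are constructed placeholders, it never touches a real LUKS device, and the cryptsetup commands appear only as comments for the real system. It also differs from the article in one detail: the key file is created with mode 0600 under umask 077 instead of 0700, because a key file has no need for the execute bit.

```shell
#!/bin/sh
# Added example, not from the original TecMint article: helpers for the
# key-file step (23-25) plus a crypttab audit. Every path, device name and
# UUID below is a constructed placeholder; nothing here opens a real LUKS
# device, so it runs safely on any machine.

# make_keyfile DIR NAME
# Create a 512-byte key from /dev/urandom as the article does, but under
# umask 077 so the file is never world-readable, not even for an instant,
# and with mode 0600 (the article uses 0700; a key needs no execute bit).
# Prints the key path on success.
make_keyfile() {
    keyfile="$1/$2"
    (
        umask 077
        dd if=/dev/urandom of="$keyfile" bs=512 count=1 2>/dev/null
    ) || return 1
    chmod 600 "$keyfile"
    printf '%s\n' "$keyfile"
}

# crypttab_entry TARGET UUID KEYFILE
# Print the /etc/crypttab line for step 24: the third field is where the
# installer wrote "none" and where the absolute key path goes instead.
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# audit_crypttab FILE ALLOWED_PREFIX
# Walk a crypttab and report every entry that unlocks with a key file. A key
# stored under ALLOWED_PREFIX (e.g. the mount point of an external USB stick,
# as suggested in the comments) is reported as ok; a key stored anywhere else
# sits on the same unencrypted root filesystem as the data it protects and is
# flagged. Prints the number of flagged entries on stdout, details on stderr.
audit_crypttab() {
    file=$1; allowed=$2; flagged=0
    while read -r target source key opts; do
        case "$target" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$key" in ''|none|-) continue ;; esac   # passphrase prompt at boot: fine
        case "$key" in
            "$allowed"/*)
                echo "ok   $target: key $key is on external media" >&2 ;;
            *)
                echo "WARN $target: key $key lives on the local root filesystem" >&2
                flagged=$((flagged + 1)) ;;
        esac
    done < "$file"
    echo "$flagged"
}

# Constructed sample crypttab (placeholder UUIDs) mirroring the article's
# layout: one passphrase entry, one key in /root, one key on a USB stick.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks
sda6_crypt UUID=00000000-0000-0000-0000-000000000002 /root/cryptkey luks
sda7_crypt UUID=00000000-0000-0000-0000-000000000003 /media/usbkey/cryptkey luks'

# Demo run in a scratch directory, cleaned up afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    make_keyfile "$tmp" cryptkey
    crypttab_entry sda6_crypt 00000000-0000-0000-0000-000000000002 "$tmp/cryptkey"
    printf '%s\n' "$SAMPLE_CRYPTTAB" > "$tmp/crypttab"
    audit_crypttab "$tmp/crypttab" /media
    rm -rf "$tmp"
}
demo

# On the real system the remaining steps stay exactly as the article gives them:
#   cryptsetup luksAddKey /dev/sda5 /root/cryptkey
#   cryptsetup luksDump /dev/sda5        # expect "Key Slot 1: ENABLED"
# and, as an added caveat for the backup advice above, keep a copy of the LUKS
# header off the machine: a damaged header makes the data unrecoverable even
# with the key in hand.
#   cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file luks-header.img
```

Run the script as-is to see the sample audit: with /media as the allowed prefix it reports the /root/cryptkey entry as a warning and the USB-stick entry as ok, and prints 1. Pointing audit_crypttab at the real /etc/crypttab with the mount point of your key media as the prefix gives the same check on a live system; a count of 0 means no key file is stored beside the data it unlocks.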


19 thoughts on “Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions”

  1. Yeah, I’m not convinced automatic decryption works in Debian. If you issue ‘update-initramfs -u -k all’ you get the error, ‘cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.’ which will hang the system at boot.

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409

    They’re dicking around with systemd and can’t get it sorted out so it isn’t clear if you can use a keyscript in Jessie/Stable.

  2. >All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.

    I’m sorry, how exactly is it gonna be secured from anyone when we’ve just configured these partitions to be mounted automatically without asking the passphrase so anyone will be able to login on our machine and read all the data from these partitions?

    • That’s just a simple trick used to decrypt the partitions. I wouldn’t suggest that you should host the key on any of the internal hard-disks, but you can use an external drive to keep the key secure and plug in the drive.

  3. If you can boot up and log in to the console, check if the / partition is present in fstab (I’m guessing the root partition is not encrypted). Then update the initramfs image with the command ‘update-initramfs -u’

  4. Hi, after “update-initramfs -u -k all” the system won’t boot anymore with the error “Unable to find LVM volume hostname-vg/root”. Without that command the passphrase is still asked at boot. Do I need to add anything to /etc/fstab?
    Any other suggestion?
