15. Now, create the Logical Volumes for
/var partitions. Choose Create logical volume -> Press Enter at your Volume Group name -> use the home name for the first Logical Volume -> enter a size for home Logical Volume depending on how much space you want to use for your home partition and hit Continue when you’re done.
16. Next, repeat the above step in order to create the Logical Volume for
/var partition and hit Finish when you’re done to go back to main Partition menu.
17. Once returned to the main Partition menu it’s time to configure the LVM partitions settings and mount points. Navigate to #1 home Logical Volume and configure the LVM partition with the following settings:
- Use as: Ext4 journaling file system
Mount Point: /home
- Label: home
When you finish hit the Done setting up the partition.
18. Repeat the above steps for #1 var Logical Volume with the following settings:
- Use as: Ext4 journaling file system
- Mount Point: /var
- Label: var
Again, after you finish setting up
/var partition hit the Done setting up the partition to return to main Partition menu, review the partitions for a last time, and, if everything is in the right place, move to Finish partitioning and write changes to disk and choose No at the next prompt (Return to partitioning menu) and Yes in order to format the partitions, write changes to disk and continue with the installation process.
As you can see I’ve not used a swap partition for this tutorial. In case you want to use an encrypted swap partition as well, just create an extra Logical Volume with swap name and use it as Linux swap on Partition settings.
19. That’s all for the partitioning scheme in order to run LVM encrypted partitions on top of an encrypted volume.
After the base system is installed, select a Debian archive mirror country for repositories. If the machine is directly connected to Internet and you do not use a proxy server to gain Internet access, hit on Continue at HTTP proxy information.
20. After the installer will configure the apt repositories a new prompt should appear demanding to participate in the package usage survey. Choose No to continue and select the software you want to install further.
Depending on the final destination of your machine, you can opt for a Graphical User Interface with your favorite Desktop environment (Gnome, Xfce, KDE, Cinnamon, MATE, LXDE) or a server configuration with no GUI.
In any case, choose standard system utilities and SSH if you want to use the machine as a server and hit Continue when you’re done.
21. After all the required packages are installed on your system, install the GRUB boot loader to your first hard disk
(/dev/sda) MBR (Master Boot Record) and wait for the installation process to finish.
22. After the installation finishes hit Continue to reboot the machine. At the booting process you will be asked to enter the passphrase configured on the installation process in order to unlock the encrypted device and mount the encrypted partitions.
23. In order to automatically unlock and mount the encrypted
/var partitions during system boot up, login with root user and create a protected key on
/root partition by issuing the following commands:
dd if=/dev/urandom of=cryptkey bs=512 count=1 chmod 700 cryptkey
24. After the key has been created, open and edit
/etc/crypttab file and replace none parameter with the absolute system path to your key as in the following screenshot:
# nano /etc/crypttab
25. Next, add the key to encrypted LUKS device by issuing the following command (LUKS can support up to 8 keys or passphrase slots) and verify if the key has been added to slot number 1:
cryptsetup luksAddKey /dev/sda5 /root/cryptkey cryptsetup luksDump /dev/sda5
That’s it! On the next boot up process, the encrypted partitions will be automatically unlocked and mounted with the below decryption key. All sensitive data stored in
/var partitions will be highly secured in case someone gains physical access to your machine hard-drive.
Be aware that if you lose the decryption key or you forget the passphrase set during installation process the data stored onto the encrypted partitions cannot be recovered and will be forever lost, so you should take precaution and regular backup data, preferably to an encrypted device also.