Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions

This tutorial will guide you on installing latest release of Debian 8 (codename Jessie) with /home and /var LVM partitions encrypted on top of a LUKS encrypted physical volume.

LUKS, an acronym for Linux Unified Key Setup, offers a standard for Linux hard disk block encryption and stores all the setup data in the partition header. If somehow, the LUKS partition header is tampered, damaged or overwritten in any way, the encrypted data that reside onto this partition is lost.

Still, one of the facilities of using LUKS encryption is that you can use a decryption key on the boot process to automatically unlock, decrypt and mount the encrypted partitions, without the need to always type a prompt passphrase at system boot (especially if you are connecting remotely through SSH).

You might ask, why only encrypt the /var and /home partitions and not the entire file system. One argument would be that /home and /var partitions contain, in most cases, sensitive data. While /home partition stores users data, the /var partition stores databases information (typically MySQL database files are located here), log files, websites data files, mail files and other, information that can be easily accessed once a third-party gains physical access to your hard drives.

Requirements

  1. Debian 8 (Jessie) ISO Image

Installing Debian 8 with LUKS Encrypted /home and /var Partitions

1. Download Debian 8 ISO image and burn it to a CD or create a bootable USB drive. Place the CD/USB in your appropriate drive, power on the machine and instruct the BIOS to boot from the CD/USB drive.

Once the system boots up the Debian installation media, choose Install from the first screen and press Enter key to move forward.

Install Debian 8
Install Debian 8

2. On the next steps, select the Language for the installation process, select your Country, configure your keyboard and wait for other additional components to load.

Select Language
Select Language
Select Location
Select Location
Configure Keyboard
Configure Keyboard

3. On the next step the installer will automatically configure your Network Card Interface in case you provide network settings through a DHCP Server.

If your network segment doesn’t use a DHCP server to automatically configure network interface, on the Hostname screen choose Go Back and manually set your interface IP Addresses.

Once done, type a descriptive Hostname for your machine and a Domain name as illustrated on the below screenshots and Continue with the installation process.

Configure Hostname
Configure Hostname
Configure Domain Name
Configure Domain Name

4. Next, type a strong password for root user and confirm it, then setup the first user account with a different password.

Set Root Password
Set Root Password
Create New User
Create New User
Set User Password
Set User Password

5. Now, setup the clock by selecting your physical nearest time zone.

Configure Time
Configure Time

6. On the next screen choose Manual Partitioning method, select the hard drive that you want to partition and choose Yes to create a new empty partition table.

Manual Partitioning
Manual Partitioning
Select Installation Disk
Select Installation Disk
Create Disk Partition
Create Disk Partition

7. Now it’s time to slice the hard drive into partitions. The first partition that will create will be the /(root) partition. Select the FREE SPACE, hit Enter key and choose Create a new partition. Use at least 8 GB as its size and as Primary partition at the Beginning of the disk.

Select Disk Partition
Select Disk Partition
Create New Partition
Create New Partition
Set Partition Size
Set Partition Size
Select Primary Partition Type
Select Primary Partition Type
Select Partition Location
Select Partition Location

8. Next, configure /(root) partition with the following settings:

  1. Use as: Ext4 journaling file system
  2. Mount Point: /
  3. Label: root
  4. Bootable flag: on

When you have finished setting up the partition choose Done setting up the partition and press Enter to continue further.

Create Root Partition
Create Root Partition
Matei Cezar
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

19 thoughts on “Installing Debian 8 (Jessie) with LUKS Encrypted /home and /var Partitions”

  1. Yeah, I’m not convinced automatic decryption works in Debian. If you issue ‘update-initramfs -u -k all’ you get the error, ‘cryptsetup: WARNING: target sdaX_crypt uses a key file, skipped.’ which will hang the system at boot.

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776409

    They’re dicking around with systemd and can’t get it sorted out so it isn’t clear if you can use a keyscript in Jessie/Stable.

    Reply
  2. >All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.

    I’m sorry, how exactly is it gonna be secured from anyone when we’ve just configured these partitions to be mounted automatically without asking the passphrase so anyone will be able to login on our machine and read all the data from these partitions?

    Reply
    • That’s just a simple trick used to decrypt the partitions. I wouldn’t suggest that you should host the key on any of internal hard-disks but you can use an external drive to keep the key secure and plug the drive.

      Reply
  3. If you can boot-up and login to the console check if the / partition is present on fstab (i’m guessing the root partition is not encrypted). Then update the initramfs image with the command ‘update-initramfs -u’

    Reply
  4. Hi, after “update-initramfs -u -k all” the system won’t boot anymore with the error “Unable to find LVM volume hostname-vg/root”. Without that command the passphrase as still asked at boot. Do I need to add anything to /etc/fstab?
    Any other suggestion?

    Reply
  5. After step 25 (add the key to encrypted LUKS device and enter the passphrase) the key is not be added to the slot, but I get a message “Failed to open key file”.
    All previous steps went flawless.
    What went wrong?

    Reply
  6. Hi,

    After the last step, to make the system use the key file, I had to :
    update-initramfs -u -k all

    WIthout this command, the passphrase was still asked at boot time.

    But I’m really wondering… how is it secure to store the key on disk, in the case someone get physical access to your hard drive? If I do this on a netbook, and someone steal it, will he be able to unlock the crypted volume after he found this key file??

    Thanks for the tutorial!

    Reply
  7. Mate, you describe the creation of dm-crypt containers, which are not really LUKS. Try changing the pasword on the volume you create (a trivial operation for LUKS), and let us know how it worked.

    Reply
  8. “All sensitive data stored in /home and /var partitions will be highly secured in case someone gains physical access to your machine hard-drive.”
    –> huummm , seriously ?

    Reply
    • @Lemoidului,
      Yes, what’s wrong here? /home contains important user data and /var contains important server logs, these two partitions needs to be secured..Instead finding out errors in the article, appreciate the author for his work hard..

      Reply
  9. IMHO, having a encrypted partition with the encryption key stored in a clear text partition by its side, is useless. A false sense of security.

    Reply
  10. This is just a very simple and convenient trick to automatically decrypt and load the encrypted volume in case you don’t have any physical access to the machine or it’s impossible to access or tamper with the boot sequence in order to manually supply the passphrase.

    Reply
  11. @Chris: Check if the key has been added to the encrypted device slot by issuing cryptsetup luksDump command.Also, and verify the content of /etc/crypttab file and ensure that the correct key with absolute path has been added.

    Reply
  12. Sorry if I missed something, but… what’s the point of having a encrypted partition and storing the encryption password in a unencrypted partition?

    Reply

Leave a Reply to Quasb Cancel reply

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.