These instructions were tested, and re-tested multiple times on devuan_ascii_2.0.0-rc_i386_dvd-1 on bare metal. They worked fine, but they magically stopped working, and so I'm giving up on this technology; it's too fucking hard to use.

Devuan's installer has an encryption feature, but it formats your whole hard drive and uses LVM, neither of which I want.

Given a hard drive which has regular partitioning and not LVM.
Where a / (root) partition is encrypted (dm-crypt) and in use.
- Such as with an earlier release of Devuan
Install Devuan, re-using the encrypted partition without re-encrypting/formatting from scratch.

Note - I will be writing separate instructions on how to manually make and manage encrypted partitions.

For more information on encryption, see dm-crypt.

TODO - I had network driver issues on a new motherboard.
Tested 2019-02-24 on my Dell Inspiron 11 3180, but
TODO - I had issues reproducing these instructions on my existing desktop when reinstalling without a network connection.
Tested 2018-11-24 and beforehand on my desktop.

Table of Contents [hide]

1 Preparation
2 Phase one - Installer basics
3 Phase two - Create/open encrypted partition
4 Installer basics, continued
5 Partition disks
- 5.1 unencrypted boot partition
- 5.2 encrypted root partition
6 Continuing the install
7 Final steps
8 Post-install manual work

Preparation ∞

As with anything, make backups first.

Turn off your computer
Remove any non-essential drives
Insert your USB stick
Turn on your computer
Devuan GNU/Linux installer boot menu:
- Graphical install
  -- (if it seems to do nothing, just wait)

Phase one - Installer basics ∞

Select a language
- English
Select your location
- United States
Configure the keyboard
- American English
Configure the network
- (do nothing yet)
- Press Control-Alt-F2 to get to a console, and press enter to log into it.

Phase two - Create/open encrypted partition ∞

See create∕open encrypted partition.sh

Press Alt-F5.

Installer basics, continued ∞

Configure the network
- (your choices)
Set up users and passwords
- Root password: (your choice)
- Re-enter password to verify: (your choice)
- (repeat for a user, if you like)
Configure the clock
- Select your time zone: (your choice)
Partition disks
- Manual

From here you're selecting your boot and encrypted partitions...

Partition disks ∞

unencrypted boot partition ∞

Select the partition you want to use as /boot, then continue.

Name
- boot
Use as
- Ext4 file system
Format the partition
- yes, format it
Mount point
- /boot
Mount options
- [x] noatime
- [x] nodiratime
- TODO - should I noexec or other options?
Label
- boot

(Done setting up the partition)

encrypted root partition ∞

Select the one that has Encrypted volume. It will look something like this:

Encrypted volume (sda3_crypt) - 4.0 TB Linux device-mapper (crypt)
  >  #1    4.0 TB   ext4

Select it, then continue.

If you created a new encrypted partition, you will be prompted with "Create a new empty partition table on this device?". Say yes.
Use as
- Ext4 file system
Format the partition
- no, keep existing data
Mount point
- /
Mount options
- [x] noatime
- [x] nodiratime
- TODO - I believe the "discard" option is for an SSD.
(Done setting up the partition)

Warning - If you don't see "format the partition", then something is odd and you must not continue. I've seen this problem come and go, and only by carefully following these instructions have I been able to get it to appear.

notes

I don't know if it's a bug or something I've done, but I also saw this line:

10 partman-crypto/text/erase_data_partition doesn't exist

Continuing the install ∞

Partition disks
- Finish partitioning and write changes to disk
Partition disks: re. the swap
- I don't use a swap partition. If I did, I would encrypt it which would require typing in a second password every bootup. A swap partition would also allow for hibernation (suspend-to-disk).
- (o) No
- (_) Yes

Proceed with installation to unclean target?

Note: If you get "Proceed with installation to unclean target?" you may want to manually delete your installation to make sure things are nice and clean. No instructions have been provided for this, but you can use a shell, mount it and delete the directories you want.

If I try to proceed anyway, I get errors:

(Syslog)

Install the base system
Base system installation error
The debootstrap program exited with an error (return value 1).
Check /var/log/syslog or see virtual console 4 for the details.

Checking console 4, I saw:

debootstrap: tar: can't open './etc/libaudit.conf': File exists
debootstrap: xzcat: short write

.. which means that no, it cannot actually perform an unclean installation.

To manually delete an old installation, I do:

rm -rf .config bin boot dev etc lib media mnt opt proc run sbin srv tmp usr var
rm -f .bash_history initrd.img initrd.img.old vmlinuz vmlinuz.old

Danger - Don't run these commands idly!

Write the changes to disks?
- (_) No
- (o) Yes
- Warning - Make damned sure you understand what's being done!

Final steps ∞

Spoiler

Annoyingly, it'll pause it's install in a few places to ask you things. It would be far more convenient if it asked you everything up-front, but that's impossible since this additional activity is prompted only by the initialization of the installation of those packages.

Install the base system

Configure the package manager
- Use a network mirror?
  -- (your choice)
  -- I find it odd to be asked this if I do an install without networking set up.
Configuring popularity-contest
- Participate in the package usage survey?
  -- (your choice)
Note: If you have a network connection while it's installing, it appears to automatically download packages.

Software selection
Choose software to install:

(your choices, but I do this):

[x] Devuan desktop environment
[_] ... Xfce (Default)
[_] ... MATE
[_] ... KDE
[_] web server
[_] print server
[_] ssh server
[x] standard system utilities

Curiously, when connected to the internet during this installation process, I get additional choices: LXQt, Console productivity.

Personally I install MATE and then uninstall it and set up my own stuff, but you can easily break your system doing this (I have).

(If you are prompted to choose a login manager, pick what you like.)

Install the GRUB boot loader on a hard disk:

Install the GRUB boot loader to the master boot record?
- (_) No
- (o) Yes
Device for boot loader installation:
- /dev/sda

Post-install manual work ∞

(Boot from your USB drive again)

Devuan GNU/Linux installer boot menu

Advanced options
- Graphical rescue mode
  -- (if it seems to do nothing, just wait)
Select a language
- English
Select your location
- United States
Configure the keyboard
- American English
Configure the network
- (your choice)
- Hostname: (your choice)

Enter rescue mode

Passphrase for /dev/sda3
- (your password)
Device to use as root file system
- /dev/mapper/sda3_crypt
- FIXME - this stopped working!
  -- While I can unlock it, I can't mount it. I don't know why; it's not in use.
Mount separate /boot partition?
- (_) No
- (o) Yes
Rescue operations
- Execute a shell in /dev/mapper/sda3_crypt

bash

# You may need -f10 or -f11.  Check which one of these gives you a UUID.  TODO - is there a better way?
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f11
ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10 >> /etc/crypttab
nano /etc/crypttab

You want to craft a line like this:

sda3_crypt  UUID=(YOUR CODE)  none  luks

For more, see https://www.freedesktop.org/software/systemd/man/crypttab.html

update-initramfs -k all -c -t

(You will get some warnings; don't worry.)

fstab

Check /etc/fstab and make sure one of your lines is something like the following. Pay attention to make sure "sda3_crypt" is named in full:

/dev/mapper/sda3_crypt  /  ext4  noatime,nodiratime,errors=remount-ro  0  1

exit
exit

Rescue operations
- Reboot the system

(remove the USB key as it reboots)

The system should now be working as-expected. You will now be prompted for a password on bootup.

spiralofhope

Encryption without LVM on Devuan