These instructions were tested, and re-tested multiple times on devuan_ascii_2.0.0-rc_i386_dvd-1 on bare metal. They worked fine, but they magically stopped working, and so I'm giving up on this technology; it's too fucking hard to use.
Devuan's installer has an encryption feature, but it formats your whole hard drive and uses LVM, neither of which I want.
- Given a hard drive which has regular partitioning and not LVM.
- Where a / (root) partition is encrypted (dm-crypt) and in use.
  - Such as with an earlier release of Devuan
- Install Devuan, re-using the encrypted partition without re-encrypting/formatting from scratch.
Note - I will be writing separate instructions on how to manually make and manage encrypted partitions.
For more information on encryption, see dm-crypt.
- TODO - I had network driver issues on a new motherboard.
- Tested 2019-02-24 on my Dell Inspiron 11 3180, but
- TODO - I had issues reproducing these instructions on my existing desktop when reinstalling without a network connection.
- Tested 2018-11-24 and beforehand on my desktop.
Preparation
As with anything, make backups first.
- Turn off your computer
- Remove any non-essential drives
- Insert your USB stick
- Turn on your computer
- Devuan GNU/Linux installer boot menu:
  - Graphical install
    - (if it seems to do nothing, just wait)

Phase one - Installer basics
- Select a language
  - English
- Select your location
  - United States
- Configure the keyboard
  - American English
- Configure the network
  - (do nothing yet)
  - Press Control-Alt-F2 to get to a console, and press enter to log into it.
Phase two - Create/open encrypted partition
See create∕open encrypted partition.sh
Press Alt-F5.

Installer basics, continued
- Configure the network
  - (your choices)
- Set up users and passwords
  - Root password: (your choice)
  - Re-enter password to verify: (your choice)
  - (repeat for a user, if you like)
- Configure the clock
  - Select your time zone: (your choice)
- Partition disks
  - Manual
From here you're selecting your boot and encrypted partitions...
Partition disks
unencrypted boot partition
Select the partition you want to use as /boot, then continue.
- Name
  - boot
- Use as
  - Ext4 file system
- Format the partition
  - yes, format it
- Mount point
  - /boot
- Mount options
  - [x] noatime
  - [x] nodiratime
  - TODO - should I noexec or other options?
- Label
  - boot

(Done setting up the partition)
encrypted root partition
Select the one that has Encrypted volume. It will look something like this:

```
Encrypted volume (sda3_crypt) - 4.0 TB Linux device-mapper (crypt)
>     #1    4.0 TB    ext4
```

Select it, then continue.
- If you created a new encrypted partition, you will be prompted with "Create a new empty partition table on this device?". Say yes.
- Use as
  - Ext4 file system
- Format the partition
  - no, keep existing data
- Mount point
  - /
- Mount options
  - [x] noatime
  - [x] nodiratime
  - TODO - I believe the "discard" option is for an SSD.

(Done setting up the partition)
Warning - If you don't see "format the partition", then something is odd and you must not continue. I've seen this problem come and go, and only by carefully following these instructions have I been able to get it to appear.
Continuing the install
- Partition disks
  - Finish partitioning and write changes to disk
- Partition disks: re. the swap
  - I don't use a swap partition. If I did, I would encrypt it, which would require typing in a second password every bootup. A swap partition would also allow for hibernation (suspend-to-disk).
  - (o) No
  - (_) Yes
- Write the changes to disks?
  - (_) No
  - (o) Yes
  - Warning - Make damned sure you understand what's being done!
Final steps
Install the base system
- Configure the package manager
  - Use a network mirror?
    - (your choice)
    - I find it odd to be asked this if I do an install without networking set up.
- Configuring popularity-contest
  - Participate in the package usage survey?
    - (your choice)

Note: If you have a network connection while it's installing, it appears to automatically download packages.
Software selection
Choose software to install:
(your choices, but I do this):
- [x] Devuan desktop environment
- [_] ... Xfce (Default)
- [_] ... MATE
- [_] ... KDE
- [_] web server
- [_] print server
- [_] ssh server
- [x] standard system utilities
Curiously, when connected to the internet during this installation process, I get additional choices: LXQt, Console productivity.
Personally I install MATE and then uninstall it and set up my own stuff, but you can easily break your system doing this (I have).
(If you are prompted to choose a login manager, pick what you like.)
Install the GRUB boot loader on a hard disk:
- Install the GRUB boot loader to the master boot record?
  - (_) No
  - (o) Yes
- Device for boot loader installation:
  - /dev/sda
Post-install manual work
(Boot from your USB drive again)
Devuan GNU/Linux installer boot menu
- Advanced options
  - Graphical rescue mode
    - (if it seems to do nothing, just wait)
- Select a language
  - English
- Select your location
  - United States
- Configure the keyboard
  - American English
- Configure the network
  - (your choice)
  - Hostname: (your choice)
Enter rescue mode
- Passphrase for /dev/sda3
  - (your password)
- Device to use as root file system
  - /dev/mapper/sda3_crypt
  - FIXME - this stopped working!
    - While I can unlock it, I can't mount it. I don't know why; it's not in use.
- Mount separate /boot partition?
  - (_) No
  - (o) Yes
- Rescue operations
  - Execute a shell in /dev/mapper/sda3_crypt

```bash
# You may need -f10 or -f11. Check which one of these gives you a UUID. TODO - is there a better way?
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f11
ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10 >> /etc/crypttab
nano /etc/crypttab
```

You want to craft a line like this:

```
sda3_crypt UUID=(YOUR CODE) none luks
```

For more, see https://www.freedesktop.org/software/systemd/man/crypttab.html

```bash
update-initramfs -k all -c -t
```

(You will get some warnings; don't worry.)

```bash
exit
exit
```

- Rescue operations
  - Reboot the system

(remove the USB key as it reboots)
The system should now be working as expected. You will now be prompted for a password on bootup.
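
An added example (not part of the original instructions) of producing the crypttab line from the rescue-shell step without counting `ls -l` columns: it reads the LUKS container's UUID with `blkid`, rejects anything that is not UUID-shaped (which is what a wrong `cut` field yields), and refuses to append a second entry for the same mapping name. The function names are hypothetical; `/dev/sda3` and `sda3_crypt` are the device and mapping name used on this page.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the original page.

# luks_uuid DEVICE -> print the UUID of the LUKS container on DEVICE
luks_uuid() {
    blkid -s UUID -o value "$1"
}

# crypttab_line NAME UUID -> print one crypttab line; fail on a malformed UUID
crypttab_line() {
    name=$1
    uuid=$2
    case $uuid in
        ''|*[!0-9a-fA-F-]*)
            echo "not a UUID: '$uuid'" >&2
            return 1 ;;
    esac
    # UUIDs are 36 characters long: 32 hex digits plus 4 dashes
    [ "${#uuid}" -eq 36 ] || { echo "not a UUID: '$uuid'" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# add_crypttab_entry FILE NAME UUID -> append the line unless NAME is already
# present, so running the step twice does not leave duplicate entries
add_crypttab_entry() {
    file=$1
    name=$2
    uuid=$3
    line=$(crypttab_line "$name" "$uuid") || return 1
    if [ -f "$file" ] &&
       awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"
    then
        echo "$name already has an entry in $file; leaving it alone" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage inside the rescue shell, before update-initramfs:
#   add_crypttab_entry /etc/crypttab sda3_crypt "$(luks_uuid /dev/sda3)"
```
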
pushed a script into git to work around a blogtext bug