Encryption without LVM on Devuan

2018-11-24
, , , ,

These instructions were tested, and re-tested multiple times on devuan_ascii_2.0.0-rc_i386_dvd-1 on bare metal. They worked fine, but they magically stopped working, and so I'm giving up on this technology; it's too fucking hard to use.

Computer security: Devuan + dm-crypt >

Devuan's installer has an encryption feature, but it formats your whole hard drive and uses LVM, neither of which I want.

  • Given a hard drive which has regular partitioning and not LVM.

  • Where a / (root) partition is encrypted (dm-crypt) and in use.

    • Such as with an earlier release of Devuan

  • Install Devuan, re-using the encrypted partition without re-encrypting/formatting from scratch.

    Note - I will be writing separate instructions on how to manually make and manage encrypted partitions.

For more information on encryption, see dm-crypt.

  • TODO - I had network driver issues on a new motherboard.
  • Tested 2019-02-24 on my Dell Inspiron 11 3180, but
  • TODO - I had issues reproducing these instructions on my existing desktop when reinstalling without a network connection.

  • Tested 2018-11-24 and beforehand on my desktop.

Table of Contents [hide]

Preparation

As with anything, make backups first.

  • Turn off your computer
  • Remove any non-essential drives
  • Insert your USB stick
  • Turn on your computer

  • Devuan GNU/Linux installer boot menu:

    • Graphical install
      -- (if it seems to do nothing, just wait)

Phase one - Installer basics

  • Select a language

    • English

  • Select your location

    • United States

  • Configure the keyboard

    • American English

  • Configure the network

    • (do nothing yet)
    • Press Control-Alt-F2 to get to a console, and press enter to log into it.

Phase two - Create/open encrypted partition 

partition=sda3

dev=/dev/$partition
name=${partition}_crypt
anna-install cryptsetup-udeb partman-crypto-dm
depmod -a
# If you don't have an encrypted partition, you can make one with:
# cryptsetup -y luksFormat  $dev
cryptsetup -v luksOpen $dev $name
# If you want, you can mount and interact with the partition.
# However, to do that you need to proceed a little further in the install before coming back to this shell.
#mkdir /$name
#mount /dev/mapper/$name /$name

Press Alt-F5.

Installer basics, continued

  • Configure the network

    • (your choices)

  • Set up users and passwords

    • Root password: (your choice)
    • Re-enter password to verify: (your choice)
    • (repeat for a user, if you like)

  • Configure the clock

    • Select your time zone: (your choice)

  • Partition disks

    • Manual

From here you're selecting your boot and encrypted partitions...

Partition disks

unencrypted boot partition

Select the partition you want to use as /boot, then continue.

  • Name

    • boot

  • Use as

    • Ext4 file system

  • Format the partition

    • yes, format it

  • Mount point

    • /boot

  • Mount options

    • [x] noatime
    • [x] nodiratime
    • TODO - should I noexec or other options?

  • Label

    • boot

(Done setting up the partition)

encrypted root partition

Select the one that has Encrypted volume. It will look something like this:

Encrypted volume (sda3_crypt) - 4.0 TB Linux device-mapper (crypt)
  >  #1    4.0 TB   ext4

Select it, then continue.

  • If you created a new encrypted partition, you will be prompted with "Create a new empty partition table on this device?". Say yes.

  • Use as

    • Ext4 file system

  • Format the partition

    • no, keep existing data

  • Mount point

    • /

  • Mount options

    • [x] noatime
    • [x] nodiratime
    • TODO - I believe the "discard" option is for an SSD.

  • (Done setting up the partition)

    Warning - If you don't see "format the partition", then something is odd and you must not continue. I've seen this problem come and go, and only by carefully following these instructions have I been able to get it to appear.

notes

I don't know if it's a bug or something I've done, but I also saw this line:

10 partman-crypto/text/erase_data_partition doesn't exist

Continuing the install

  • Partition disks

    • Finish partitioning and write changes to disk

  • Partition disks: re. the swap

    • I don't use a swap partition. If I did, I would encrypt it which would require typing in a second password every bootup. A swap partition would also allow for hibernation (suspend-to-disk).
    • (o) No
    • (_) Yes
Proceed with installation to unclean target?

Note: If you get "Proceed with installation to unclean target?" you may want to manually delete your installation to make sure things are nice and clean. No instructions have been provided for this, but you can use a shell, mount it and delete the directories you want.

If I try to proceed anyway, I get errors:

Install the base system
Base system installation error
The debootstrap program exited with an error (return value 1).
Check /var/log/syslog or see virtual console 4 for the details.

Checking console 4, I saw:

debootstrap: tar: can't open './etc/libaudit.conf': File exists
debootstrap: xzcat: short write

.. which means that no, it cannot actually perform an unclean installation.

To manually delete an old installation, I do:

rm -rf .config bin boot dev etc lib media mnt opt proc run sbin srv tmp usr var
rm -f .bash_history initrd.img initrd.img.old vmlinuz vmlinuz.old

Danger - Don't run these commands idly!

  • Write the changes to disks?

    • (_) No
    • (o) Yes
    • Warning - Make damned sure you understand what's being done!

Final steps

Spoiler

Annoyingly, it'll pause it's install in a few places to ask you things. It would be far more convenient if it asked you everything up-front, but that's impossible since this additional activity is prompted only by the initialization of the installation of those packages.

Install the base system

  • Configure the package manager

    • Use a network mirror?
      -- (your choice)
      -- I find it odd to be asked this if I do an install without networking set up.

  • Configuring popularity-contest

    • Participate in the package usage survey?
      -- (your choice)

  • Note: If you have a network connection while it's installing, it appears to automatically download packages.

Software selection
Choose software to install:

(your choices, but I do this):

  • [x] Devuan desktop environment
  • [_] ... Xfce (Default)
  • [_] ... MATE
  • [_] ... KDE
  • [_] web server
  • [_] print server
  • [_] ssh server

  • [x] standard system utilities

    Curiously, when connected to the internet during this installation process, I get additional choices: LXQt, Console productivity.

    Personally I install MATE and then uninstall it and set up my own stuff, but you can easily break your system doing this (I have).

    (If you are prompted to choose a login manager, pick what you like.)

Install the GRUB boot loader on a hard disk:

  • Install the GRUB boot loader to the master boot record?

    • (_) No
    • (o) Yes

  • Device for boot loader installation:

    • /dev/sda

Post-install manual work

(Boot from your USB drive again)

Devuan GNU/Linux installer boot menu

  • Advanced options

    • Graphical rescue mode
      -- (if it seems to do nothing, just wait)

  • Select a language

    • English

  • Select your location

    • United States

  • Configure the keyboard

    • American English

  • Configure the network

    • (your choice)
    • Hostname: (your choice)

Enter rescue mode

  • Passphrase for /dev/sda3

    • (your password)

  • Device to use as root file system

    • /dev/mapper/sda3_crypt
    • FIXME - this stopped working!
      -- While I can unlock it, I can't mount it. I don't know why; it's not in use.

  • Mount separate /boot partition?

    • (_) No
    • (o) Yes

  • Rescue operations

    • Execute a shell in /dev/mapper/sda3_crypt
bash

# You may need -f10 or -f11.  Check which one of these gives you a UUID.  TODO - is there a better way?
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10
# ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f11
ls -l /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10 >> /etc/crypttab
nano /etc/crypttab

You want to craft a line like this:

sda3_crypt  UUID=(YOUR CODE)  none  luks

For more, see https://www.freedesktop.org/software/systemd/man/crypttab.html

update-initramfs -k all -c -t

(You will get some warnings; don't worry.)

fstab

Check /etc/fstab and make sure one of your lines is something like the following. Pay attention to make sure "sda3_crypt" is named in full:

/dev/mapper/sda3_crypt  /  ext4  noatime,nodiratime,errors=remount-ro  0  1

exit
exit

  • Rescue operations

    • Reboot the system

(remove the USB key as it reboots)

The system should now be working as-expected. You will now be prompted for a password on bootup.

Comment

Leave a Reply

Your email address will not be published. Required fields are marked *