Computer security: Devuan + dm-crypt >
Devuan's installer has an encryption feature, but it formats your whole hard drive and uses LVM, neither of which I want.
- Given a hard drive which has regular partitioning and not LVM.
Where a
/(root) partition is encrypted (dm-crypt) and in use.- Such as with an earlier release of Devuan
Install Devuan, re-using the encrypted partition without re-encrypting/formatting from scratch.
Note - I will be writing separate instructions on how to manually make and manage encrypted partitions.
These instructions were tested, and re-tested multiple times on devuan_ascii_2.0.0-rc_i386_dvd-1 on bare metal. They ought to work with other configurations.
Preparation ∞
As with anything, make backups first.
- Turn off your computer
- Remove any non-essential drives
- Insert your USB stick
- Turn on your computer
Devuan GNU/Linux installer boot menu:
- Graphical install
-- (it seems to do nothing, but just wait)
- Graphical install
Phase one - Installer basics ∞
Select a language
- English
Select your location
- United States
Configure the keyboard
- American English
Configure the network
- (do nothing yet)
- Press
Control-Alt-F2to get to a console, and pressenterto log into it.
Phase two - Open encrypted partition ∞
partition=sda3 dev=/dev/$partition name=${partition}_crypt anna-install cryptsetup-udeb partman-crypto-dm depmod -a cryptsetup -v luksOpen $dev $name # If you want, you can mount and interact with the partition. # However, to do that you need to proceed a little further in the install before coming back to this shell. #mkdir /$name #mount /dev/mapper/$name /$name
Press Alt-F5.
Installer basics, continued ∞
Configure the network
- (your choices)
Set up users and passwords
- Root password: (your choice)
- Re-enter password to verify: (your choice)
- (repeat for a user, if you like)
Configure the clock
- Select your time zone: (your choice)
Partition disks
- Manual
From here you're selecting your boot and encrypted partitions...
Partition disks ∞
unencrypted boot partition ∞
Select the partition you want to use as /boot, then continue.
Name
- boot
Use as
- Ext2 file system
Format the partition
- yes, format it
Mount point
/boot
Mount options
- [x] noatime
- [x] nodiratime
- TODO - should I noexec or other options?
Label
- boot
(Done setting up the partition)
encrypted root partition ∞
Select the one that has Encrypted volume. It will look something like this:
Encrypted volume (sda3_crypt) - 4.0 TB Linux device-mapper (crypt) > #1 4.0 TB ext4
Select it, then continue.
Use as
- Ext4 file system
Format the partition
- no, keep existing data
Mount point
/
Mount options
- [x] noatime
- [x] nodiratime
- TODO - I believe the "discard" option is for an SSD.
(Done setting up the partition)
Warning - If you don't see "format the partition", then something is odd and you must not continue. I've seen this problem come and go, and only by carefully following these instructions have I been able to get it to appear.
Continuing the install ∞
Partition disks
- Finish partitioning and write changes to disk
Partition disks: re. the swap
- I don't use a swap partition. If I did, I would encrypt it which would require typing in a second password every bootup. A swap partition would also allow for hibernation (suspend-to-disk).
- (o) No
- (_) Yes
Write the changes to disks?
- (_) No
- (o) Yes
- Warning - Make damned sure you understand what's being done!
Final steps ∞
Install the base system
Configure the package manager
- Use a network mirror?
-- (your choice)
-- I find it odd to be asked this if I do an install without networking set up.
- Use a network mirror?
Configuring popularity-contest
- Participate in the package usage survey?
-- (your choice)
- Participate in the package usage survey?
Note: If you have a network connection while it's installing, it appears to automatically download packages.
Software selection
Choose software to install:
(your choices, but I do this):
- [x] Devuan desktop environment
- [_] ... Xfce (Default)
- [_] ... MATE
- [_] ... KDE
- [_] web server
- [_] print server
- [_] ssh server
[x] standard system utilities
Curiously, when connected to the internet during this installation process, I get additional choices: LXQt, Console productivity.
Personally I install MATE and then uninstall it and set up my own stuff, but you can easily break your system doing this (I have).
(If you are prompted to choose a login manager, pick what you like.)
Install the GRUB boot loader on a hard disk:
Install the GRUB boot loader to the master boot record?
- (_) No
- (o) Yes
Device for boot loader installation:
- /dev/sda
Post-install manual work ∞
(Boot from your USB drive again)
Devuan GNU/Linux installer boot menu
Advanced options
- Graphical rescue mode
-- (it seems to do nothing, but just wait)
- Graphical rescue mode
Select a language
- English
Select your location
- United States
Configure the keyboard
- American English
Configure the network
- (your choice)
- Hostname: (your choice)
Enter rescue mode
Passphrase for /dev/sda3
- (your password)
Device to use as root file system
- /dev/mapper/sda3_crypt
Mount separate /boot partition?
- (_) No
- (o) Yes
Rescue operations
- Execute a shell in /dev/mapper/sda3_crypt
bash # You may need -f10 or -f11. Check which one of these gives you a UUID. TODO - is there a better way? # ls -al /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10 # ls -al /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f11 ls -al /dev/disk/by-uuid | grep /sda3 | cut -d' ' -f10 >> /etc/crypttab nano /etc/crypttab
You want to craft a line like this:
sda3_crypt UUID=(YOUR CODE) none luks
For more, see https://www.freedesktop.org/software/systemd/man/crypttab.html
update-initramfs -k all -c -t
(You will get some warnings; don't worry.)
exit exit
Rescue operations
- Reboot the system
(remove the USB key as it reboots)
The system should now be working as-expected. You will now be prompted for a password on bootup.
