On Mon, Dec 17, 2018 at 04:47:32PM +0100, Cyril Brulebois wrote:
> Hello,
>
> autos...@riseup.net <autos...@riseup.net> (2018-12-17):
> > I have managed to find a way to trick the Debian installer into
> > encrypting the /boot partition, so that only the MBR GRUB portion of
> > the hard drive is unencrypted.
> >
> > This means the password must be input twice at boot, but on the plus
> > side, the Linux kernel lives in /boot, so the system is better
> > protected.
> >
> > Are you interested in how I did this? I have a full step-by-step guide
> > which I have tried to minimize as much as possible. I was hoping it
> > could be engineered into a guided installation option.
> >
> > Note: it only involved one reboot back into the installer environment.
> >
> > Also, I did it with GPT, which is also something that D-I should
> > support, especially when it comes to encrypted disks (GPT stores a
> > couple backups of the partition table).
>
> This seems like something that we should support at some point, AFAICT
> grub's cryptodisk support has been around for quite a while, but I've
> never managed to dive into it.
>
> A step by step guide would certainly be helpful to others, and might be
> a basis for d-i contributors to get involved in implementing this.
>
> Thanks for your proposal.
>
>
> Cheers,
> --
> Cyril Brulebois (k...@debian.org) <https://debamax.com/>
> D-I release manager -- Release team member -- Freelance Consultant
It was quite an effort in reverse engineering, because I couldn't find
a lot of documentation on d-i at short notice via search engines, and so
I essentially took a brute-force approach. Haven't tried using preseed
files to do this, because it seems preseed files aren't as simple to
load into d-i as dropping one into the first partition of a USB drive,
for example (this is where BIOS updaters often look for a file, as an
example).

OK, here are the full instructions. Note: this is 'expert install' mode.

1. Configure partman with 1MB /boot as ext4. Configure 2nd partition
   using 100% of space, and dedicate it as a crypto volume.

   Note: the above can be done with fdisk on TTY2, and fdisk is better
   at using up almost 100% of disk space, by default.

   Finish configuring encrypted volume.

2. Set the configured encrypted volume as the root '/' mount point. It
   can be either an ext4 or XFS filesystem (have not tested others).

   Note: this part must be done via partman so that d-i lets you
   continue.

3. Choose to install base system and switch to TTY4. At the point that
   d-i attempts to install the kernel and pauses, switch over to TTY2
   and unmount /target/boot:

   # umount /target/boot

4. Switch back to TTY1, choose kernel to install, and install initramfs.

   If all the above steps have been followed, and no error messages
   _yet_, then now is a good time to set up users, clock, network, etc.,
   if you want to.

5. Choose to install the GRUB boot loader - it will fail but will at
   least successfully install the GRUB dpkgs.

6. Switch to TTY2 and chroot into /target:

   # chroot /target

7. Install gdisk and run it on your target hard drive:

   # apt-get install -y gdisk && gdisk /dev/sda

   Note: the above assumes your target install disk is /dev/sda.

   Change the partition type of the 1MB partition to ef02. Write the
   changes to disk.

8. Exit the chroot, switch to TTY1 and select 'finish installation' -
   you will have to select 'continue without bootloader'.

9. Reboot, but this time instead of 'expert mode' choose 'rescue mode'.
   Unlock your disk with the LUKS password. Enter a shell within the
   install environment, either by selecting from the menu, or by
   switching to TTY2 and chrooting in.

10. Edit your /etc/default/grub within the target install volume to
    include the line:

    GRUB_ENABLE_CRYPTODISK=y

11. Also run the following from within the new install, perhaps twice
    for good measure:

    # grub-mkconfig -o /boot/grub/grub.cfg
    # grub-install /dev/sda

    Note: the above assumes your target install disk is /dev/sda.

12. Delete the /boot line from /etc/fstab within the target install
    volume.

13. Reboot into a working install, with GPT partition table and
    encrypted /boot!

Because the above instructions took many, many hours to create and
minimise, with so many reboots until I found a working sequence, I'd
really, really appreciate it if the above could be adapted into a
'guided installation' option, then perhaps in the future LVM could be
added, once it is stable enough.

Every user of d-i would benefit from the extra security of encrypted
/boot, as well as the extra reliability of a GPT partition table. GRUB
has dutifully supported both for a while now, including Debian stable's
version of GRUB. Note that last time I checked, Red Hat's Fedora was
also installing using MBR partitions without encrypted /boot, so Debian
could be ahead of the curve here.
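The rescue-mode edits in steps 10 and 12 of the procedure above, as an added example that is not part of the original mail or of d-i: shell functions that make both config edits idempotently against a target root given as an argument (assumed already mounted, e.g. /target), and a check that confirms both are in place before grub-mkconfig and grub-install are run by hand. The GRUB_ENABLE_CRYPTODISK setting and the fstab layout come from the mail; the function names and the target-root argument are this example's own.

```shell
#!/bin/sh
# Added example: idempotent versions of steps 10 and 12 from the mail above.
# Usage from the rescue shell: enable_cryptodisk /target; drop_boot_from_fstab /target
# Assumes GNU sed/awk (Debian) and a target root already mounted at "$1".
set -eu

# Step 10: make sure GRUB_ENABLE_CRYPTODISK=y appears exactly once in
# /etc/default/grub, replacing any stale "=n" or duplicate setting.
enable_cryptodisk() {
    root="$1"
    f="$root/etc/default/grub"
    if grep -q '^GRUB_ENABLE_CRYPTODISK=' "$f" 2>/dev/null; then
        sed -i 's/^GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' "$f"
    else
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$f"
    fi
}

# Step 12: drop the separate /boot mount from /etc/fstab, since /boot now
# lives inside the encrypted root. Only entries whose mount-point field is
# exactly "/boot" go; comments and entries such as /boot/efi are kept.
drop_boot_from_fstab() {
    root="$1"
    f="$root/etc/fstab"
    awk '$1 ~ /^#/ || $2 != "/boot" { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Sanity check before running grub-mkconfig/grub-install: succeeds only when
# cryptodisk support is enabled and no separate /boot mount remains.
check_target() {
    root="$1"
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" || return 1
    awk '$1 !~ /^#/ && $2 == "/boot" { bad = 1 } END { exit bad }' "$root/etc/fstab"
}
```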