(howto) Install debian with loop-aes encryption in the root partition and the kernel and key in an external pendrive

Last updated 2012-01-02

Booting from a pendrive

Boot from a pendrive with an autonomous debian on it. This can be done following some instructions i left earlier over here

This is a simplification over the tutorial at Debianhelp Howto: Booting Loop-AES Encrypted Root from USB Stick. There, an unencrypted partition is needed (here we use the usb-live debian) and it uses LVM

Setup loop-aes in the pendrive's debian

 apt-get install loop-aes-utils loop-aes-testsuite module-assistant
 module-assistant prepare
 m-a a-i loop-aes

In the loop-aes.README file there are instructions on how to build a statically linked gpg. With the initrd building mechanism of Debian this is not needed, all de dependencies of the gpg binary will be installed in the initrd.

 apt-get install devscripts gpm
 apt-get build-dep gnupg
 apt-get clean
 gpg --gen-key
 mkdir -p builds/gnupg
 cd builds/gnupg
 apt-get source gnupg

Erase any previous data

The official loop-AES.README file at this point explains how to copy the non encrypted partition into the encrypted partition on the fly using aespipe. As we are going to reinstall everything, we do not need that. But first we wipe the entire hard drive with random looking data.

 dd if=/dev/urandom of=/dev/sda bs=8225280 count=30401

The number after the blocksize (bs=) parameter and the count of sectors can be retrieved with an fdisk call:

 # fdisk -l /dev/sda | head -4

 Disk /dev/sda: 250.1 GB, 250059350016 bytes
 255 heads, 63 sectors/track, 30401 cylinders
 Units = cylinders of 16065 * 512 = 8225280 bytes

Launch fdisk and create the root partition now, unless you want to use the entire drive as root partition, without partition tables whatsoever

Create the keyfile

Create the keyfile exactly as stated on the loop-aes.README, section 7.2:

 head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
 | gpg --symmetric -a > /boot/keyfile.gpg

It takes quite a lot of mouse/keyboard movement to fill the kernel entropy pool for /dev/random to give the amount of random bytes necessary for this, so wiggle the mouse around and type in another tty if possible

It is convenient to store a copy of this file in another pendrive or anywhere else, just in case the original pendrive breaks.

Losetup, format and mount the root partition

This is the same procedure to do when fsck'ing and such:

 losetup -e AES256 -K /boot/keyfile.gpg /dev/loop1 /dev/

(you are asked for the key)

 mkfs.ext2 /dev/loop1 # or whatever fs you like
 mount /dev/loop1 /mnt

Debootstrap and configure

Now we debootstrap debian into the /mnt/ directory

 debootstrap --arch i386 squeeze /mnt http://ftp.fi.debian.org/debian

Chroot into the directory and change some imprescindible things

 mount -o bind /dev/ /mnt/dev
 mount -o bind /proc/ /mnt/proc
 mount -o bind /sys/ /mnt/sys
 chroot /mnt
 apt-get install loop-aes-utils
 passwd root
 # without loop-aes-utils the rootfilesystem will not be remounted
 # without a root password you're not going to be able to reboot :)
 # install here any driver/etc you need to have networking later
 # on if needed
 umount /mnt/dev /mnt/proc /mnt/sys
 umount /mnt

Create initramfs

I could have used the build-initrd.sh that comes with loop-AES, but that requires recompiling the kernel. I prefer to use the debian means for creating the initramfs that, surprisingly, have support for loop-aes

Add a line to /etc/fstab _of the pendrive_ (not on the actual / root partition), stating the loop-aes stance for the root device:

 /dev/sda2     /       ext2    loop=/dev/loop1,encryption=AES256,\
 gpgkey=/boot/key file.gpg    0       1

Backup your old initrd

 cp /boot/initramfs.img* /boot/initramfs.img.pendrive

This will allow you to boot again the pendrive with it's own debian. Otherwise, the new pendrive will try to loopaes-decrypt the root partition and the pendrive's debian will never load properly

Update-initramfs as follows:

 update-initramfs -t -u -k `uname -r`


As the pendrive had a working grub on it, you only need to specify the new parameters in the grub commandline

 root (hd0,1)
 linux /boot/vmlinuz-*wicheverversionyouhave* root=/dev/*encryptedrootdevice*
 initrd /boot/initrd.img-*wicheverversionyouhave*

Simple, huh? I leave as an exercise for the reader how to reconfigure the grub menu so you have two pretty entries for the 'autonomous usb key' and for the new filesystem.