Last updated 2012-01-02
Boot from a pendrive with an autonomous Debian on it. This can be done following some instructions I left earlier over here.
This is a simplification of the tutorial at Debianhelp, Howto: Booting Loop-AES Encrypted Root from USB Stick. There, an unencrypted partition is needed (here we use the USB-live Debian instead) and LVM is used.
Setup loop-aes in the pendrive's debian
apt-get install loop-aes-utils loop-aes-testsuite module-assistant
module-assistant prepare
m-a a-i loop-aes
In the loop-AES.README file there are instructions on how to build a statically linked gpg. With the initrd building mechanism of Debian this is not needed: all the dependencies of the gpg binary will be installed into the initrd.
apt-get install devscripts gpm
apt-get build-dep gnupg
apt-get clean
gpg --gen-key
mkdir -p builds/gnupg
cd builds/gnupg
apt-get source gnupg
The official loop-AES.README file at this point explains how to copy the unencrypted partition into the encrypted partition on the fly using aespipe. As we are going to reinstall everything, we do not need that. But first we wipe the entire hard drive with random-looking data, so that later on encrypted blocks cannot be told apart from unused space:
dd if=/dev/urandom of=/dev/sda bs=8225280 count=30401
The number after the blocksize (bs=) parameter is the size of one cylinder in bytes and the count is the number of cylinders; both can be retrieved with an fdisk call:
# fdisk -l /dev/sda | head -4
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
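To see exactly what the dd line above covers, here is an added example of mine (not from the original page) that parses the `fdisk -l` header quoted above and derives bs and count the same way, then reports how many bytes at the end of the disk such a wipe does not touch: the cylinder count times the cylinder size is normally a little less than the disk size. The sample fdisk output is the one quoted on this page; the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the original page: derive the dd wipe parameters
# from `fdisk -l` output (bs = bytes per cylinder, count = cylinders) and
# report how much of the disk a cylinder-aligned wipe leaves untouched.

# Constructed input: the first lines of `fdisk -l /dev/sda` quoted on this page.
FDISK_SAMPLE='Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes'

# Read `fdisk -l` text on stdin and print "bs count unwiped_bytes":
#   bs            = heads * sectors/track * 512 (bytes per cylinder)
#   count         = number of cylinders
#   unwiped_bytes = disk size - bs * count (the partial cylinder at the end)
wipe_params() {
    awk '
        /^Disk .* bytes$/        { size = $(NF-1) }
        / heads, .* cylinders$/  { heads = $1; sectors = $3; cyls = $(NF-1) }
        END {
            bs = heads * sectors * 512
            # %.0f rather than %d: byte counts exceed 32 bits in some awks
            printf "%.0f %.0f %.0f\n", bs, cyls, size - bs * cyls
        }'
}

# Usage on the sample: print the wipe command and the caveat.
set -- $(printf '%s\n' "$FDISK_SAMPLE" | wipe_params)
echo "dd if=/dev/urandom of=/dev/sda bs=$1 count=$2"
echo "bytes at the end of /dev/sda not covered by that wipe: $3"
```

On the page's own disk this gives bs=8225280, count=30401 and 2612736 bytes left unwiped at the end of the device. If you want the whole device overwritten, including that tail, drop the count and let dd run to the end (`dd if=/dev/urandom of=/dev/sda bs=1M`); it stops with "No space left on device", which is the expected way for it to finish.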
Launch fdisk and create the root partition now, unless you want to use the entire drive as the root partition, without any partition table whatsoever.
Create the keyfile exactly as stated in the loop-AES.README, section 7.2:
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
  | gpg --symmetric -a > /boot/keyfile.gpg
It takes quite a lot of mouse/keyboard activity to fill the kernel entropy pool before /dev/random yields this many bytes, so wiggle the mouse around and type in another tty if possible.
It is convenient to store a copy of this file on another pendrive or anywhere else, in case the original pendrive breaks: without the keyfile (and the gpg passphrase protecting it) the root filesystem cannot be decrypted at all.
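Before sealing the key material with gpg (and again whenever you restore the keyfile from a backup) it is worth checking that it has the shape loop-AES's multi-key mode expects: 3705 random bytes become exactly 65 base64 lines of 76 characters, and the head/tail in the pipeline above only strip uuencode's begin and end lines. The following is an added example of mine, not from the page or the loop-AES README. It generates the material with coreutils base64 instead of `uuencode -m` (assumption: both emit 76-column base64, base64 just without the begin/end lines) and reads /dev/urandom by default only so that the check runs instantly; for the real keyfile use /dev/random as the page does. The function names and the /dev/shm path are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: generate loop-AES multi-key
# material the way loop-AES.README section 7.2 does and verify its shape
# before (or after) it goes through gpg. Uses GNU coreutils base64 instead of
# `uuencode -m` (assumption: same 76-column base64 body, no begin/end lines),
# so it does not need sharutils.

# Emit 65 base64 lines of key material (3705 bytes -> 65 lines x 76 chars).
# Default source is /dev/urandom only so the check is quick; pass /dev/random
# for the real keyfile, as the page does.
gen_keymaterial() {
    src="${1:-/dev/urandom}"
    head -c 3705 "$src" | base64 -w 76
}

# Verify that a file has the shape loop-AES expects for a multi-key file:
# exactly 65 lines, each 76 base64 characters, decoding to 3705 bytes.
# Returns 0 if well formed, 1 otherwise, with the reason on stderr.
check_keymaterial() {
    f="$1"
    n=$(wc -l < "$f" | tr -d ' ')
    if [ "$n" -ne 65 ]; then
        echo "expected 65 key lines, got $n" >&2
        return 1
    fi
    bad=$(awk 'length($0) != 76 { c++ } END { print c+0 }' "$f")
    if [ "$bad" -ne 0 ]; then
        echo "$bad line(s) are not 76 characters long" >&2
        return 1
    fi
    bytes=$(base64 -d "$f" | wc -c | tr -d ' ')
    if [ "$bytes" -ne 3705 ]; then
        echo "decoded to $bytes bytes, expected 3705" >&2
        return 1
    fi
    return 0
}

# Usage (same result as the page's pipeline, with a shape check before gpg;
# /dev/shm is tmpfs, so the plaintext key never touches the hard drive):
#   gen_keymaterial /dev/random > /dev/shm/key && check_keymaterial /dev/shm/key \
#     && gpg --symmetric -a < /dev/shm/key > /boot/keyfile.gpg; rm -f /dev/shm/key
```

To check a keyfile you already have, decrypt it into the same tmpfs location and run `check_keymaterial` on that file, then delete it; a keyfile that fails this check (for example one that was saved with a missing trailing newline or with the uuencode begin line still in it) will not give you the filesystem back even with the right passphrase.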
Now set up the loop device. This is also the procedure to follow later whenever you need the filesystem from the pendrive, e.g. for fsck'ing and such:
losetup -e AES256 -K /boot/keyfile.gpg /dev/loop1 /dev/
(you are asked for the key)
mkfs.ext2 /dev/loop1   # or whatever fs you like
mount /dev/loop1 /mnt
Now we debootstrap debian into the /mnt/ directory
debootstrap --arch i386 squeeze /mnt http://ftp.fi.debian.org/debian
Chroot into the directory and change some essential things:
mount -o bind /dev/ /mnt/dev
mount -o bind /proc/ /mnt/proc
mount -o bind /sys/ /mnt/sys
chroot /mnt
apt-get install loop-aes-utils   # without loop-aes-utils the root filesystem will not be remounted
passwd root                      # without a root password you're not going to be able to log in after rebooting :)
# install here any driver/etc. you need to have networking later on, if needed
exit
umount /mnt/dev /mnt/proc /mnt/sys
umount /mnt
I could have used the build-initrd.sh that comes with loop-AES, but that requires recompiling the kernel. I prefer to use the Debian means of creating the initramfs, which, surprisingly, has support for loop-AES.
Add a line to /etc/fstab _of the pendrive_ (not to the one on the actual encrypted / root partition), stating the loop-AES options for the root device. Keep it on a single line, fstab has no line continuation:
/dev/sda2 / ext2 loop=/dev/loop1,encryption=AES256,gpgkey=/boot/keyfile.gpg 0 1
Back up your old initrd:
cp /boot/initrd.img-`uname -r` /boot/initrd.img-`uname -r`.pendrive
This will allow you to boot the pendrive again with its own Debian. Otherwise the new initrd will try to loop-AES-decrypt the root partition and the pendrive's own Debian will never load properly.
Update grub and the initramfs as follows:
update-grub
update-initramfs -t -u -k `uname -r`
As the pendrive already had a working grub on it, you only need to type the new parameters at the grub command line:
root (hd0,1)
linux /boot/vmlinuz-*whicheverversionyouhave* root=/dev/*encryptedrootdevice*
initrd /boot/initrd.img-*whicheverversionyouhave*
boot
Simple, huh? I leave it as an exercise for the reader to reconfigure the grub menu so you have two pretty entries, one for the 'autonomous USB key' and one for the new filesystem.