Install Debian Wheezy with encrypted root partition on RAID 1 on remote server


The data is encrypted and the system can be booted remotely by entering the LUKS passphrase over the serial console. Alternatively, dropbear (a small SSH server) could be used to decrypt the disk through SSH if no serial console is available.

Of course, since a possible attacker has control over the hardware and neither the boot manager nor the initrd is encrypted, these methods can be circumvented.

The instructions can be easily adapted for different RAID/LVM setups.


Start rescue system with the required tools:

If the RAID or LVM is active (e.g. automatically assembled by the rescue system), disable them:

# vgchange -an
# mdadm --stop /dev/mdX

Use dd if=/dev/urandom of=/dev/.. if you want to wipe the existing data on the disks.

Partition disks

Add a single partition as “Linux raid autodetect” (fd) on both disks.

# fdisk /dev/sda
# fdisk /dev/sdb

Create RAID

To get the size of the disks, run the command with a very large size; the error message tells you ;-)

To prevent problems with variable sizes of new disks, subtract ca. 50M from the size. Shouldn’t be necessary, but better safe than sorry.

# mdadm --create /dev/md/0 --level 1 --raid-devices=2 --size=<size> /dev/sda1 /dev/sdb1

Metadata 1.2 is fine, GRUB 2 can boot from it.

Partition RAID

# fdisk /dev/md/0

In the following example I’ll use two partitions; feel free to adapt this to your needs.

Setup LUKS

Use AES-XTS to prevent a possible CBC malleability attack and a longer iteration time to make brute force attacks more difficult. AES-XTS has been the default since Jessie.

# cryptsetup luksFormat --iter-time 2000 --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/md/0p2
# cryptsetup luksOpen /dev/md/0p2 md0p2_example

Setup LVM

# pvcreate /dev/mapper/md0p2_example
# vgcreate example /dev/mapper/md0p2_example

Create volumes, adapt to your needs.

# lvcreate --size 2G --name root example
# lvcreate --size 4G --name swap example
# lvcreate --size 5G --name usr  example
# lvcreate --size 4G --name var  example

Let’s keep the rest unused for now. Ext4 can always be resized online later if necessary:

# lvresize -L 10G /dev/mapper/example-usr
# resize2fs /dev/mapper/example-usr

Create filesystems

Boot partition:

# mkfs.ext4 /dev/md/0p1

The other file systems:

# mkfs.ext4 /dev/mapper/example-root
# mkfs.ext4 /dev/mapper/example-usr
# mkfs.ext4 /dev/mapper/example-var

And swap:

# mkswap -f /dev/mapper/example-swap

Install base

Mount all file systems.

# mount /dev/mapper/example-root /mnt
# cd /mnt
# mkdir boot usr var
# mount /dev/md/0p1 /mnt/boot
# mount /dev/mapper/example-usr /mnt/usr
# mount /dev/mapper/example-var /mnt/var

Install the base system with debootstrap.

# debootstrap wheezy /mnt

Mount the necessary virtual file systems.

# mount --bind /dev /mnt/dev
# mount -t devpts devpts /mnt/dev/pts
# mount -t proc proc /mnt/proc
# mount -t sysfs sysfs /mnt/sys

Copy mtab and adapt it for the chroot. This is important for mount and df inside the chroot, which are used by many installers.

# cp /etc/mtab /mnt/etc
# $EDITOR /mnt/etc/mtab

Work in chroot

# chroot /mnt /bin/bash

Create fstab:

# cat >/etc/fstab
proc                      /proc   proc    defaults,hidepid=2  0 0
/dev/md0p1                /boot   ext4    defaults            0 2
/dev/mapper/example-root  /       ext4    errors=remount-ro   0 1
/dev/mapper/example-usr   /usr    ext4    defaults            0 2
/dev/mapper/example-var   /var    ext4    defaults            0 2
/dev/mapper/example-swap  none    swap    sw                  0 0

Create crypttab:

# blkid /dev/md/0p2
# cat >/etc/crypttab
md0p2_example UUID=[...] none luks

Set root password:

# passwd

Update hostname:

# $EDITOR /etc/hostname

Configure the network:

# $EDITOR /etc/hosts
# $EDITOR /etc/network/interfaces
# $EDITOR /etc/resolv.conf

Enable login from serial console. Add the following line to /etc/inittab:

T0:23:respawn:/sbin/getty -L ttyS0 57600 vt100

Install a kernel:

# apt-get --no-install-recommends install linux-image-amd64

Install important packages:

# apt-get --no-install-recommends install mdadm lvm2 cryptsetup kbd

Install GRUB 2:

# apt-get --no-install-recommends install grub-pc

Install GRUB on /dev/sda and /dev/sdb so the system can boot from either in case a disk fails:

# grub-install /dev/sda
# grub-install /dev/sdb

Configure GRUB in /etc/default/grub to allow booting over the serial console:

GRUB_SERIAL_COMMAND="serial --speed=57600"

Also enable it for the kernel (important):

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,57600"

Don’t forget to run update-grub.


Check if the RAID sync is complete:

# cat /proc/mdstat
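
Before rebooting a machine you cannot reach physically, it helps to check the files written in the chroot against each other. The script below is an added example, not part of the original guide; its function names are hypothetical and it assumes the names used above (/dev/md/0p2, md0p2_example, ttyS0).

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print the baud rate of each serial setting: inittab getty, GRUB, kernel.
serial_speeds() {  # args: inittab-file grub-default-file
    sed -n 's/^[^#]*getty.* ttyS0 \([0-9][0-9]*\).*/\1/p' "$1"
    sed -n 's/^GRUB_SERIAL_COMMAND=.*--speed=\([0-9][0-9]*\).*/\1/p' "$2"
    sed -n 's/^GRUB_CMDLINE_LINUX=.*console=ttyS0,\([0-9][0-9]*\).*/\1/p' "$2"
}

# Succeed only if exactly three settings are found and they agree on one speed.
check_serial() {  # args: inittab-file grub-default-file
    speeds=$(serial_speeds "$1" "$2")
    [ "$(printf '%s\n' "$speeds" | grep -c .)" -eq 3 ] ||
        { echo "serial: expected exactly three console settings" >&2; return 1; }
    [ "$(printf '%s\n' "$speeds" | sort -u | grep -c .)" -eq 1 ] ||
        { echo "serial: baud rates differ" >&2; return 1; }
}

# Succeed only if crypttab maps NAME to UUID=<uuid> with the luks option.
check_crypttab() {  # args: crypttab-file name uuid
    awk -v n="$2" -v u="UUID=$3" '
        $1 == n && $2 == u && index("," $4 ",", ",luks,") { ok = 1 }
        END { exit !ok }' "$1" ||
        { echo "crypttab: no luks entry '$2' for UUID $3" >&2; return 1; }
}

# Succeed only if the fstab file exists and has an entry for /.
check_fstab() {  # args: fstab-file
    { [ -f "$1" ] && awk '$1 !~ /^#/ && $2 == "/" { ok = 1 } END { exit !ok }' "$1"; } ||
        { echo "fstab: $1 missing or has no / entry" >&2; return 1; }
}

# Run inside the chroot before rebooting: sh preboot-check.sh --check
if [ "${1:-}" = "--check" ]; then
    uuid=$(blkid -s UUID -o value /dev/md/0p2)
    check_fstab /etc/fstab &&
        check_crypttab /etc/crypttab md0p2_example "$uuid" &&
        check_serial /etc/inittab /etc/default/grub &&
        echo "ok: fstab, crypttab and serial console settings are consistent"
fi
```
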

Done, let’s hope it boots.

# reboot

Rescue system

Detect LVM groups in rescue system (if they aren’t detected automatically):

# vgscan
# lvscan
# vgchange -ay


Last updated 2018-05-20 17:09:22 CEST
