Install Debian Wheezy (or later) with encrypted root partition on RAID 1 on remote server

First written 2014-09-04; Last updated 2019-12-11

The data is encrypted and the system can be booted remotely by entering the LUKS passphrase over the serial console. Alternatively, dropbear (a small SSH server) could be used to unlock the disk through SSH if no serial console is available.

Of course, since a possible attacker has control over the hardware and neither the boot manager nor the initrd is encrypted, these methods can be circumvented.

The instructions can be easily adapted for different RAID/LVM setups.

Preparation

Start rescue system with the required tools:

  • cryptsetup

  • mdadm

  • LVM (pvcreate, vgcreate, lvcreate, etc.)

  • debootstrap

If the RAID or LVM is active (e.g. automatically assembled by the rescue system), disable them:

# vgchange -an
# mdadm --stop /dev/mdX

Use dd if=/dev/urandom of=/dev/.. if you want to wipe the existing data on the disks.

Partition disks

Add a single partition as “Linux raid autodetect” (fd) on both disks (the actual partition type does not matter but it can help when looking at the raw partition in the future).

# fdisk /dev/sda
[...]
# fdisk /dev/sdb
[...]

Create RAID

To get the maximum usable size of the disks, run the command with a far too large --size; the error message tells you the limit ;-)

# mdadm --create /dev/md/0 --level 1 --raid-devices=2 --size=<size> /dev/sda1 /dev/sdb1

Metadata 1.2 is fine, GRUB 2 can boot from it.

Partition RAID

# fdisk /dev/md/0

In the following example I’ll use two partitions, feel free to adapt to your needs.

  • Boot partition with at least 200M

  • LUKS partition for the rest, type “Non-FS data” (da)

Setup LUKS

Use AES-XTS to prevent a possible CBC malleability attack, and a longer iteration time to make brute-force attacks on the passphrase more difficult. AES-XTS is the default since Jessie.

# cryptsetup luksFormat --iter-time 2000 --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/md/0p2
# cryptsetup luksOpen /dev/md/0p2 md0p2_example
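As an added check (not part of the original article), the following script compares the settings recorded in a LUKS header, as printed by cryptsetup luksDump, with the ones chosen above: AES in XTS mode (aes-xts-plain64) and a 512-bit master key. The earlier default, aes-cbc-essiv:sha256 with a 256-bit key, is reported as weak. The parser assumes the LUKS1 luksDump layout of that era; the two luksDump outputs embedded below are constructed sample data.

```shell
# Added example, not from the original article: verify a LUKS1 header
# against the parameters used in the luksFormat command above.

# Constructed luksDump output for a header created with the recommended settings.
GOOD_DUMP='LUKS header information for /dev/md0p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             425000'

# Constructed luksDump output for a header created with the old CBC defaults.
WEAK_DUMP='LUKS header information for /dev/md0p2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2048
MK bits:        256
Key Slot 0: ENABLED
        Iterations:             60000'

# check_luks_header: reads luksDump output on stdin and prints "ok" when
# cipher, mode and master key size match the recommendation, otherwise
# "weak:" followed by each setting that differs.
check_luks_header() {
    awk '
        /^Cipher name:/ { cipher = $3 }
        /^Cipher mode:/ { mode = $3 }
        /^MK bits:/     { bits = $3 }
        END {
            bad = ""
            if (cipher != "aes")       bad = bad " cipher=" cipher
            if (mode != "xts-plain64") bad = bad " mode=" mode
            if (bits + 0 < 512)        bad = bad " key-size=" bits
            if (bad == "") print "ok"; else print "weak:" bad
        }'
}

# Real use after luksFormat:
#   cryptsetup luksDump /dev/md/0p2 | check_luks_header
printf '%s\n' "$WEAK_DUMP" | check_luks_header
```

Running it on the weak sample prints the mode and key size that differ; the iteration count is deliberately not checked, because it depends on the CPU speed of the machine that ran luksFormat.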

Setup LVM

# pvcreate /dev/mapper/md0p2_example
# vgcreate example /dev/mapper/md0p2_example

Create volumes, adapt to your needs.

# lvcreate --size 10G --name root example
# lvcreate --size 4G  --name swap example
# lvcreate --size 4G  --name var  example

Let's keep the rest unused for now. Ext4 can always be resized online later if necessary:

# lvresize -L 10G /dev/example/root
# resize2fs /dev/example/root

Create filesystems

Boot partition:

# mkfs.ext4 /dev/md/0p1

The other file systems:

# mkfs.ext4 /dev/example/root
# mkfs.ext4 /dev/example/var

And swap:

# mkswap -f /dev/example/swap

Install base

Mount all file systems.

# mount /dev/example/root /mnt
# cd /mnt
# mkdir boot var
# mount /dev/md/0p1 /mnt/boot
# mount /dev/example/var /mnt/var

Install the base system with debootstrap.

# debootstrap wheezy /mnt http://ftp.de.debian.org/debian

Mount the necessary virtual file systems.

# mount --bind /dev /mnt/dev
# mount -t devpts devpts /mnt/dev/pts
# mount -t proc proc /mnt/proc
# mount -t sysfs sysfs /mnt/sys

Copy mtab and adapt it for the chroot. This matters for mount and df inside the chroot, which many installers use.

# cp /etc/mtab /mnt/etc
# $EDITOR /mnt/etc/mtab
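One way to do the adaptation mechanically instead of by hand, as an added example that is not part of the original article: keep only the mounts below the chroot prefix, strip the prefix, and turn the chroot root itself into "/". The prefix /mnt is an assumption taken from the mount commands above; the mtab contents embedded below are constructed sample data.

```shell
# Added example, not from the original article: rewrite the rescue system's
# mtab so it describes the mounts as seen from inside the chroot.

# Assumed chroot prefix (the article mounts the new root on /mnt).
CHROOT=/mnt

# Constructed sample mtab of a rescue system with the new root on /mnt.
SAMPLE_MTAB='/dev/sdc1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
/dev/mapper/example-root /mnt ext4 rw,relatime 0 0
/dev/md0p1 /mnt/boot ext4 rw,relatime 0 0
/dev/mapper/example-var /mnt/var ext4 rw,relatime 0 0
udev /mnt/dev devtmpfs rw 0 0
devpts /mnt/dev/pts devpts rw 0 0
proc /mnt/proc proc rw 0 0
sysfs /mnt/sys sysfs rw 0 0'

# adapt_mtab_for_chroot PREFIX: reads mtab lines on stdin and prints the
# rewritten lines. An exact match of PREFIX becomes "/", "PREFIX/x" becomes
# "/x", everything else (including a path like /mntfoo that merely shares
# characters with the prefix) is dropped.
adapt_mtab_for_chroot() {
    awk -v p="$1" '
        $2 == p               { $2 = "/"; print; next }
        index($2, p "/") == 1 { $2 = substr($2, length(p) + 1); print; next }
    '
}

# adapted_sample: the constructed mtab above rewritten for the chroot.
adapted_sample() {
    printf '%s\n' "$SAMPLE_MTAB" | adapt_mtab_for_chroot "$CHROOT"
}

# Real use in the procedure (commented out so the example runs offline):
#   adapt_mtab_for_chroot /mnt </etc/mtab >/mnt/etc/mtab
adapted_sample
```

The rescue system's own root (/dev/sdc1 on /) and its /proc disappear from the result, so df and mount inside the chroot report only the new system's file systems.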

Work in chroot

# chroot /mnt /bin/bash

Create fstab:

# cat >/etc/fstab
proc                      /proc   proc    defaults,hidepid=2  0 0
/dev/md0p1                /boot   ext4    defaults            0 2
/dev/example/root         /       ext4    errors=remount-ro   0 1
/dev/example/var          /var    ext4    defaults            0 2
/dev/example/swap         none    swap    sw                  0 0

Create crypttab:

# blkid /dev/md/0p2
[...]
# cat >/etc/crypttab
md0p2_example UUID=[...] none luks
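The crypttab line can be generated from the blkid output rather than pasted, as in the added example below (not part of the original article). The important caveat it enforces: the UUID must come from the LUKS container (TYPE="crypto_LUKS", the /dev/md/0p2 device), not from the opened mapping under /dev/mapper, whose blkid line shows the UUID of the LVM physical volume inside the container. The two blkid lines embedded below are constructed sample data.

```shell
# Added example, not from the original article: build a crypttab entry from
# a line of blkid output, accepting only a LUKS container.

# Constructed blkid output for the LUKS container and for a plain file system.
SAMPLE_LUKS_BLKID='/dev/md0p2: UUID="0b3f2a7c-1d2e-4f5a-9b8c-7d6e5f4a3b2c" TYPE="crypto_LUKS"'
SAMPLE_EXT4_BLKID='/dev/mapper/example-root: UUID="6f1c9e2d-3a4b-4c5d-8e9f-0a1b2c3d4e5f" TYPE="ext4"'

# crypttab_entry NAME BLKID_LINE: prints "NAME UUID=<uuid> none luks" and
# returns 0, or prints nothing and returns 1 when the line does not describe
# a LUKS container or carries no well-formed UUID.
crypttab_entry() {
    name=$1
    line=$2
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    uuid=$(printf '%s\n' "$line" \
        | sed -n 's/.* UUID="\([0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Real use inside the chroot:
#   crypttab_entry md0p2_example "$(blkid /dev/md/0p2)" >>/etc/crypttab
crypttab_entry md0p2_example "$SAMPLE_LUKS_BLKID"
```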

Set root password:

# passwd

Update hostname:

# $EDITOR /etc/hostname

Configure the network:

# $EDITOR /etc/hosts
# $EDITOR /etc/network/interfaces
# $EDITOR /etc/resolv.conf

Enable login from serial console. Add the following line to /etc/inittab:

T0:23:respawn:/sbin/getty -L ttyS0 57600 vt100

Install a kernel:

# apt-get --no-install-recommends install linux-image-amd64

Install important packages:

# apt-get --no-install-recommends install mdadm lvm2 cryptsetup kbd

Install GRUB 2:

# apt-get --no-install-recommends install grub-pc

Install GRUB on /dev/sda and /dev/sdb so the system can boot from either in case a disk fails:

# grub-install /dev/sda
# grub-install /dev/sdb

Configure GRUB in /etc/default/grub to allow booting over the serial console:

GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=57600"

Also enable it for the kernel (important):

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,57600"

Don’t forget to run update-grub.

Reboot

Check if the RAID sync is complete:

# cat /proc/mdstat
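Reading /proc/mdstat by eye is enough on one machine; the added example below (not part of the original article) classifies it in a script instead, so the check can be repeated or put in a loop before the reboot. It prints "syncing" while a resync, recovery, reshape or check is running or pending, "degraded" when a member slot is missing (an underscore in the [UU] status), and "clean" otherwise. The three /proc/mdstat texts embedded below are constructed sample data.

```shell
# Added example, not from the original article: classify the state of the
# arrays listed in /proc/mdstat.

# Constructed /proc/mdstat samples: initial resync running, one mirror
# missing, and a fully synced clean mirror.
MDSTAT_SYNCING='Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      976630464 blocks super 1.2 [2/2] [UU]
      [==>..................]  resync = 12.3% (120000000/976630464) finish=90.5min speed=157000K/sec

unused devices: <none>'

MDSTAT_DEGRADED='Personalities : [raid1]
md0 : active raid1 sda1[0]
      976630464 blocks super 1.2 [2/1] [U_]

unused devices: <none>'

MDSTAT_CLEAN='Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      976630464 blocks super 1.2 [2/2] [UU]

unused devices: <none>'

# mdstat_state: reads /proc/mdstat text on stdin and prints exactly one of
# "syncing", "degraded" or "clean". The sync check comes first because a
# resyncing mirror also shows [UU].
mdstat_state() {
    content=$(cat)
    if printf '%s\n' "$content" | grep -Eq '(resync|recovery|reshape|check) *='; then
        echo syncing
    elif printf '%s\n' "$content" | grep -Eq '\[[U_]*_[U_]*\]'; then
        echo degraded
    else
        echo clean
    fi
}

# Real use before the reboot:
#   while [ "$(mdstat_state </proc/mdstat)" = syncing ]; do sleep 60; done
printf '%s\n' "$MDSTAT_SYNCING" | mdstat_state
```

A "degraded" result before the first reboot means the mirror is not yet protecting the data and is worth investigating before continuing.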

Done, let’s hope it boots.

# reboot

Rescue system

Detect LVM groups in the rescue system (if they aren’t detected automatically):

# vgscan
# lvscan
# vgchange -ay
