#include <infodrom.style>
#include <debian.style>

<page title="Debian Tips">
<h1 align=center>Howto install Debian with encryption on a USB stick</h1>
<p>This is an extension to <a href="debian-usb.html">Howto install
Debian on a USB stick</a>. Filesystem options apply to an encrypted
system as well. If you are unable to add these options during
installation you can always alter <code>/etc/fstab</code> later.</p>

<p>The installation of Debian on an encrypted USB stick is very easy.
Starting with Debian GNU/Linux 5.0 alias <code>lenny</code> the
installation automatically supports encrypted LUKS containers that
contain swap space and the root filesystem.</p>

<p>Hence, selecting the option "Guided - use entire disk and set up
encrypted LVM" as target will create a <code>/boot</code> partition of
255MB size and use the remaining space on the stick as encrypted LUKS
container for swap and the root filesystem.</p>
<p>After booting the new system the initial ramdisk will ask for the
password to unlock the encrypted container and continue with the
system boot process. After adding the <code>rootdelay</code>
parameter to GRUB (it makes the initial ramdisk wait a few seconds so
that the slowly enumerating USB stick is present before the root
filesystem is looked up) you will be able to boot into your new system.</p>
<p>A problem arises, however, when Linux assigns a different device
name to your stick than it had during the installation. In that case
the initial ramdisk cannot find the proper container to unlock and the
system cannot be booted any further.</p>
<p>You'll need an existing GNU/Linux system to rebuild the initial
ramdisk so that the proper container can be unlocked. Mount the
<code>/boot</code> partition (probably <code>/dev/sdb1</code>) of your
USB stick and extract the initial ramdisk into a scratch directory for
inspection:</p>

<pre>
sudo mount /dev/sdb1 /mnt
mkdir initrd && cd initrd
zcat /mnt/initrd.img-2.6.26-2-686 | cpio -i
</pre>
<p>The file <code>/conf/conf.d/cryptroot</code> contains the mapping
between encrypted containers and filesystems. The file looks like:</p>

<pre>
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
</pre>
<p>You'll need to adjust the encrypted device names to use a UUID as
well. Running <code>blkid</code> on the partition holding the container
(here <code>/dev/sda2</code>) prints the UUID stored in the LUKS
header, which is the id to use. After your adjustments the file should
look like:</p>

<pre>
target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-root
target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-swap_1
</pre>
<p>After these adjustments the initial ramdisk needs to be rebuilt (from
inside the extracted tree) and installed in <code>/boot</code> again:</p>

<pre>
find . | cpio -R 0:0 --reproducible -o -H newc | gzip > ../initrd.img
sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686
</pre>
<h3>Custom disk layout</h3>
<p>USB sticks tend to be too small for what they are needed for.
Therefore it is a good idea to save as much space as possible. You
don't need 256 MB for <code>/boot</code>, for example; 64 MB is
sufficient for two kernels and their initrds. Since USB sticks also
tend to be slow for write accesses, their usefulness as swap device is
highly questionable. To have some more space for your GNU/Linux system,
you may want to skip the swap partition as well.</p>
<p>Select "Manual" in the partitioner and remove all partitions
from the USB stick. Next create your boot partition of the size you
prefer and select <code>ext2</code> as filesystem. Don't forget the
<code>noatime</code> and <code>relatime</code> options.</p>
<p>The next step is to create the encrypted container for your root
filesystem. Create another partition on your stick but don't assign a
filesystem to it. Select "Physical volume for encryption" instead.
Then switch back to the partition menu.</p>
<p>Now select "Configure encrypted volumes" and prepare the new
partition. You should be prepared to enter a long passphrase to
protect the encrypted container. Wiping the partition beforehand takes
a while; use that time to come up with a good passphrase. After the
container has been created an <code>ext3</code> filesystem is built on
top of it. You can switch to <code>ext2</code> and select filesystem
options later. The filesystem will be rebuilt afterwards.</p>
<p>The rest of the installation is as usual. Select the meta packages
you'd like to install and install GRUB in the master boot record.
Booting the system after reboot might not work, so you'll need an
existing GNU/Linux system to alter the initial ramdisk.</p>
<p>Find out the UUID of the partition hosting the encrypted container
and adjust the config file <code>/conf/conf.d/cryptroot</code> to use
the UUID instead of the canonical device name. The file should look
like:</p>

<pre>
target=sda2_crypt,source=UUID=118aad92-4ba2-4834-befa-1c3ff7a75689,key=none
</pre>
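<p>As an added example (not part of the original page), the following
script performs the <code>cryptroot</code> rewrite described here and in
the first section: it replaces the device name in every
<code>source=</code> field with the UUID that <code>blkid</code> reports
for that partition and then checks that no device name is left. The file
paths and sample contents are constructed; <code>blkid</code> is assumed
to be available when no UUID is passed explicitly.</p>

```sh
#!/bin/sh
# Added example, not from the original page: rewrite the extracted initrd's
# conf/conf.d/cryptroot so the LUKS container is referenced by UUID instead
# of a device name, which is what breaks when the stick is renumbered.
# Assumes a GNU/Linux host with blkid; the sample data below is constructed.

# UUID of a block device as reported by blkid. For a LUKS partition this is
# the UUID in the LUKS header, which is what the initrd matches on.
device_uuid() {
    blkid -s UUID -o value "$1"
}

# rewrite_cryptroot FILE [UUID]
# Rewrite every "source=/dev/..." field in FILE to "source=UUID=...". The
# UUID is looked up with blkid unless given explicitly (handy when the file
# is edited on a host where the stick is not attached).
rewrite_cryptroot() {
    file=$1; fixed=$2
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        case $line in
        *source=/dev/*)
            dev=${line#*source=}; dev=${dev%%,*}
            uuid=${fixed:-$(device_uuid "$dev")}
            if [ -z "$uuid" ]; then
                echo "rewrite_cryptroot: no UUID for $dev" >&2
                rm -f "$tmp"; return 1
            fi
            rest=${line#*source=$dev}
            line="${line%%source=*}source=UUID=$uuid$rest"
            ;;
        esac
        printf '%s\n' "$line"
    done <"$file" >"$tmp" && mv "$tmp" "$file"
}

# cryptroot_ok FILE: succeed only if no device-name sources are left.
cryptroot_ok() {
    ! grep -q 'source=/dev/' "$1"
}

# Constructed sample: the lenny-style cryptroot from above, with the UUID
# passed in so the example runs without the stick attached.
SAMPLE=$(mktemp)
printf '%s\n' \
    'target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root' \
    'target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1' >"$SAMPLE"
rewrite_cryptroot "$SAMPLE" 644399cc-e967-41e0-8d85-87d790cc13f8
cat "$SAMPLE"
```

Omit the second argument to have the UUID looked up with <code>blkid</code> while the stick is attached.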
<p>After rebuilding the ramdisk as described above edit the
<code>menu.lst</code> file to append the <code>rootdelay=8</code>
option to the kernel line. A boot record should look like:</p>

<pre>
title Debian GNU/Linux, kernel 2.6.26-2-686
kernel /vmlinuz-2.6.26-2-686 root=/dev/mapper/sda2_crypt ro quiet rootdelay=8
initrd /initrd.img-2.6.26-2-686
</pre>
<p>After that you should be able to boot your newly created system. The
initial ramdisk will ask for the passphrase automatically upon boot and
cannot continue unless you have entered the correct passphrase.</p>
<p>I've installed a regular Debian desktop on a USB stick with laptop
features. After executing <code>apt-get clean</code> there was about
1.2 GB free space on a 4 GB stick. That should be enough for a mobile
system with some data. The larger the stick the more data can be
stored on it, of course.</p>