Document support for address lookup

[infodrom.org/www.infodrom.org] / src / Debian / tips / debian-cryptroot-usb.wml

#include <infodrom.style>
#include <debian.style>

<page title="Debian Tips">

<h1 align=center>Howto install Debian encryptedly on a USB stick</h1>

<p>This is an extension to <a href="debian-usb.html">Howto install
Debian on a USB stick</a>.  Filesystem options apply to an encrypted
system as well.  If you are unable to add these options during
installation you can always alter <code>/etc/fstab</code> later.</p>

<p>The installation of Debian on an encrypted USB stick is very easy.
Starting with Debian GNU/Linux 5.0 alias <code>lenny</code> the
installation automatically supports encrypted LUKS containers that
contain swap space and the root filesystem.</p>

<p>Hence, selecting the option "Guided - use entire disk and set up
encrypted LVM" as target will create a <code>/boot</code> partition of
255MB size and use the remaining space on the stick as encrypted LUKS
container for swap and the root filesystem.</p>

<p>After booting the new system the initial ramdisk will ask for the
password to unlock the encrypted container and continue with the
system boot process.  After adding the <code>rootdelay</code>
parameter to GRUB you will be able to boot into your new system.</p>

<p>A problem arises however, when Linux numbers your stick differently
than during the installation.  In that case the initial ramdisk cannot
unlock the proper container and the system cannot be bootet further.</p>

<p>You'll need an existing GNU/Linux system to rebuild the inital
ramdisk so that the proper container can be unlocked.  Mount the
<code>/boot</code> partition (probably <code>/dev/sdb1</code>) of your
USB stick and extract the initial ramdisk for inspection:</p>

<p><pre>
  sudo mount /dev/sdb1 /mnt
  mkdir /tmp/initrd
  cd /tmp/initrd
  zcat /mnt/initrd.img-2.6.26-2-686 | cpio -i
</pre></p>

<p>The file <code>/conf/conf.d/cryptroot</code> contains the mapping
between encrypted containers and filesystems.  The file looks like:</p>

<p><pre>
  target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
  target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
</pre></p>

<p>You'll need to adjust the encrypted device names to use UUID as
well.  The <code>blkid</code> program will help you find out the
proper id.  After your adjustments the file should look like:</p>

<p><pre>
  target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-root
  target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-swap_1
</pre></p>

<p>After these adjustments the initial ramdisk needs to be rebuilt and
installed in <code>/boot</code> again:</p>

<p><pre>
  cd /tmp/initrd
  find . | cpio -R 0:0 --reproducible -o -H newc | gzip > ../initrd.img
  sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686
</pre></p>

<h3>Custom disk layout</h3>

<p>USB sticks tend to be too small for what they are needed.
Therefore it is a good idea to save as much space as possible.  You
don't need 256 MB for <code>/boot</code> for example.  64 MB space is
sufficient for two kernels and initrd.  Since USB sticks also tend to
be slow for write accesses their usefullness as swap device is highly
questionable.  To have some more space for your GNU/Linux system, you
may want to skip the swap partition as well.</p>

<p>Select "Manual" in the partitioner and clean remov all partitions
from the USB stick.  Next create your boot partition of the size you
prefer and select <code>ext2</code> as filesystem.  Don't forget the
<code>noatime</code> and <code>relatime</code> options.</p>

<p>The next step is to create the encrypted container for your root
filesystem.  Create another partition on your stick but don't assign a
filesystem to it.  Select "Physical volume for encryption" instead.
Then switch back to the partition menu.</p>

<p>Now select "Configure encrypted volumnes" and prepare the new
partition.  You should be prepared to enter a long passphrase to
protect the encrypted container.  Wiping the disk before will take a
while.  Use it to generate a good passphrase.  After the container has
been created an <code>ext3</code> filesystem is built upon it.  You
can switch to <code>ext2</code> and select filesystem options later.
The filesystem will be rebuilt afterwards.</p>

<p>The rest of the installation is as usual.  Select the meta packages
you'd like to install and install GRUB in the master boot record.
Booting the system after reboot might not work, so you'll need an
existing GNU/Linux system to alter the initial ramdisk.</p>

<p>Find out the UUID of the partition hosting the encrypted container
and adjust the config file <code>/conf/conf.d/cryptroot</code> to use
the UUID instead of the canonical device name.  The file should look
like:</p>

<p><pre>
  target=sda2_crypt,source=UUID=118aad92-4ba2-4834-befa-1c3ff7a75689,key=none
</pre></p>

<p>After rebuilding the ramdisk as described above edit the
<code>menu.lst</code> file to append <code>rootdelay=8</code>
option.  A boot record should look like:</p>

<p><pre>
  title           Debian GNU/Linux, kernel 2.6.26-2-686
  root            (hd0,0)
  kernel          /vmlinuz-2.6.26-2-686 root=/dev/mapper/sda2_crypt ro quiet rootdelay=8
  initrd          /initrd.img-2.6.26-2-686
</pre></p>

<p>After that you should be able to boot your newly created system.  The
boot system will ask for the passphrase automatically upon boot and is
unable to continue unless you have entered the correct passphrase.</p>

<p>I've installed a regular Debian desktop on a USB stick with laptop
features.  After executing <code>apt-get clean</code> there was about
1.2 GB free space on a 4 GB stick.  That should be enough for a mobile
system with some data.  The larger the stick the more data can be
stored on it, of course.</p>

</page>

# Local variables:
# mode: indented-text
# end: