--- /dev/null
+#include <infodrom.style>
+#include <debian.style>
+
+<page title="Debian Tips">
+
+<h1 align=center>Howto install Debian encryptedly on a USB stick</h1>
+
+<p>This is an extension to <a href="debian-usb.html">Howto install
+Debian on a USB stick</a>. Filesystem options apply to an encrypted
+system as well. If you are unable to add these options during
+installation you can always alter <code>/etc/fstab</code> later.</p>
+
+<p>The installation of Debian on an encrypted USB stick is very easy.
+Starting with Debian GNU/Linux 5.0 alias <code>lenny</code> the
+installation automatically supports encrypted LUKS containers that
+contain swap space and the root filesystem.</p>
+
+<p>Hence, selecting the option "Guided - use entire disk and set up
+encrypted LVM" as target will create a <code>/boot</code> partition of
+255MB size and use the remaining space on the stick as encrypted LUKS
+container for swap and the root filesystem.</p>
+
+<p>After booting the new system the initial ramdisk will ask for the
+password to unlock the encrypted container and continue with the
+system boot process. After adding the <code>rootdelay</code>
+parameter to GRUB you will be able to boot into your new system.</p>
+
+<p>A problem arises however, when Linux numbers your stick differently
+than during the installation. In that case the initial ramdisk cannot
+unlock the proper container and the system cannot be bootet further.</p>
+
+<p>You'll need an existing GNU/Linux system to rebuild the inital
+ramdisk so that the proper container can be unlocked. Mount the
+<code>/boot</code> partition (probably <code>/dev/sdb1</code>) of your
+USB stick and extract the initial ramdisk for inspection:</p>
+
+<p><pre>
+ sudo mount /dev/sdb1 /mnt
+ mkdir /tmp/initrd
+ cd /tmp/initrd
+ zcat /mnt/initrd.img-2.6.26-2-686 | cpio -i
+</pre></p>
+
+<p>The file <code>/conf/conf.d/cryptroot</code> contains the mapping
+between encrypted containers and filesystems. The file looks like:</p>
+
+<p><pre>
+ target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-root
+ target=sda2_crypt,source=/dev/sda2,key=none,lvm=triste-swap_1
+</pre></p>
+
+<p>You'll need to adjust the encrypted device names to use UUID as
+well. The <code>blkid</code> program will help you find out the
+proper id. After your adjustments the file should look like:</p>
+
+<p><pre>
+ target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-root
+ target=sda2_crypt,source=UUID=644399cc-e967-41e0-8d85-87d790cc13f8,key=none,lvm=triste-swap_1
+</pre></p>
+
+<p>After these adjustments the initial ramdisk needs to be rebuilt and
+installed in <code>/boot</code> again:</p>
+
+<p><pre>
+ cd /tmp/initrd
+ find . | cpio --dereference -o -H newc | gzip > ../initrd.img
+ sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686
+</pre></p>
+
+</page>
+
+# Local variables:
+# mode: indented-text
+# end:
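Review bot: The last command block overwrites the stick's only initial ramdisk in place (`sudo cp ../initrd.img /mnt/initrd.img-2.6.26-2-686`) with a hand-rebuilt image and no backup, so a mistake in the edited cryptroot file leaves the encrypted system unable to unlock its container. Suggest adding a step that copies the original image aside on `/mnt` before the overwrite, and a closing `umount /mnt` so the write is flushed before the stick is pulled. In the extract and rebuild blocks, `cpio -i` and `find . | cpio --dereference -o -H newc` run without `sudo` while the mount and copy use it, so files are unpacked and re-archived under the invoking user's ownership, and `--dereference` stores symlink targets as full copies rather than links. Either run both as root or state why this is acceptable for this image. The text names the file as `/conf/conf.d/cryptroot`, but the copy to edit is the one extracted under `/tmp/initrd`; writing the path relative to that directory would prevent a reader from looking on the host's root filesystem. The "after" listing should say that the UUID shown is an example and must be replaced with the `blkid` output for the reader's own LUKS partition. Spelling: "bootet" and "inital" in the paragraphs before the first command block, and "encryptedly" in the h1 reads awkwardly.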