Installing Debian to an existing dm-crypt container 2012-05-30

For my new work notebook I am aiming for a setup with Debian and Gentoo side by side. I installed Gentoo first and went for adding Debian today.  For a notebook I want full disk encryption of course, and my plan was to use one big dm-crypt container for everything except /boot.

Interestingly, the installer of Debian testing/wheezy does not support installing into an existing crypt container out of the box, not even when run in expert mode.

There is an outstanding grave functionality bug titled “allow to ‘reuse’ encrypted volumes” about it where Frans Pop states:

It is actually possible to reuse existing encrypted LVM volumes by following
the procedure documented on [1] just before starting the partitioner.

[1] http://wiki.debian.org/DebianInstaller/Rescue/Crypto

The hint about “before starting the partitioner” is the most helpful bit about it. The guide he points to is not specific to the Debian installer, fails to mention vgscan, and is an immutable page, so I cannot improve it easily.

To summarize, this is what worked for me (no warranties!):

  1. When the installer reaches disk partitioning, before picking “manual”, switch to a second console, e.g. <Ctrl>+<Alt>+<F2>, <Return>.
  2. Open the LUKS container using cryptsetup luksOpen /dev/foo foo_crypt. If cryptsetup or the dm-crypt module is missing from the installer environment, fetch them first with anna-install cryptsetup-udeb and anna-install crypto-dm-modules, then modprobe dm-crypt (see the comments below).
  3. Run vgscan to detect the LVM volume group inside the container (lvdisplay alone will not do).
  4. Run vgchange -a y <volume group> to activate all of its logical volumes. The argument is the volume group name that vgscan reported (e.g. debian-vg), not the foo_crypt mapper name.
  5. Switch back to the installer console by pressing <Ctrl>+<Alt>+<F1>; the partitioner will now list your LVM volumes. If it does not, go through “Configure the Logical Volume Manager” once without changing anything so it rescans.
  6. Follow the installation as usual, but make sure cryptsetup ends up in the target system (apt-install cryptsetup from the second console) and stop before rebooting.
  7. On the second console add a line “foo_crypt /dev/foo none luks” to /target/etc/crypttab (the installed system is mounted under /target; editing the installer's own /etc/crypttab does not reach it) so the container is actually opened by the initramfs. The field order is target name, source device, key file, options. A hash= option is only needed for plain dm-crypt; for LUKS the hash is read from the header. Then rebuild the target's initramfs, e.g. in-target update-initramfs -u -k all, otherwise the new line has no effect.

That’s it.
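The whole procedure as shell functions, as an added example that is not code from the original post or from Debian. It also carries a small check of the /etc/crypttab field order, and a variant of the chroot repair from a live system that is described in the comments. The device names are assumptions (adjust to your disk): /dev/sda2 is the LUKS partition, sda2_crypt the mapping name, the installed root lives in /dev/mapper/debian--vg-root and /boot on /dev/sda1.

```shell
#!/bin/sh
# Added example (not from the original post or from Debian). Assumed names:
# /dev/sda2 = LUKS partition, sda2_crypt = mapping name,
# /dev/mapper/debian--vg-root = root LV, /dev/sda1 = unencrypted /boot.

# Build a crypttab line. Field order is target, source, key file, options;
# the source is given as UUID= so that a sda/sdb renumbering does not matter.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Sanity-check one crypttab line: the target must be a bare mapper name and
# the source a device path or UUID=/LABEL= spec. Swapping the two (the
# mistake in the first version of the post) makes the initramfs skip the
# container. Returns 0 when the line looks right, 1 otherwise.
check_crypttab_line() {
    set -- $1                       # word-split the line into its fields
    [ $# -ge 3 ] || return 1        # target, source and key file are mandatory
    case $1 in
        */*|UUID=*|LABEL=*) return 1 ;;
    esac
    case $2 in
        /dev/*|UUID=*|LABEL=*) return 0 ;;
    esac
    return 1
}

# Steps 1-5 above, run on the installer's second console before choosing
# "manual" partitioning. The two udeb names come from the comments below.
open_existing_lvm() {               # open_existing_lvm /dev/sda2 sda2_crypt
    anna-install cryptsetup-udeb
    anna-install crypto-dm-modules
    modprobe dm-crypt
    cryptsetup luksOpen "$1" "$2"
    vgscan
    vgchange -a y                   # activates every volume group found
}

# Step 7, run after the installation has finished but before rebooting.
# The installed system is mounted under /target; in-target runs a command
# inside it. cryptsetup must be present in the target for update-initramfs
# to pick the crypttab entry up.
finish_target() {                   # finish_target /dev/sda2 sda2_crypt
    apt-install cryptsetup
    line=$(crypttab_line "$2" "$(cryptsetup luksUUID "$1")")
    check_crypttab_line "$line" || { echo "refusing bad line: $line" >&2; return 1; }
    echo "$line" >> /target/etc/crypttab
    in-target update-initramfs -u -k all
}

# The same repair from a live system when the installed system does not
# boot: open the container, mount root and /boot, bind the pseudo
# filesystems, fix crypttab and rebuild the initramfs in a chroot.
rescue_from_live() {   # rescue_from_live /dev/sda2 sda2_crypt /dev/mapper/debian--vg-root /dev/sda1
    cryptsetup luksOpen "$1" "$2"
    vgchange -a y
    mount "$3" /mnt
    mount "$4" /mnt/boot
    for fs in dev dev/pts proc sys; do mount --bind "/$fs" "/mnt/$fs"; done
    line=$(crypttab_line "$2" "$(cryptsetup luksUUID "$1")")
    check_crypttab_line "$line" || return 1
    grep -qx "$line" /mnt/etc/crypttab || echo "$line" >> /mnt/etc/crypttab
    chroot /mnt update-initramfs -u -k all
}
```

The mapping name passed to luksOpen must be the same as the target field written to crypttab, otherwise update-initramfs complains and the root volume group is not found at boot.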

Got any corrections or extensions to this post?  Please comment below.

6 Comments
Stuart May 7th, 2013

Register on the wiki and the “immutable” page is then editable by you (this is basic spam prevention, really). Please do so to help keep the wiki up to date.

(I would except I don’t work with encrypted containers so don’t really understand what it is you have done).

Thank you for your contribution to Debian 🙂

Flo September 12th, 2013

Worked fine so far, very glad for this info, very scarce information on the subject.
However, it is worth mentioning that one has to install cryptsetup and the crypt modules and load the necessary modules (aes, dm-crypt) before one can proceed with step 2. Once again the mentioned Debian wiki is not quite accurate, since the dm-crypt module for the installer is not installed via anna-install crypto-dm-modules (not crypto-modules).

Flo September 12th, 2013

sorry, the dm-crypt module for the installer is of course in the crypt-dm modules package, hence:

anna-install crypto-dm-modules

🙂

networms January 9th, 2014

Thanks for the explanation it helps a lot.
I just had to adapt some parts.
vgchange takes a volume group name that is most probably not foo_crypt, where foo will be sdXX; for example Mint creates a mint-vg and I think Ubuntu has an ubuntu-vg.
And in the crypttab it is first target then source.
“foo_crypt /dev/foo none luks”

Eddy June 6th, 2014

Hey, thanks for the explanation as well. It helped me out.
I had to adapt some parts as well, and I think it could be useful for other not so experienced users.
I installed Debian Wheezy (Stable 7.5).
First I chose the normal installation (not expert). Therefore you already have to switch to another terminal when you choose your language and execute “anna-install cryptsetup” and “anna-install crypto-dm-modules” so that the installation kernel loads them during further installation.
When it came to the partitioning part I had to load the module dm-crypt with “modprobe dm-crypt” before I could follow your steps.
After “vgchange -a y “LV-Group”” I needed to rescan the hardware by going back into the installation, of course. To make your LVs usable, you need to configure the “LVM” once again (but you don’t need to change anything). Then follow the installation as usual. (Before you choose your additional software I switched again to the 2nd terminal and added cryptsetup to the installation with “apt-install cryptsetup”. Otherwise it wasn’t installed in the final system for some reason.)
Your last step before reboot didn’t work out for me (or I didn’t get it). So I booted from a live system (Lubuntu 14.04) to fix the system with the following steps in a terminal:
1. Decrypt your LUKS container: “cryptsetup luksOpen /dev/sdxY sdxY_crypt” (where xY has to be adapted, of course)
2. Create a chroot environment by mounting following things
“sudo mount /dev/mapper/’Your-LV-with-installed-system-on’ /mnt”
“sudo mount /dev/mapper/’Your-LV-with-home-folder-on’ /mnt/home” (If necessary)
“sudo mount /dev/sdaxY /mnt/boot” (your non-encrypted boot partition)
(Get access to important System-and Hardware-information )
“sudo mount -t devtmpfs /dev /mnt/dev”
“sudo mount -t devpts /dev/pts /mnt/dev/pts”
“sudo mount -t sysfs /sys /mnt/sys”
“sudo mount -t proc /proc /mnt/proc”
“sudo cp /proc/mounts /mnt/etc/mtab”
3. Enter the chroot-environment with: “sudo chroot /mnt /bin/bash”
I didn’t have an internet connection in the chroot environment, but you don’t need it if cryptsetup was installed during installation.
4. Restore a backup of the crypttab from your “old system” or create a new entry in /etc/crypttab like this:
“sdaxY UUID=”UUID of sdaxY” none luks”
5. Update your initramfs-tools with “update-initramfs -k all -c -t ”
There shouldn’t be any warning like “cryptsetup: WARNING: invalid line in /etc/crypttab”. If there is, make sure that you opened your LUKS container with the same name used in crypttab (sdaxY_crypt is the best choice). When you have no warning, you can reboot and it should work.

So, I hope my explanation is not too long, but I thought it could be helpful, especially for not so experienced users, because your explanation was already very good, but I needed to explore other forums to solve all of my problems.

Best wishes

Eddy June 6th, 2014

Hey,

Just a short edit: The right package name for cryptsetup WITH anna-install is “cryptsetup-udeb”. With apt-install “cryptsetup” is right.

Best wishes
