Skip to main content

Installing Debian to an existing dm-crypt container

For my new work notebook I am aiming for a setup with Debian and Gentoo side by side. I installed Gentoo first and went for adding Debian today. For a notebook I want full disk encyrption of course and my plans were to use one big dm-crypt container for everything except /boot. Interestingly, the installer of Debian testing/wheezy does not support installing into an existing crypt container out of the box, not even when run in expert mode. There is an outstanding grave functionality bug titled "allow to 'reuse' encrypted volumes" about it where Frans Pop states:

It is actually possible to reuse existing encrypted LVM volumes by following the procedure documented on [1] just before starting the partitioner. [1]

The hint about "before starting the partitioner" is the most helpful bit about it. The guide he points to is not specific to the Debian installer, misses to mention vgscan and is an immutable page so i cannot improve it easily. To summarize, this is what worked for me (no warrenties!):

  1. When it comes to disk partitioning before picking "manual" switch to another terminal, e.g. <Ctrl>+<Alt>+<F2>, <Return>.
  2. Open the Luks container using cryptsetup luksOpen /dev/ foo foo_crypt
  3. Run vgscan to detect the LVM volume group inside (lvdisplay alone will not do)
  4. Run vgchange -a y foo_crypt to activate all logical volumes
  5. Switch back to the installer terminal by pressing ++ (which will list LVM your current LVM volumes now)
  6. Follow the installtion as usual but stop before rebooting
  7. On the second shell edit /etc/crypttab to have a line /dev/foo foo_crypt none hash=sha1 so the crypt container is actually opened by the initramfs. Rather than "sha1" you may want to pick whatever cryptsetup luksDump /dev/foo | fgrep -i hash produced.

That's it. Got any corrections or extensions to this post? Please comment below.