A quick guide for those of you struggling to install Debian Stretch, Kali 2.0 or other Linux systems that use the Debian installer, into a previously configured LVM volume group – i.e. into a LUKS encrypted partition.
Example: You have your disk already encrypted with other Linux system(s) present and now you want to install Debian / Kali 2.0 into this encrypted disk. You’d prefer one encrypted partition for your systems, rather than shrinking the size of one to create another.
I recently came across this problems and after searching online found limited information on how this was possible. Debian doesn’t have a Live version to unlock/decrypt a previously configured LVM volume group, Kali does have a Live version, but from 2.0 it is no longer possible to access the installer from the Live version, for whatever reason. So this needs to be done from the Debian installer using BusyBox.
Note: The installer does have the option to set up LVM, but unfortunately does not have a built-into-installer solution for decrypting and mounting a volume group. This has been tested on Debian Jessie 8, Stretch 9 and Kali 2.0.
Fortunately the solution is relatively simple, as I’m sure many people have already discovered although not documented:
- Boot up to installer using a complete installation image (iso). This method isn’t available with the with Debian’s net installer.
- Select expert install option from the Advance options menu, in order to have full control over the Debian installer and access to BusyBox’s Ash shell.
- You can then continue through the installation process as normal; language, country, keyboard layout, detecting hardware, up until loading CD components. Here, to be safe, select all components.
- Next, skip to detect disk, which is required for the next step. Otherwise Ash will not be able to decrypt and mount the LUKS volume to a relevant path.
- Now with all CD components loaded and disk detected, select ‘Execute a shell’ at the bottom of the menu options to enter BusyBox and type:
$ cryptsetup luksOpen /dev/sda5 sda5_crypt
Replace sda5 with your LUKS encrypted partition, then enter password when prompted to do so to unlock your LUKS partition. The label, in this example sda5_crypt, can be as you like and will only be relevant to your operating system currently being installed.
$ vgchange -ay
This activates the logical volumes within the volume group.
- Now head to Partition disk menu option, choosing the Manual option. Here you should now see your logical volumes listed at the top. If this didn’t work then head back to Detect disks for a refresh.
- If you previously set up a root and swap volume for your new system, then simply select these as mount points for root and swap, as LVM configuration is complete. Otherwise use your free space to create them by selecting ‘Configure the Logical Volume Manager’, then selecting the previously configured volume group, create new logical volumes, as you would for standard manual encryption configuration.
- Then return to where you got to before unlocking your disk: Detecting network hardware, continuing through to configuring the network, setting up users and passwords and configuring the clock. Continue to install your system as per usual.
- Next you’ll need to create the crypttab file and update initramfs so that cryptsetup knows which disk you are trying to decrypt and how. This can be done from another Linux based system you have installed on the same disk or from any Live Linux system. The following is taken from the Installation with custom encryption setup tutorial, with the example changed to Debian, encrypted disk as sda5, and boot as sda2.Using Terminal, mount the root logical volume:
$ sudo mount /dev/mapper/debian-root /mnt
Mounting boot partition dedicated to Debian:
$ sudo mount /dev/sda2 /mnt/boot
Mounting special devices:
$ sudo mount –bind /dev /mnt/dev
$ sudo chroot /mnt mount -t proc proc /proc
$ sudo chroot /mnt mount -t sysfs sysfs /sys
$ sudo chroot /mnt mount -t devpts devpts /dev/pts
Creating crypttab file:
$ gksu xed /mnt/etc/crypttab
With the following content:
# <target name> <source device> <key file> <options>
sda5_crypt /dev/sda5 none luks
Finally, update initramfs to update these changes:
$ sudo chroot /mnt update-initramfs -u
- Now you can successfully login to your new Debian based system and run:
$ sudo update-grub
This will then probe and include other operating systems found on the decrypted disk, so your new Debian-based grub offers multi-booting, and your done.