====== Full disk encryption (devuan) ======

This is a quick summary of how to set up encryption during the installation of a Debian based system. It is actually not full disk, but full partition. It assumes you want a separate /, /home and swap, all encrypted. It uses LUKS and dm-crypt. For a detailed explanation, see [[https://xo.tc/full-disk-encryption-on-linux.html]].

This is a summary of the excellent article at [[https://xo.tc/setting-up-full-disk-encryption-on-debian-jessie.html]]. I'm writing this more because he is very, very detailed with lots of pretty pictures, and I wanted a quick and dirty version. Thus, if you want to "know" what you're doing, read his article. If you are pretty sure what you're doing and just want a recipe, use this.

  * Figure out a good passphrase; something you'll remember (you'll type it every time you boot), but that is hard to crack (it secures all your data). I use [[https://xkpasswd.net/s/]] to generate memorable but secure passphrases.
    * For very, very secure, use the default generator.
    * For less secure, but easier to remember, use the XKCD preset (when I do this, I set the SEPARATOR char to random).
  * Do a base [[https://devuan.org|Devuan]] install. Should work for any [[https://debian.org|Debian]] derivative.
  * On the partitioning scheme, create the following. NOTE
    * Partition 1, Primary, 256M, ext4, /boot
    * Partition 5, Logical, 10G, Physical volume for encryption
    * Partition 6, Logical, disk size minus 4G, Physical volume for encryption
    * Partition 7, Logical, 4G, do not use the partition
  * Configure encrypted volumes
    * Create Encrypted Volumes
    * Select sda5 and 6 (/ and /home), then Continue, then Finish
    * Enter the passphrase for both / and /home. Note that /home's passphrase will be overridden later, so it is not critical.
  * Set sda5_crypt (the 10G one) as ext4, mount point /
  * Set sda6_crypt (the big one) as ext4, mount point /home
  * Done with partitioning; select "no" when it complains about the lack of swap (we'll create it later).
  * Finish the installation as you like and reboot the system.
  * Log in as root (or become root).
  * Set up the swap partition. This uses a random key generated at boot time, so each boot generates a new key. The following two commands do that by adding a line to /etc/crypttab and one to /etc/fstab:
<code bash>
echo 'sda7_crypt /dev/sda7 /dev/urandom swap' >> /etc/crypttab
echo '/dev/mapper/sda7_crypt none swap sw 0 0' >> /etc/fstab
</code>
  * Set it up so /home's partition actually uses a key file (stored on /) with no passphrase. Again, the following are the commands from a root prompt:
<code bash>
mkdir /etc/keys
dd if=/dev/random of=/etc/keys/sda6.key bs=1 count=32   # create a 32 byte key
chmod 400 /etc/keys/sda6.key
# add the key file to /dev/sda6. When asked, use the passphrase you created during install
cryptsetup luksAddKey /dev/sda6 /etc/keys/sda6.key
# now remove the passphrase you used at install for sda6 (you'll be asked which one to remove)
cryptsetup luksRemoveKey /dev/sda6
</code>
  * Edit /etc/crypttab, find sda6_crypt, and change 'none' to /etc/keys/sda6.key.

At this point, you should be able to reboot. You will be asked one time for the encryption passphrase (the one for sda5, to be mounted on /). sda6 (mounted on /home) should be decrypted automatically as soon as / is mounted and the key can be found, and swap should also be mounted with a generated key.

Don't forget to Donate. The [[https://xo.tc/full-disk-encryption-on-linux.html|xkpasswd]] site is free, but they have to pay for hosting. [[https://devuan.org|Devuan]] is also free, but they have a **lot** of overhead. Donating to them ensures they are able to continue development of a systemd free Linux.
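A sanity check for the finished layout, added here as an example and not part of the original article or the xo.tc write-up: it verifies the crypttab and fstab lines the recipe adds, that the /home key file is root-only and 32 bytes, and (as root, on the real system) that the key file actually unlocks sda6 before luksRemoveKey drops the install passphrase. Device names, file paths and the use of GNU `stat -c` are assumptions taken from the recipe above.

```sh
#!/bin/sh
# Post-install check for the sda5 (/), sda6 (/home, key file) and sda7 (swap,
# random key) layout. Functions take file paths so they can be run on copies.
# Assumes Linux with GNU coreutils (stat -c) and cryptsetup.

# /home's entry must point at the key file, not 'none', and swap must get a
# fresh key from /dev/urandom on every boot.
check_crypttab() {
    grep -Eq '^sda6_crypt[[:space:]]+/dev/sda6[[:space:]]+/etc/keys/sda6\.key([[:space:]]|$)' "$1" || return 1
    grep -Eq '^sda7_crypt[[:space:]]+/dev/sda7[[:space:]]+/dev/urandom[[:space:]]+swap(,|[[:space:]]|$)' "$1" || return 1
}

# Swap must be mounted through the mapper device, never the raw /dev/sda7
# (a raw entry would put plaintext swap on disk).
check_fstab() {
    grep -Eq '^/dev/mapper/sda7_crypt[[:space:]]+none[[:space:]]+swap([[:space:]]|$)' "$1" || return 1
    if grep -Eq '^/dev/sda7[[:space:]]' "$1"; then return 1; fi
}

# The key file protects /home, so it must be mode 0400 and the full 32 bytes.
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ] || return 1
    [ "$(stat -c '%s' "$1")" -ge 32 ] || return 1
}

# Run this BEFORE luksRemoveKey: --test-passphrase checks that the key file
# opens the LUKS device without mapping it, so a bad key cannot lock you out.
verify_key_unlocks() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Usage (as root): ./check.sh /etc/crypttab /etc/fstab /etc/keys/sda6.key
if [ "$#" -eq 3 ]; then
    check_crypttab "$1" && check_fstab "$2" && check_keyfile "$3" \
        && verify_key_unlocks /dev/sda6 "$3" && echo "layout OK"
fi
```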