Debian – Preseeding a Debian stable install with a complex partitioning scheme – missing physical volume

Tags: debian, disk-encryption, diskmanagement, encrypting-file-system, preseed

My personal systems run on:

  1. an open /boot partition,
  2. separately random-key-encrypted /tmp and swap partitions, and
  3. a password-encrypted btrfs LVM volume holding everything else.

My latest project is to use preseeding of the Debian installer to recreate that automatically. Below is what I've come up with. It fails with the error that the automated partitioning recipe contains the definition of a volume group that does not contain any physical volume.

There is woefully little documentation about the encryption case in particular – can someone figure out how to fix this setup?

Thank you for your time, Joh

d-i partman-auto/disk string /dev/sda
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/new_vg_name multiselect vg_crypto_swap, vg_crypto_tmp, \
  vg_crypto_root    
d-i partman-auto/expert_recipe string                         \
  joh-complex ::                                          \
          100 150 200 ext3                                \
                  $primary{ }                             \
                  $bootable{ }                            \
                  label{ boot_nocrypto }                  \
                  method{ format }                        \
                  format{ }                               \
                  use_filesystem{ }                       \
                  filesystem{ ext4 }                      \
                  mountpoint{ /boot }                     \
                  options/discard{ discard }              \
                  options/relatime{ relatime }            \
                  device{ /dev/sda1 }                     \
          .                                               \
          1000 5000 5000 lvm                              \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda2 }                     \
                  vg_name{ vg_crypto_tmp }                \
          .                                               \
          1000 5000 5000 ext3                             \
                  $lvmok{ }                               \
                  method{ format }                        \
                  format{ }                               \
                  in_vg{ vg_crypto_tmp }                  \
                  lv_name{ tmp_crypto }                   \
                  use_filesystem{ }                       \
                  filesystem{ ext2 }                      \
                  mountpoint{ /tmp }                      \
                  options/relatime{ relatime }            \
                  options/noexec{ noexec }                \
          .                                               \
          100% 300% 300% lvm                              \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda3 }                     \
                  vg_name{ vg_crypto_swap }               \
          .                                               \
          100% 300% 300% linux-swap                       \
                  $lvmok{ }                               \
                  method{ swap }                          \
                  format{ }                               \
                  in_vg{ vg_crypto_swap }                 \
                  lv_name{ swap_crypto }                  \
          .                                               \
          1000 10000 1000000000 lvm                      \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda4 }                     \
                  vg_name{ vg_crypto_root }               \
          .                                               \
          1000 10000 1000000000 ext3                      \
                  $lvmok{ }                               \
                  method{ format }                        \
                  format{ }                               \
                  in_vg{ vg_crypto_root }                 \
                  lv_name{ root_crypto }                  \
                  use_filesystem{ }                       \
                  filesystem{ btrfs }                     \
                  mountpoint{ / }                         \
                  options/discard{ discard }              \
                  options/relatime{ relatime }            \
                  options/ssd{ ssd }                      \
          .                                               \

d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

Best Answer

I used the following recipe with great success to automate the creation of encrypted partitions on many user systems. This recipe assumes /dev/sda as the volume to use and uses xfs as the default filesystem (my preferred filesystem).

In addition, it uses a simplified partitioning scheme: a small /boot, ~50 GB for /, ~200% of RAM as swap (probably limit it to 64 GB if system RAM > 32 GB), and the rest of the available disk space as /home. If you want to create a more robust system, use separate partitions for /var, /usr, /tmp etc. For the logic behind using multiple partitions see: https://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.2

One thing to note is that, as far as I know, you need to use LVM to get encryption to work, or at least I didn't get it to work otherwise.

# Default filesystem for any recipe partition that does not name one
d-i partman/default_filesystem string xfs
d-i partman-auto/disk string /dev/sda
# Remove existing LVM and software-RAID metadata without prompting
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
# crypto = encrypted physical volume with LVM inside it; "crypt" is the single VG
d-i partman-auto/method string crypto
d-i partman-auto/choose_recipe select boot-crypto
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/expert_recipe string boot-crypto :: \
        1000 2000 3000 xfs $primary{ } $bootable{ } \
        method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } \
        mountpoint{ /boot } \
        .\
        45000 50000 55000 xfs $lvmok{ } lv_name{ root } \
        in_vg{ crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } mountpoint{ / } \
        .\
        100% 200% 300% linux-swap $lvmok{ } lv_name{ swap } \
        in_vg{ crypt } method{ swap } format{ } \
        .\
        3000 35000 1000000000 xfs $lvmok{ } lv_name{ home } \
        in_vg{ crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } mountpoint{ /home } \
        .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

Credit where credit is due, I got the idea in turn from: http://ptomusk.blogspot.com/2012/09/ubuntu-preseedcfg-with-encrypted-lvm.html