Linux crypto-root on loop-AES (partly) using debian-installer
First of all, crypto needs to be done using newt (“install”, not installgui). This is a known limitation of debian-installer and documented somewhere on the d-i website.
Secondly, when installing from something involving an iso image, d-i will load the wrong loop module. If that is your case, please make sure to read loop-aes “not supported by kernel”?.
Unfortunately, the debian-installer doesn’t want to let you encrypt your root with loop-aes even if you have an unencryped /boot
Once you have arrived at the partman-crypto screen and set up your crypto devices, the next thing you need to do is patch debian-installer to not bitch about having /
on loop-aes.
This can be done by modifying a file in /lib/partman/check.d/
and removing the check (thanks to fjp@#debian-boot for the pointer.)
If, after generating enough randomness, d-i fails with “An error has occured while configuring encrypted volumes”, check the article “loop-aes ‘not supported by kernel’”.
Otherwise, the install should now go through fine.
Finally you’ll want to chroot
into your new system, and come up with some loop-aes initramfs hooks so that your system will be bootable.
You can use those in the loop-aes-utils debian package source as a starting point:
apt-get source loop-aes-utils
tar xzvf *.tar.gz
cd util*
gunzip < ../*.diff.gz | patch -p1
grep -R debian initramfs
and execute the commented lines.
However, they are broken, so fix the bugs in these scripts!
You will also want to add a feature to these scripts so that it reads your key from a removable media.
Remember: the “key” in your encryption is your keyfile. The passphrase is just an additional blocker, but if your keyfile gets in the wrong hands, your security is more than halved! This means that you absolutely don’t want to keep the keyfile in the initrd (where it would be stored in plaintext).
Lastly you will probably want to regenerate your initrd so that the system becomes bootable:
mount proc proc -t proc
update-initramfs -k $(ls lib/modules) -u
umount proc
Confirm reboot in the debian-installer
Enjoy