
Installing encrypted root on debian stretch

This article is an update to an older tutorial that is getting a bit outdated: Setting up my server: re-installing on an encrypted LVM.

Debian stretch has new features that change the way the initramfs and the networking are configured. It took me a while to figure them out, so this may be useful to somebody else.

The initramfs configuration has changed, especially for the dropbear part. There is now a package, dropbear-initramfs, that enables dropbear only in the initramfs, and it requires almost no manual configuration. The only thing to do is to put the SSH public key in /etc/dropbear-initramfs/authorized_keys instead of directly in the initramfs files at /etc/initramfs-tools/root/.ssh/authorized_keys. One reason for that is that the root home directory in the initramfs is not /root anymore: it is randomly generated when running update-initramfs. I haven't checked why, but it's probably for security reasons.

It is very important to know that since stretch, Debian no longer uses eth0 as the default network interface name. It now uses a name generated from the MAC address, so that network interfaces have unique identifiers, as announced here. If you are installing the server and you don't have a remote console to check the name, the easiest is to use DHCP the first time, so that you can connect to the machine and read the name. Make sure you use that name in the kernel command line, otherwise you won't be able to ping your machine or unlock the encrypted filesystem. Also take care of the interface name in /etc/network/interfaces for the regular system boot.

In case of problems, you may have access to a serial console. It's easy to configure: just add console=ttyS0 to the kernel command line in /etc/default/grub if you use grub2. You may also want to configure grub itself to use the serial console: add GRUB_TERMINAL=serial to the same file, with optional parameters in the GRUB_SERIAL_COMMAND variable. If you don't see anything on the console, it's probably because the console is on the other port...

In my case, on the Intel Atom Avoton-based server from online.net, the network interface is called enp0s20 and the serial port of the console is ttyS1.
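As an added example (not part of the original post), here is a POSIX shell script that applies the steps above to a debootstrap target such as /target: it installs the unlock key where dropbear-initramfs expects it, builds a kernel command line that names the predictable interface and the serial port, and writes the grub settings. The interface name, the serial port and the 192.0.2.x addresses are assumed placeholders; check the interface name against /sys/class/net before committing it to the command line.

```shell
#!/bin/sh
# Added example: prepare a Debian stretch target for remote unlocking of the
# encrypted root with dropbear-initramfs. Interface name, serial port and the
# 192.0.2.x addresses below are constructed placeholders, not values from the post.
set -eu

# The predictable name must exist; a wrong name leaves the initramfs unreachable.
# $2 lets a test point at a fake /sys/class/net.
check_iface() {
    iface=$1; sysnet=${2:-/sys/class/net}
    [ -e "$sysnet/$iface" ]
}

# dropbear-initramfs reads its own authorized_keys; the initramfs root home dir
# is randomized on stretch, so /etc/initramfs-tools/root/.ssh is not used.
install_unlock_key() {
    target=$1; pubkey=$2
    dir="$target/etc/dropbear-initramfs"
    mkdir -p "$dir"
    printf '%s\n' "$pubkey" >> "$dir/authorized_keys"
    chmod 700 "$dir" && chmod 600 "$dir/authorized_keys"
}

# Kernel ip= syntax: client:server:gateway:netmask:hostname:device:autoconf.
# The device field carries the predictable name; console= selects the serial port.
kernel_cmdline() {
    iface=$1; addr=$2; gw=$3; mask=$4; serial=$5
    printf 'ip=%s::%s:%s::%s:off console=%s,115200n8' "$addr" "$gw" "$mask" "$iface" "$serial"
}

# Replace (or add) the three grub settings so the kernel and grub both use the serial port.
configure_grub() {
    target=$1; cmdline=$2; serial=$3
    f="$target/etc/default/grub"
    mkdir -p "$(dirname "$f")"; touch "$f"
    grep -vE '^(GRUB_CMDLINE_LINUX|GRUB_TERMINAL|GRUB_SERIAL_COMMAND)=' "$f" > "$f.new" || true
    unit=${serial#ttyS}   # ttyS1 -> grub serial unit 1
    {
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$cmdline"
        printf 'GRUB_TERMINAL=serial\n'
        printf 'GRUB_SERIAL_COMMAND="serial --unit=%s --speed=115200"\n' "$unit"
    } >> "$f.new"
    mv "$f.new" "$f"
}

# Usage: sh prepare-unlock.sh /target enp0s20 ttyS1 "$(cat id_ed25519.pub)"
if [ $# -eq 4 ]; then
    check_iface "$2" || { echo "no interface named $2 in /sys/class/net" >&2; exit 1; }
    install_unlock_key "$1" "$4"
    configure_grub "$1" "$(kernel_cmdline "$2" 192.0.2.10 192.0.2.1 255.255.255.0 "$3")" "$3"
    echo "now run: chroot $1 update-initramfs -u && chroot $1 update-grub"
fi
```

The script only edits files under the target; the initramfs and grub configuration are regenerated by the update-initramfs and update-grub calls it prints at the end.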


2 comments

me wrote, on Fri, 17 Feb 2017 16:07:39 +0100

Thank you!!! <3

vincent wrote, on Sun, 17 Jul 2022 14:14:52 +0200

An update for debian 11: nothing changed in the setup of the encrypted root and initramfs apparently.

A few useful commands for the debootstrap keys problem:
wget https://ftp-master.debian.org/keys/archive-key-11.asc
gpg --import --no-default-keyring --keyring ./debian-release-11.gpg archive-key-11.asc
debootstrap --arch amd64 --keyring=./debian-release-11.gpg bullseye /target http://mirrors.online.net/debian
