How to Do Encrypted Disk Partitioning for Debian 12
Introduction
Before we begin talking about how to do encrypted disk partitioning for Debian 12, let's briefly understand – What is disk partitioning?
Disk partitioning is the process of dividing a hard drive into distinct sections or partitions, each functioning as a separate storage unit. These partitions enhance organization, making it easier to manage data and install multiple operating systems on one device.
Disk partitioning optimizes storage space usage, enhances system performance, and allows for better data protection. By carefully allocating disk space, users can prevent data loss and improve computer efficiency.
In this tutorial, you will understand how to do encrypted disk partitioning for Debian 12. We will also address a few FAQs on how to do encrypted disk partitioning for Debian 12.
Things to Know Before Encrypting the Partitions for Debian 12
As of this writing, if you don't have a separate, unencrypted /boot and EFI partition, Debian 12 won't boot from an encrypted ROOT (/) partition. You need to build an encrypted SWAP partition, an unencrypted EFI boot partition, and an unencrypted /boot partition if you plan to install Debian 12 on a completely encrypted disk.
Encrypt Specific Partitions from the Debian 12 Installer
For the Debian 12 installation, we construct a standard disk partitioning configuration.
Assume that you wish to encrypt the partitions labeled /home (sda disk partition #3) and swap (sda disk partition #4).
Choose "Configure encrypted volumes" from the Manual disk partitioning window in order to set up the encrypted volumes from the Debian 12 installation.
After selecting "Yes", click "Continue".
After choosing "Create encrypted volumes", hit <Enter>.
Click "Continue" after selecting the partitions you wish to encrypt (in this case, sda3 and sda4).
One by one, you will need to set up the encryption for every partition you already chose.
At the top should be the disk (sda disk in this case) and partition number (partition #3 in this case) that you are encrypting.
Select "Encryption" and hit <Enter> to choose an encryption technique for the partition.
After choosing the encryption algorithm to be used for this partition, hit <Enter>. AES (Advanced Encryption Standard), Blowfish, Serpent, and Twofish are the encryption methods that are currently supported.
Choose the "Key size" option and hit <Enter> to choose a key size for the encrypted partition.
Press <Enter> after choosing your preferred encryption algorithm's key size from the list.
The encryption will be more secure the larger the key size. The time (or processing power) required to decrypt an encrypted file increases with the size of the key.
Choose the "IV algorithm" and hit <Enter> to choose an Initialization Vector (IV) algorithm for the encryption.
Press <Enter> after choosing your preferred initialization vector generating algorithm from the list.
Choose the desired encryption key type by selecting the "Encryption key" and pressing <Enter>.
Press <Enter> after choosing an encryption key type from the list.
Passphrase: If you want to use a password as the encryption key, choose this option. Every time you turn on your Debian 12 system, you will be prompted to provide it. The encrypted disks will be unlocked using the password.
Random Key: If you would like to utilize an encryption key that is created at random, select this option. When booting Debian 12, you won't be prompted to provide the encryption key. Rather, the encryption key will be produced at random and read from a secured file.
Toggle the "Erase data" switch to "yes" if you wish to remove every piece of data from the partition.
Press <Enter> after selecting "Erase data" to turn it on or off.
When you're finished, hit <Enter> after choosing "Done setting up the partition".
The encryption settings for the other partitions can be set up similarly.
Simply choose the encryption settings that you want for the partition, click "Done setting up the partition", then hit <Enter>.
After selecting "Finish", hit <Enter>.
The data on the partition (sda disk partition #3) that you chose for encryption will be prompted for deletion.
After choosing "Yes", click "Continue".
The data of the partition (sda disk partition #3) is currently being deleted in order to encrypt it. Depending on how big the partition is, it takes some time to finish.
One by one, you will be prompted to delete the contents from each partition you choose to encrypt.
Simply choose "Yes" and click "Continue" in the same manner as before.
The data of the partition (sda disk partition #4) is currently being deleted in order to encrypt it. Depending on how big the partition is, it takes some time to finish.
After the data on all of the partitions has been deleted, you will be prompted to provide an encryption passphrase for each partition you chose for encryption.
Click "Continue" after entering the encryption passphrase for the partition (in this case, sda disk partition #3).
Click "Continue" after entering the encryption passphrase for the partition (in this case, sda disk partition #4).
Encrypt the selected partitions.
It is possible that the encrypted partition's filesystem and mount point configuration will be lost. As a result, you must update the mount point and filesystem to reflect the encrypted disks.
Press <Enter> after selecting the encrypted partition to modify the filesystem and mount point.
The filesystem for this partition is chosen appropriately; the mount point is incorrect.
Thus, choose the "Mount point" and hit <Enter>.
Press <Enter> after choosing the encrypted partition's right mount location.
When you're finished, hit <Enter> after choosing "Done setting up the partition".
For the encrypted partition, the proper mount point needs to be specified.
Press <Enter> after choosing the second encrypted partition in the same manner.
The filesystem type for this partition needs to be modified because it was a swap partition.
After choosing "Use as", hit <Enter>.
After choosing "Swap area", hit <Enter>.
Select "Done setting up the partition" and press <Enter>.
Configuring an encrypted swap partition is necessary. You can now install Debian 12 on the disk and save the changes.
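The "Encryption key" choice made above matters after installation too. As an added example (not part of the original tutorial), the function below classifies entries in crypttab(5) format by key source and flags any volume keyed from /dev/urandom without the swap or tmp option, because such a volume receives a new key on every boot. The function names, the sample file, and the data_crypt entry are constructed for illustration.

```shell
#!/bin/sh
# Classify crypttab entries by how their key is supplied.
# Fields per crypttab(5): <target name> <source device> <key file> <options>

audit_crypttab() {
    # Reads crypttab text on stdin; prints "<target> <verdict>" per entry.
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        name = $1; key = $3; opts = "," $4 ","
        if (key == "" || key == "none" || key == "-") {
            verdict = "passphrase-at-boot"
        } else if (key == "/dev/urandom" || key == "/dev/random") {
            # Fresh key every boot: old contents become unreadable.
            if (opts ~ /,(swap|tmp)(=[^,]*)?,/)
                verdict = "ephemeral-key-ok"
            else
                verdict = "EPHEMERAL-KEY-ON-PERSISTENT-DATA"
        } else {
            verdict = "keyfile:" key
        }
        print name, verdict
    }'
}

# Constructed sample (not from a real system); the UUID is a placeholder.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks
sda4_crypt /dev/sda4 /dev/urandom cipher=aes-xts-plain64,size=256,swap
data_crypt /dev/sdb1 /dev/urandom cipher=aes-xts-plain64,size=256'

audit_sample() { printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab; }

audit_sample
# On an installed system: sudo cat /etc/crypttab | audit_crypttab
```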
Partition the Disks to Install Debian 12 on Fully Encrypted Disks
You must first create an EFI boot partition and a /boot partition on the disk in order to install Debian 12 on a completely encrypted drive. After that, you must use LVM to manage the encrypted disk and encrypt the remaining FREE SPACE. Lastly, you can use LVM to create encrypted partitions for the SWAP and ROOT, and then install Debian 12 on them.
To partition a disk manually, choose "Manual" and hit <Enter>.
Every disk that is installed on your computer will be visible to you.
Press <Enter> after selecting a disk to start a new partition table.
Select "Yes" and "Continue".
A new partition table will be made.
In order to generate a fresh partition on the drive, choose "FREE SPACE" and hit <Enter>.
Select “Create a new partition” and press <Enter>.
The EFI boot partition will be this. Enter "512 MB" as the partition size and press "Continue" after that.
After choosing "Beginning", hit <Enter>.
Press <Enter> after choosing "Done setting up the partition" and "EFI System Partition" as the filesystem type (Use as).
Creating an EFI boot partition is necessary.
Press <Enter> after choosing "FREE SPACE" to create a new partition.
Select “Create a new partition” and press <Enter>.
This partition will serve as the /boot partition. Enter "1 GB" as the partition size and press "Continue" after that.
Select “Beginning” and hit <Enter>.
Press <Enter> after choosing the "Ext4 journaling file system" as the filesystem type (Use as), choosing "Done setting up the partition", and selecting /boot as the filesystem's mount point.
A /boot partition should be created.
Press <Enter> after choosing "Configure encrypted volumes" to encrypt the remaining FREE SPACE.
Select “Yes” and then “Continue”.
Select “Create encrypted volumes” and hit <Enter>.
Select the remaining FREE SPACE and press on "Continue".
Press <Enter> after configuring the disk's encryption parameters and choose "Done setting up the partition".
Select "Yes" and hit "Continue".
Select "Finish" and press <Enter>.
Select "Yes" and then "Continue".
The partition's data is being deleted. Depending on the size of the partition, it takes some time to finish.
Enter an encryption passphrase and select "Continue" once the partition's data has been deleted.
An encrypted partition should be created. Choose "Configure the Logical Volume Manager" and hit <Enter> to set up LVM on the encrypted partition.
Select "Yes" and then "Continue".
Select "Create volume group" and hit <Enter>.
Type the name of the volume group and click on "Continue".
Click "Continue" after choosing the encrypted partition from the list.
Select "Yes" and then "Continue".
Select "Create logical volume" and hit <Enter>.
After choosing the volume group you previously created, hit <Enter>.
Click "Continue" after entering "ROOT" as the LVM logical volume name.
Click "Continue" after entering the size of the ROOT LVM logical volume.
You should establish an encrypted LVM logical volume called ROOT.
Press <Enter> after choosing "Create logical volume" to start a new partition.
After choosing the volume group you previously created, hit <Enter>.
Click "Continue" after entering "SWAP" as the LVM logical volume name.
Click "Continue" after entering a size for the SWAP LVM logical volume.
It is necessary to build an encrypted LVM logical volume SWAP.
After choosing "Finish", hit <Enter>.
The encrypted LVM logical volumes ROOT and SWAP should be created.
Select the encrypted LVM logical volume ROOT and hit <Enter>.
Press <Enter> after choosing the "Ext4 journaling file system" as the filesystem type (Use as), "/" as the filesystem's mount point, and "Done setting up the partition".
For the encrypted LVM logical volume ROOT, the proper filesystem and mount point need to be configured.
Press <Enter> after selecting the encrypted LVM logical volume SWAP.
Press <Enter> after choosing the filesystem type (Use as) as "Swap area", then selecting "Done setting up the partition".
You can now install Debian 12 on the disk and save the changes.
Save the Changes and Continue the Debian 12 Installation
After completing the required partitioning, save the modifications to the drive and proceed with the Debian 12 installation, regardless of whether you choose to encrypt individual partitions or install the operating system on a fully encrypted disk.
Choose "Finish partitioning", write the changes to the disk, then hit <Enter> to save the changes.
Select "Yes" and then "Continue".
The encrypted disk is undergoing the installation of Debian 12. It takes some time to finish.
Boot the Installed Debian 12 on Encrypted Partitions
You will be asked to input the disk's encryption passphrase when you start up Debian 12 after it has been installed on the encrypted disk.
After entering the encryption passphrase, hit <Enter>.
Debian 12 will start up normally.
Debian 12 is installed on encrypted volumes, as you can see.
lsblk
sudo cryptsetup status sda3_crypt
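To check the result of the two commands above mechanically, the following added example (not part of the original tutorial) walks the device stack in `lsblk -P` output and lists every mount point or swap area that does not sit on a dm-crypt device. /boot and /boot/efi are passed as allowed exceptions, matching the note earlier on this page; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Report mounted filesystems and swap that are NOT backed by a dm-crypt device.
# Input on stdin: output of  lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT

unencrypted_mounts() {
    # $1 = space-separated mount points that are allowed to stay unencrypted
    awk -v allow=" $1 " '
    function val(key,    s) {            # value of KEY="value" on this line
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = val("KNAME"); parent[k] = val("PKNAME")
        dtype[k] = val("TYPE"); mp[k] = val("MOUNTPOINT")
    }
    END {
        for (k in mp) {
            if (mp[k] == "" || index(allow, " " mp[k] " ")) continue
            enc = 0
            # Walk up the stack: logical volume -> crypt -> partition -> disk
            for (d = k; d != "" && !enc; d = parent[d])
                if (dtype[d] == "crypt") enc = 1
            if (!enc) print mp[k]
        }
    }' | LC_ALL=C sort
}

# Constructed sample: the full-disk layout (EFI, /boot, LUKS + LVM).
SAMPLE_OK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'
# Constructed counter-example: swap left on a plain partition.
SAMPLE_BAD='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT="/"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"'

check() { printf '%s\n' "$1" | unencrypted_mounts "/boot /boot/efi"; }
check "$SAMPLE_OK"     # nothing is reported for the encrypted layout
check "$SAMPLE_BAD"    # the plain swap partition is reported
```

On an installed system, pipe `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` into `unencrypted_mounts "/boot /boot/efi"`; empty output means everything outside the allowed list sits on an encrypted volume.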
FAQs on encrypted disk partitioning for Debian 12
How does encrypted disk partitioning work?
When you select encrypted disk partitioning during Debian 12 installation, the system creates an encrypted container on the specified partition. The container acts as a secure vault and stores all the data in an encrypted form. To access the data, you must provide the encryption key.
Is encrypted disk partitioning necessary?
While not mandatory, encrypted disk partitioning provides an extra layer of security. If your device contains sensitive or confidential information, encrypting your disk partitions is strongly recommended to protect your data from unauthorized access.
Can I encrypt specific partitions or the entire hard drive?
During Debian 12 installation, you can choose to encrypt specific partitions or the entire hard drive. It is possible to have a combination of encrypted and unencrypted partitions based on your requirements.
Will encrypted disk partitioning affect system performance?
Encrypting disk partitions can have a slight impact on system performance since it requires additional processing power for encryption and decryption. However, modern hardware is generally capable of handling this without noticeable performance degradation.
Can I change the encryption password/key later?
Yes, you can change the encryption password or key after the Debian 12 installation. Debian provides utilities to manage your encrypted partition, allowing you to change your password or key as needed.
Is it possible to recover data if I forget the encryption password/key?
No, if you forget the encryption password or lose the encryption key, it will be extremely difficult, if not impossible, to recover the encrypted data. This underscores the importance of keeping your encryption password or key in a secure location.
Can I resize encrypted disk partitions after installation?
Yes, it is possible to resize encrypted disk partitions after the Debian 12 installation. However, this process requires caution and should be done carefully to avoid data loss. Always remember to back up your data before modifying partitions.
Conclusion
We hope this tutorial helped you understand how to do Encrypted Disk Partitioning for Debian 12.
If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.