How to Do Encrypted Disk Partitioning for Debian 12

Introduction

Before we begin talking about how to do encrypted disk partitioning for Debian 12, let's briefly cover what disk partitioning is.

Disk partitioning is the process of dividing a hard drive into distinct sections or partitions, each functioning as a separate storage unit. These partitions enhance organization, making it easier to manage data and install multiple operating systems on one device.

Disk partitioning optimizes storage space usage, enhances system performance, and allows for better data protection. By carefully allocating disk space, users can prevent data loss and improve computer efficiency.

In this tutorial, you will understand how to do encrypted disk partitioning for Debian 12. We will also address a few FAQs on how to do encrypted disk partitioning for Debian 12.

Things to Know Before Encrypting the Partitions for Debian 12

As of this writing, Debian 12 won't boot from an encrypted ROOT (/) partition unless you have separate, unencrypted /boot and EFI partitions. If you plan to install Debian 12 on a completely encrypted disk, you need to create an unencrypted EFI boot partition, an unencrypted /boot partition, and an encrypted SWAP partition.

Encrypt Specific Partitions from the Debian 12 Installer

For this Debian 12 installation, we start from a standard disk partitioning layout.

Assume that you wish to encrypt the partitions labeled /home (sda disk partition #3) and swap (sda disk partition #4).

Encrypting and swapping the partition

Choose "Configure encrypted volumes" from the Manual disk partitioning window in order to set up the encrypted volumes from the Debian 12 installation.

Manual Disk Partitioning

After selecting "Yes", click "Continue".

Partition Disk

After choosing "Create encrypted volumes", hit <Enter>.

Create encrypted volumes

Click "Continue" after selecting the partitions you wish to encrypt (in this case, sda3 and sda4).

Selecting the devices to be encrypted

You will need to set up the encryption for each partition you selected, one at a time.

The disk (sda in this case) and partition number (partition #3 in this case) that you are encrypting should be shown at the top.

Select "Encryption" and hit <Enter> to choose an encryption technique for the partition.

Encryption method

After choosing the encryption algorithm to be used for this partition, hit <Enter>. AES (Advanced Encryption Standard), Blowfish, Serpent, and Twofish are the encryption methods that are currently supported.

Select Encryption Algorithm

Choose the "Key size" option and hit <Enter> to choose a key size for the encrypted partition.

Key Size

Press <Enter> after choosing your preferred encryption algorithm's key size from the list.

The larger the key size, the more secure the encryption. The time (or processing power) required to decrypt an encrypted file also increases with the size of the key.

Select Key Size

Choose the "IV algorithm" and hit <Enter> to choose an Initialization Vector (IV) algorithm for the encryption.

IV Algorithm

Press <Enter> after choosing your preferred initialization vector generating algorithm from the list.

Select IV Algorithm

Choose the desired encryption key type by selecting the "Encryption key" and pressing <Enter>.

Encryption Key

Press <Enter> after choosing an encryption key type from the list.

Passphrase: If you want to use a password as the encryption key, choose this option. Every time you turn on your Debian 12 system, you will be prompted to provide it. The encrypted disks will be unlocked using the password.

Random Key: If you would like to utilize an encryption key that is created at random, select this option. When booting Debian 12, you won't be prompted to provide the encryption key. Rather, the encryption key will be produced at random and read from a secured file.

Select Encryption Key

Toggle the "Erase data" switch to "yes" if you wish to remove every piece of data from the partition.

Press <Enter> after selecting "Erase data" to turn it on or off.

Erase data

When you're finished, hit <Enter> after choosing "Done setting up the partition".

Bootable Flag

The encryption settings for the other partitions can be set up similarly.

Simply choose the encryption settings that you want for the partition, click "Done setting up the partition", then hit <Enter>.

Done setting up

After selecting "Finish", hit <Enter>.

Finish

You will be prompted to confirm erasing the data on the partition (sda disk partition #3) that you chose for encryption.

After choosing "Yes", click "Continue".

Erasing the partition (sda disk partition #3)

The data of the partition (sda disk partition #3) is currently being deleted in order to encrypt it. Depending on how big the partition is, it takes some time to finish.

The data of the partition (sda disk partition #3) to be encrypted is being erased.

You will be prompted, one partition at a time, to erase the contents of each partition you chose to encrypt.

Simply choose "Yes" and click "Continue" in the same manner as before.

Erasing the partition (sda disk partition #4)

The data of the partition (sda disk partition #4) is currently being deleted in order to encrypt it. Depending on how big the partition is, it takes some time to finish.

The data of the partition (sda disk partition #4) to be encrypted is being erased.

After the data on all of the partitions has been erased, you will be prompted to provide an encryption passphrase for each partition you chose to encrypt.

Click "Continue" after entering the encryption passphrase for the partition (in this case, sda disk partition #3).

Passphrase to encrypt, partition #3 (sda)

Click "Continue" after entering the encryption passphrase for the partition (in this case, sda disk partition #4).

Passphrase to encrypt, partition #4 (sda)

Encrypt the selected partitions.

The selected partitions should be encrypted.

It is possible that the encrypted partition's filesystem and mount point configuration will be lost. As a result, you must update the mount point and filesystem to reflect the encrypted disks.

Press <Enter> after selecting the encrypted partition to modify the filesystem and mount point.

Reconfiguring File System

The filesystem for this partition is already set correctly, but the mount point is not.

So, choose "Mount point" and hit <Enter>.

Reconfigure Mount point

Choose the correct mount point for the encrypted partition and press <Enter>.

Reconfiguring Mount point

When you're finished, hit <Enter> after choosing "Done setting up the partition".

Done setting up the partition

The correct mount point should now be set for the encrypted partition.

Encrypted Volume(sda3_crypt)

Press <Enter> after choosing the second encrypted partition in the same manner.

Reconfiguring File System

The filesystem type for this partition needs to be modified because it was a swap partition.

After choosing "Use as", hit <Enter>.

Use as

After choosing "Swap area", hit <Enter>.

Swap area

Select "Done setting up the partition" and press <Enter>.

Done setting up

An encrypted swap partition should now be configured. You can now save the changes and install Debian 12 on the disk.

Encrypted Volume(sda4_crypt)

Partition the Disks to Install Debian 12 on Fully Encrypted Disks

You must first create an EFI boot partition and a /boot partition on the disk in order to install Debian 12 on a completely encrypted drive. After that, you must use LVM to manage the encrypted disk and encrypt the remaining FREE SPACE. Lastly, you can use LVM to create encrypted partitions for the SWAP and ROOT, and then install Debian 12 on them.

To partition a disk manually, choose "Manual" and hit <Enter>.

Manual Disk Partitioning

Every disk that is installed on your computer will be visible to you.

Select a disk and press <Enter> to create a new partition table.

Select to create a new partition table on a disk

Select "Yes" and "Continue".

A new partition table will be created.

To create a new partition on the drive, choose "FREE SPACE" and hit <Enter>.

Create a new partition table on a disk

Select “Create a new partition” and press <Enter>.

This will be the EFI boot partition. Enter "512 MB" as the partition size and press "Continue".

Partition Size

After choosing "Beginning", hit <Enter>.

Location for new partition

Choose "EFI System Partition" as the filesystem type (Use as), select "Done setting up the partition", and press <Enter>.

EFI System Partition

An EFI boot partition should be created.

Press <Enter> after choosing "FREE SPACE" to create a new partition.

Select “Create a new partition” and press <Enter>.

Create new partition

This partition will serve as /boot. Enter "1 GB" as the partition size and press "Continue".

Partition Size

Select “Beginning” and hit <Enter>.

Location for new partition

Choose "Ext4 journaling file system" as the filesystem type (Use as) and /boot as the filesystem's mount point, then select "Done setting up the partition" and press <Enter>.

Reconfiguration

A /boot partition should be created.

Boot Partition

Press <Enter> after choosing "Configure encrypted volumes" to encrypt the remaining FREE SPACE.

Configure encrypted volumes

Select “Yes” and then “Continue”.

EFI System Partition

Select “Create encrypted volumes” and hit <Enter>.

Done setting up the partition

Select the remaining FREE SPACE and press "Continue".

Configure the disk's encryption parameters, choose "Done setting up the partition", and press <Enter>.

Done setting up the partition

Select "Yes" and hit "Continue".

Select "Finish" and press <Enter>.

Select "Yes" and then "Continue".

The partition's data is being deleted. Depending on the size of the partition, it takes some time to finish.

Erasing Data, partition #3(sda)

Enter an encryption passphrase and select "Continue" once the partition's data has been erased.

Passphrase to encrypt

An encrypted partition should be created. Choose "Configure the Logical Volume Manager" and hit <Enter> to set up LVM on the encrypted partition.

Configure the Logical Volume Manager

Select "Yes" and then "Continue".

Select "Create volume group" and hit <Enter>.

Volume Group

Type the name of the volume group and click on "Continue".

Create volume group name

Click "Continue" after choosing the encrypted partition from the list.

Select "Yes" and then "Continue".

Select "Create logical volume" and hit <Enter>.

After choosing the volume group you previously created, hit <Enter>.

Click "Continue" after entering "ROOT" as the LVM logical volume name.

Click "Continue" after entering the size of the ROOT LVM logical volume.

An encrypted LVM logical volume called ROOT should be created.

Choose "Create logical volume" and press <Enter> to create another logical volume.

After choosing the volume group you previously created, hit <Enter>.

Click "Continue" after entering "SWAP" as the LVM logical volume name.

Click "Continue" after entering a size for the SWAP LVM logical volume.

An encrypted LVM logical volume called SWAP should be created.

After choosing "Finish", hit <Enter>.

The encrypted LVM logical volumes ROOT and SWAP should be created.

Select the encrypted LVM logical volume ROOT and hit <Enter>.

Choose "Ext4 journaling file system" as the filesystem type (Use as) and "/" as the filesystem's mount point, then select "Done setting up the partition" and press <Enter>.

The proper filesystem and mount point should now be configured for the encrypted LVM logical volume ROOT.

Select the encrypted LVM logical volume SWAP and press <Enter>.

Choose "Swap area" as the filesystem type (Use as), then select "Done setting up the partition" and press <Enter>.

The encrypted LVM logical volume SWAP should now be configured. You can now save the changes and install Debian 12 on the disk.

Save the Changes and Continue the Debian 12 Installation

After completing the required partitioning, save the modifications to the drive and proceed with the Debian 12 installation, regardless of whether you choose to encrypt individual partitions or install the operating system on a fully encrypted disk.

Choose "Finish partitioning and write changes to disk" and hit <Enter> to save the changes.

Select "Yes" and then "Continue".

Debian 12 is now being installed on the encrypted disk. It takes some time to finish.

Installing Base System

Boot the Installed Debian 12 on Encrypted Partitions

You will be asked to input the disk's encryption passphrase when you start up Debian 12 after it has been installed on the encrypted disk.

After entering the encryption passphrase, hit <Enter>.

Debian 12 will start up normally.

Debian 12 is installed on encrypted volumes, as you can see.

lsblk
sudo cryptsetup status sda3_crypt
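
To check the resulting layout without reading the lsblk tree by eye, the following shell sketch (an added example, not part of the original tutorial) walks each mounted device's parent chain and reports every mountpoint that has no dm-crypt layer beneath it. The embedded lsblk output and the device names dm-0, dm-1, dm-2 and sda4 are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that only /boot and /boot/efi sit outside dm-crypt.
# Live use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | check_layout

# Constructed sample: the full-disk layout from this tutorial (names assumed).
SAMPLE_OK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'

# Constructed sample: same disk, but swap was left on a plain partition.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" |
  sed 's/KNAME="dm-2" PKNAME="dm-0" TYPE="lvm"/KNAME="sda4" PKNAME="sda" TYPE="part"/')

# Print every mountpoint whose device chain contains no "crypt" layer.
unencrypted_mounts() {
  awk '
    function val(key,   s) {          # extract the value of key="..."
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    { k = val("KNAME"); order[++n] = k
      parent[k] = val("PKNAME"); type[k] = val("TYPE"); mnt[k] = val("MOUNTPOINT") }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]; if (mnt[k] == "") continue
        enc = 0                       # walk up: lvm -> crypt -> part -> disk
        for (d = k; d != ""; d = parent[d]) if (type[d] == "crypt") enc = 1
        if (!enc) print mnt[k]
      }
    }'
}

# Succeed only if nothing except /boot and /boot/efi is unencrypted.
check_layout() {
  bad=$(unencrypted_mounts | grep -vxE '/boot|/boot/efi' || true)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/NOT ENCRYPTED: /'
  return 1
}

printf '%s\n' "$SAMPLE_OK"  | check_layout && echo "sample 1: layout OK"
printf '%s\n' "$SAMPLE_BAD" | check_layout || echo "sample 2: layout FAILED"
```

If you encrypted only specific partitions, such as /home and swap, the check will also list "/" as unencrypted, which is expected for that layout.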

FAQs on Encrypted Disk Partitioning for Debian 12

How does encrypted disk partitioning work?

When you select encrypted disk partitioning during Debian 12 installation, the system creates an encrypted container on the specified partition. The container acts as a secure vault and stores all the data in an encrypted form. To access the data, you must provide the encryption key.

Is encrypted disk partitioning necessary?

While not mandatory, encrypted disk partitioning provides an extra layer of security. If your device contains sensitive or confidential information, encrypting your disk partitions is strongly recommended to protect your data from unauthorized access.

Can I encrypt specific partitions or the entire hard drive?

During Debian 12 installation, you can choose to encrypt specific partitions or the entire hard drive. It is possible to have a combination of encrypted and unencrypted partitions based on your requirements.

Will encrypted disk partitioning affect system performance?

Encrypting disk partitions can have a slight impact on system performance since it requires additional processing power for encryption and decryption. However, modern hardware is generally capable of handling this without noticeable performance degradation.

Can I change the encryption password/key later?

Yes, you can change the encryption password or key after the Debian 12 installation. Debian provides utilities to manage your encrypted partition, allowing you to change your password or key as needed.

Is it possible to recover data if I forget the encryption password/key?

No, if you forget the encryption password or lose the encryption key, it will be extremely difficult, if not impossible, to recover the encrypted data. This underscores the importance of keeping your encryption password or key in a secure location.

Can I resize encrypted disk partitions after installation?

Yes, it is possible to resize encrypted disk partitions after the Debian 12 installation. However, this process requires caution and should be done carefully to avoid data loss. Always remember to back up your data before modifying partitions.

Conclusion

We hope this tutorial helped you understand how to do Encrypted Disk Partitioning for Debian 12.
