Encrypted Persistent Filesystem in Live Debian

2019-12-09

Enabling cryptsetup integration in Debian live-build is not as simple as it looks.

In the past few months, I really struggled to get my persistent storage encrypted. Every time I rebuilt my system and tested it, a "dm-crypt module missing" error popped up during boot-up. Finally, I was able to make it work. Here's how I fixed it.

Initially, I assumed that including these packages would be enough to make the LUKS integration work.

cryptsetup
cryptsetup-run
cryptsetup-bin
cryptsetup-initramfs

Installing cryptsetup is what the live-build manual on the Debian site indicates. I also included cryptsetup-initramfs, since it is probably required: having the crypto modules in the initramfs is a must, because the volumes are decrypted at an early stage of boot-up.

Unfortunately, once you build the image and test it, it does not work.

After testing for several months, I decided to check the documentation of cryptsetup-initramfs and the hooks that run during the chroot build. Upon checking, I noticed these two configuration entries.

root@debian:~# find /etc -name '*cryptsetup*'
/etc/cryptsetup-initramfs
/etc/initramfs-tools/conf.d/cryptsetup

The /etc/initramfs-tools/conf.d/cryptsetup file was generated by the 0030 hook. It seemed fine, but the /etc/cryptsetup-initramfs directory caught my attention. Upon checking, it holds a separate configuration file covering the same settings as cryptsetup, but the CRYPTSETUP variable was not set there.

root@debian:~# cat /etc/cryptsetup-initramfs/conf-hook
#
# Configuration file for the cryptroot initramfs hook.
#

#
# CRYPTSETUP: [ y | n ]
#
# Add cryptsetup and its dependencies to the initramfs image, regardless
# of _this_ machine configuration.  By default, they're only added when
# a device is detected that needs to be unlocked at initramfs stage
# (such as root or resume devices or ones with explicit 'initramfs' flag
# in /etc/crypttab).
# Note: Honoring this setting will be deprecated in the future.  Please
# uninstall the 'cryptsetup-initramfs' package if you don't want the
# cryptsetup initramfs integration.
#

# CRYPTSETUP=

Since I had nothing more to lose, I set the cryptsetup-initramfs option by overwriting the configuration file via includes.chroot. I made sure that CRYPTSETUP=y is in the file.

I proceeded to rebuild it again, and noticed that the weird cryptsetup error during the initramfs compilation was gone. Seems good, right?

I downloaded the new image, burned it to my flash drive, set up the persistence storage, then booted. Guess what? cryptsetup prompted me for my LUKS passphrase. It finally worked!

Findings:

If you are planning to use encrypted persistent storage, always enable CRYPTSETUP in the cryptsetup-initramfs settings. It will make your life easier. You can enable it via hooks, or overwrite it with your own file in includes.chroot. I just use the includes.chroot option, to reduce clutter in my hooks.

Here's the path to use for reference:

config/includes.chroot/etc/cryptsetup-initramfs/conf-hook
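As an added example (not code from the original post): a small POSIX shell helper that writes the includes.chroot overlay described above, checks a conf-hook the same way the hook consumes it (it is sourced as a shell fragment, so a commented-out "# CRYPTSETUP=" counts as unset), and inspects a finished initramfs for the cryptsetup binary and the dm-crypt module. The live-build config directory and the initramfs path are assumptions passed as arguments; lsinitramfs comes with initramfs-tools.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes $1 is the root of a
# live-build config tree (hypothetical path) and that lsinitramfs exists.

# Overlay file relative to the live-build config directory.
CONF_HOOK_REL="config/includes.chroot/etc/cryptsetup-initramfs/conf-hook"

# Write the overlay so the chroot ends up with CRYPTSETUP=y.
# Prints the path of the file it wrote.
write_conf_hook() {
    build_dir="$1"
    target="$build_dir/$CONF_HOOK_REL"
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
# Overlay installed through live-build's config/includes.chroot.
# Force cryptsetup into the initramfs even though the build chroot has no
# encrypted root; the live image needs it to unlock the persistent volume.
CRYPTSETUP=y
EOF
    printf '%s\n' "$target"
}

# Return 0 if the given conf-hook sets CRYPTSETUP=y, 1 otherwise.
# The file is sourced in a subshell, mirroring how the hook reads it, so
# comments and quoting are handled exactly as they would be at build time.
conf_hook_enabled() {
    ( CRYPTSETUP=; . "$1"; [ "$CRYPTSETUP" = "y" ] )
}

# Return 0 if a built initramfs carries both the cryptsetup binary and the
# dm-crypt kernel module (the two pieces whose absence the post describes).
initramfs_has_cryptsetup() {
    listing="$(lsinitramfs "$1")" || return 1
    printf '%s\n' "$listing" | grep -Eq '(^|/)cryptsetup$' &&
    printf '%s\n' "$listing" | grep -Eq 'dm-crypt\.ko'
}
```

Run write_conf_hook against your live-build directory before lb build, and initramfs_has_cryptsetup against the generated initrd to confirm the module actually made it in.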


© moe.ph Copyright 2020. All Rights Reserved.