2023-09-06 19:23:39 -04:00

<!--
Title: How to install LUKS-encrypted Debian operating system using bootable installer
Description: Learn how to install LUKS-encrypted Debian operating system using bootable installer.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Reviewers:
Publication date: 2022-03-20T14:16:12.705Z
Listed: true
Pinned:
-->
# How to install LUKS-encrypted Debian operating system using bootable installer
## Requirements
- Debian-compatible computer with [AES instruction set](https://en.wikipedia.org/wiki/AES_instruction_set)
- Debian bootable installer (learn how to create one on Debian-based operating system [here](../how-to-create-debian-bootable-installer-on-debian-based-operating-system) or on macOS [there](../how-to-create-debian-bootable-installer-on-macos))
## Guide
### Step 1: insert bootable installer
### Step 2: disable [Compatibility Support Module (CSM)](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#CSM_booting) (also known as “Legacy Support”) and enable [Secure Boot](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot)
> Heads-up: this step varies by computer as manufacturers use different keys to enter BIOS and different menus to set [UEFI](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) features.

> Heads-up: on some computers, a “Fast Boot” feature is enabled, making it hard to enter BIOS… disconnecting disk temporarily disables “Fast Boot”.

On HP EliteDesk 800 G2 Mini, press <kbd>F10</kbd> when HP logo appears, go to “Advanced” tab, select “Secure Boot Configuration”, press <kbd>enter</kbd>, select “Legacy Support Disable and Secure Boot Enable” under “Configure Legacy Support and Secure Boot”, press <kbd>F10</kbd>, when asked to save changes, select “Yes” and, finally, press <kbd>enter</kbd>.
### Step 3: boot to bootable installer
> Heads-up: this step varies by computer as manufacturers use different BIOS keys and default boot orders.

On HP EliteDesk 800 G2 Mini, press <kbd>F9</kbd> when HP logo appears, select bootable installer device and, finally, press <kbd>enter</kbd>.
### Step 4: start installation
Select “Install” and press <kbd>enter</kbd>.
### Step 5: select language
Select language and press <kbd>enter</kbd>.
### Step 6: select location
Select country, territory or area and press <kbd>enter</kbd>.
### Step 7: configure keyboard
Select keymap and press <kbd>enter</kbd>.
### Step 8: configure network
#### Set hostname
Enter hostname and press <kbd>enter</kbd>.
#### Set domain
Enter domain (typically left blank) and press <kbd>enter</kbd>.
### Step 9: set up users and passwords
#### Set root password
> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.

Enter root password, press <kbd>enter</kbd>, re-enter password and, finally, press <kbd>enter</kbd>.
#### Set full name of new user
Enter full name of new user and press <kbd>enter</kbd>.
#### Set username of new user
Enter account username (typically left as-is) and press <kbd>enter</kbd>.
#### Set password of new user
> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.

Enter user password, press <kbd>enter</kbd>, re-enter password and, finally, press <kbd>enter</kbd>.
### Step 10: configure clock
Select time zone and press <kbd>enter</kbd>.
### Step 11: partition disks
#### Set partitioning method
Select “Guided - use entire disk and set up encrypted LVM” and press <kbd>enter</kbd>.
#### Set disk to partition
> Heads-up: data on selected device will be permanently destroyed.

Select device and press <kbd>enter</kbd>.
#### Set partitioning scheme
Select “All files in one partition (recommended for new users)” and press <kbd>enter</kbd>.

When asked to write changes to disk, select “Yes” and, finally, press <kbd>enter</kbd>.
#### Overwrite encrypted partition
> Heads-up: can be cancelled at the expense of slightly weaker encryption.
#### Set encryption passphrase
> Heads-up: truly random 5-word passphrase or 12-character password (or longer) recommended.

> Heads-up: can be set to user password at the expense of reduction in security.

Enter encryption passphrase, press <kbd>enter</kbd>, re-enter passphrase and, finally, press <kbd>enter</kbd>.
#### Set volume group size
Enter amount (typically left as-is) and press <kbd>enter</kbd>.
#### Delete “swap” logical volume
Select “Configure the Logical Volume Manager” and press <kbd>enter</kbd>.

When asked to write changes to disk, select “Yes” and press <kbd>enter</kbd>.

Select “Delete logical volume”, press <kbd>enter</kbd>, select “root” and, finally, press <kbd>enter</kbd>.

Select “Delete logical volume”, press <kbd>enter</kbd>, select “swap_1” and, finally, press <kbd>enter</kbd>.

Select “Create logical volume”, press <kbd>enter</kbd>, select volume group, press <kbd>enter</kbd>, enter “root” as “Logical volume name”, press <kbd>enter</kbd>, enter “Logical volume size” (typically left as-is) and, finally, press <kbd>enter</kbd>.

Select “Finish” and press <kbd>enter</kbd>.

Select “LVM” logical volume “#1”, press <kbd>enter</kbd>, select “Use as”, press <kbd>enter</kbd>, select “Ext4 journaling file system”, press <kbd>enter</kbd>, select “Mount point”, press <kbd>enter</kbd>, select “/ - the root file system”, press <kbd>enter</kbd>, select “Done setting up the partition” and, finally, press <kbd>enter</kbd>.

![Partitions](./partitions.png)

Select “Finish partitioning and write changes to disk” and press <kbd>enter</kbd>.

When “Do you want to return to the partitioning menu?” warning is displayed, select “No” and, finally, press <kbd>enter</kbd>.

When “Write the changes to disks” prompt is displayed, select “Yes” and, finally, press <kbd>enter</kbd>.
### Step 12: configure package manager
#### Set archive mirror country
Select Debian archive mirror country and press <kbd>enter</kbd>.
#### Set archive mirror
Select Debian archive mirror and press <kbd>enter</kbd>.
#### Set proxy
Enter HTTP proxy (typically left blank) and press <kbd>enter</kbd>.
### Step 13: configure popularity-contest
Select “No” and press <kbd>enter</kbd>.
### Step 14: select software
![Software selection](./software-selection.png)

Using <kbd>space bar</kbd>, disable everything except “SSH server”, select “SSH server” and, finally, press <kbd>enter</kbd>.
### Step 15: finish installation
Remove bootable installer from computer and press <kbd>enter</kbd>.
👍
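
After first boot, the result of the requirements, step 2 and step 11 can be checked from a shell. The script below is an added example, not part of the original guide: it assumes an x86 `/proc/cpuinfo` layout and that `mokutil` is installed, and the device names in its sample are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): post-install checks for the layout the
# steps above produce. Each check reads a file, so it runs on live or saved data.

# Requirements: CPU exposes the AES instruction set ("aes" in /proc/cpuinfo flags).
has_aes() { grep -Eq '^flags[[:space:]]*:.* aes( |$)' "$1"; }

# Step 2: $1 holds the output of `mokutil --sb-state`.
secure_boot_enabled() { grep -q '^SecureBoot enabled' "$1"; }

# Step 11: $1 holds `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output. Expect
# partition (crypto_LUKS) -> crypt mapping (LVM2_member) -> lvm mounted at "/".
root_on_luks_lvm() {
  awk '
    /(^| )TYPE="part"/  && /FSTYPE="crypto_LUKS"/ { luks = 1 }
    /(^| )TYPE="crypt"/ && /FSTYPE="LVM2_member"/ { pv = 1 }
    /(^| )TYPE="lvm"/   && /MOUNTPOINT="\/"/      { root = 1 }
    END { exit !(luks && pv && root) }
  ' "$1"
}

# Step 11: "swap_1" was deleted, so no swap signature may remain ($1 = lsblk
# output) and /proc/swaps ($2) must contain nothing but its header line.
no_swap() {
  ! grep -q 'FSTYPE="swap"' "$1" && [ "$(wc -l < "$2")" -le 1 ]
}

# Constructed sample of the expected lsblk output (device names are assumptions).
sample_lsblk() {
  cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda3_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="debian--vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
EOF
}

# Live run on the installed system: sh check.sh live
if [ "${1:-}" = live ]; then
  t=$(mktemp -d); trap 'rm -rf "$t"' EXIT
  lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT > "$t/lsblk"; mokutil --sb-state > "$t/sb" 2>&1
  has_aes /proc/cpuinfo          || echo "FAIL: no AES flag"
  secure_boot_enabled "$t/sb"    || echo "FAIL: Secure Boot not enabled"
  root_on_luks_lvm "$t/lsblk"    || echo "FAIL: / is not LVM on LUKS"
  no_swap "$t/lsblk" /proc/swaps || echo "FAIL: swap still present"
fi
```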