Boot from a pendrive with an autonomous Debian on it. This can be done following some instructions I left earlier over here.
This is the main difference (apart from not using LVM, and using the partition table) from the tutorial found here.
In there, another installation of Debian is needed beforehand on the same drive.

apt-get install loop-aes-utils loop-aes-testsuite module-assistant
module-assistant prepare
m-a a-i loop-aes

Statically-linked gpg
apt-get install devscripts gpm
apt-get build-dep gnupg
apt-get clean
gpg --gen-key
mkdir -p builds/gnupg
cd builds/gnupg
apt-get source gnupg
The official loop-AES README at this point explains how to copy the unencrypted partition into the encrypted partition on the fly using aespipe. As we are going to reinstall everything, we do not need that. But first we wipe the entire hard drive with random-looking data:
dd if=/dev/urandom of=/dev/sda bs=8225280 count=30401
The block size (bs=) and the count (count=) can be taken from an fdisk call: the block size is the size of one cylinder in bytes, and the count is the number of cylinders:
# fdisk -l /dev/sda | head -4
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
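As an added check (this script is not part of the original post), the following parses the fdisk output quoted above and computes what the cylinder-sized dd actually covers: a whole number of cylinders rarely equals the disk size, and with these numbers the last 2,612,736 bytes of /dev/sda are never overwritten, so a second dd that seeks past the covered region is needed to wipe the tail too. The function names (parse_fdisk, wipe_coverage, tail_wipe_cmd) are my own; the sample input is the post's fdisk output, embedded as a constructed string.

```shell
#!/bin/sh
# Constructed input: the three fdisk -l lines quoted in the post (not read from a live disk).
FDISK_SAMPLE='Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes'

# Read fdisk -l output on stdin; print "<disk bytes> <cylinders> <bytes per cylinder>".
parse_fdisk() {
    awk '
        /^Disk \//            { for (i = 1; i < NF; i++) if ($(i + 1) == "bytes") total = $i }
        / cylinders$/         { cyl = $(NF - 1) }
        /^Units = cylinders/  { bpc = $(NF - 1) }
        END                   { print total, cyl, bpc }
    '
}

# Given "<disk bytes> <cylinders> <bytes per cylinder>", print how many bytes the
# post's dd (bs=<bytes per cylinder> count=<cylinders>) writes and how many it leaves untouched.
wipe_coverage() {
    covered=$(( $2 * $3 ))
    echo "$covered $(( $1 - covered ))"
}

# dd invocation that overwrites the skipped tail: seek past the covered bytes in
# 512-byte sectors and run to the end of the device (no count=). Arguments: device, covered bytes.
tail_wipe_cmd() {
    echo "dd if=/dev/urandom of=$1 bs=512 seek=$(( $2 / 512 ))"
}

# Demonstration on the constructed sample.
fields=$(printf '%s\n' "$FDISK_SAMPLE" | parse_fdisk)
cov=$(wipe_coverage $fields)
echo "cylinder-aligned dd writes ${cov% *} bytes and leaves ${cov#* } bytes at the end of /dev/sda untouched"
echo "finish with: $(tail_wipe_cmd /dev/sda "${cov% *}")"
```

On a real disk, feed `fdisk -l /dev/sda` into parse_fdisk instead of the sample; a simpler alternative that never misses the tail is a single `dd if=/dev/urandom of=/dev/sda bs=1M` without count=, which runs until the device reports end of medium.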
Launch fdisk and create the root partition now, unless you want to use the entire drive as the root partition, without any partition table whatsoever.
Create the gpg-encrypted key file for the root device (65 random keys, as described in the loop-AES README):

head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
    | gpg --symmetric -a > /boot/keyfile.gpg
It takes quite a lot of mouse/keyboard movement to fill the kernel entropy pool so that /dev/random gives the number of random bytes needed for this, so wiggle the mouse around and type in another tty if possible.
It is convenient to store a copy of this file on another pendrive or anywhere else, just in case the original pendrive breaks.
losetup -e AES256 -K /boot/keyfile.gpg /dev/loop1 /dev/sda2   # root partition (/dev/sda2 here, as in the fstab line below); you are asked for the gpg passphrase
mkfs.ext2 /dev/loop1   # or whatever fs you like
mount /dev/loop1 /mnt
Now we debootstrap Debian into the /mnt/ directory:
debootstrap --arch i386 squeeze /mnt http://ftp.fi.debian.org/debian

Chroot into the directory and change some indispensable things:
mount -o bind /dev/ /mnt/dev
mount -o bind /proc/ /mnt/proc
mount -o bind /sys/ /mnt/sys
chroot /mnt
apt-get install loop-aes-utils
passwd root
# without loop-aes-utils the root filesystem will not be remounted
# without a root password you're not going to be able to reboot :)
# install here any driver/etc you need to have networking later on if needed
exit
umount /mnt/dev /mnt/proc /mnt/sys
umount /mnt
Add a line to /etc/fstab _of the pendrive_ (not on the actual / root partition), stating the loop-AES options for the root device:
/dev/sda2 / ext2 loop=/dev/loop1,encryption=AES256,gpgkey=/boot/keyfile.gpg 0 1

Back up your old initrd:
cp /boot/initramfs.img* /boot/initramfs.img.pendrive

This will allow you to boot the pendrive again with its own Debian. Otherwise, the new initrd on the pendrive will try to loop-AES-decrypt the root partition and the pendrive's Debian will never load properly.
Update grub and the initramfs as follows:
update-grub
update-initramfs -t -u -k `uname -r`
As the pendrive already had a working grub on it, you only need to specify the new parameters on the grub command line:
root (hd0,1)
linux /boot/vmlinuz-*whichever-version-you-have* root=/dev/*encrypted-root-device*
initrd /boot/initrd.img-*whichever-version-you-have*
boot

Simple, huh? I leave it as an exercise for the reader to reconfigure the grub menu so you have two pretty entries, one for the 'autonomous usb key' and one for the new filesystem.