This manual provides a step-by-step guide for resizing a root partition, creating a new partition for /boot, and encrypting the root partition on a Debian-based system. The procedure assumes a 100GB drive (/dev/vda) and is intended for users who want to secure their system by encrypting the root partition while keeping /boot on a separate, unencrypted partition.
By following this guide, you will shrink the existing root partition, allocate a new partition for /boot, and configure the system to boot from an encrypted root partition. Proper configuration of /etc/fstab and /etc/crypttab, along with updating initramfs and GRUB, will ensure a smooth boot process and secure system operation.
Please note that this can damage your VPS's files. Only perform these steps on a clean installation so as not to lose any data.
- Boot the VPS in rescue mode.
- Shrink the root partition.
- Create a new partition for /boot.
- Encrypt the root partition.
Step 1: Boot the VPS in rescue mode:
1. Shut down your VPS and boot into Rescue Mode.
2. Open the Video Display for your VPS.
3. Wait for 20 seconds after booting the rescue disk, or select "Boot SystemRescue using default options".
4. After the rescue disk has finished booting, we advise adding your IP address to the firewall and changing the root password so that you can SSH into the rescue disk OS.
[root@sysrescue ~]# iptables -I INPUT -s [your IPv4 address]/32 -p tcp --dport 22 -j ACCEPT
[root@sysrescue ~]# passwd root
After this, SSH into the VPS, logging in using the root password you've just set up.
Step 2: Shrink the root partition.
After connecting to the VPS rescue disk using SSH, check and repair the root filesystem.
e2fsck -f /dev/vda1
Shrink the filesystem within the partition. For example, to shrink the root filesystem to 95GiB:
resize2fs /dev/vda1 95G
Next, shrink the partition:
parted /dev/vda resizepart 1 104G
Please note that this is 104 Gibibytes, not Gigabytes. As we're using a 100GB drive for this example, that is equal to around 107GiB. Lowering the size of the partition to 104GiB results in 97GB left for the vda1 partition.
Normally, you would grow the filesystem back to fill the new partition size after this using 'resize2fs -p /dev/vda1'. However, we will need the extra space later.
Step 3: Create a new partition for /boot.
1. Create the New Partition:
fdisk /dev/vda
Create a new primary partition with the command n for 'new' followed by p for 'primary'.
Accept the defaults for all remaining prompts so that the new partition fills the space we freed earlier. After that, enter w to write the new partition table to the disk.
2. Format and label the new partition:
mkfs.ext4 -L BOOT /dev/vda2
3. Check the filesystem on both partitions to verify everything's still okay.
e2fsck -f /dev/vda1
e2fsck -f /dev/vda2
4. Mount both partitions temporarily:
mkdir /mnt/root
mkdir /mnt/boot
mount /dev/vda1 /mnt/root
mount /dev/vda2 /mnt/boot
5. Copy the contents of your current '/boot' directory to the new partition:
rsync -avh /mnt/root/boot/ /mnt/boot/
6. Update /etc/fstab for your VPS (not the fstab of the rescue disk!):
vim /mnt/root/etc/fstab
Add an entry for the new /boot partition using its label (press i to turn on 'insert' mode):
LABEL=BOOT /boot ext4 defaults 0 2
Save and close the file. (Esc to disable insert mode followed by :wq to write and quit)
7. Fix the grub installation:
update-grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --boot-directory=/mnt/boot /dev/vda
8. After this, reboot the VPS to verify it boots normally into the OS using the new setup.
Step 4: Encrypt the root partition.
1. Update the grub config file to prepare for using LUKS encryption.
vim /etc/default/grub
Add the following to the file:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/vda1:luks-vgroot"
GRUB_PRELOAD_MODULES="luks cryptodisk lvm"
Save and close the file.
2. Install packages needed for booting from a LUKS-encrypted device and update Grub again:
apt install -y cryptsetup-initramfs lvm2
update-grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --boot-directory=/boot /dev/vda
sudo apt reinstall grub-common
3. Reboot into rescue mode and, just as last time, change the root password and add your IPv4 address to the firewall from the video display so you can SSH into the VPS rescue disk.
4. SSH into the VPS rescue disk.
5. Shrink the filesystem again as it may have automatically reset:
resize2fs /dev/vda1 95G
6. Encrypt the vda1 partition with your own password:
cryptsetup reencrypt --encrypt --reduce-device-size 16M /dev/vda1
7. Open the newly encrypted vda1 with your password:
cryptsetup open /dev/vda1 recrypt
8. Check the filesystem to make sure everything is okay:
e2fsck -f /dev/mapper/recrypt
9. Resize the filesystem to fill the partition again:
resize2fs /dev/mapper/recrypt
10. Mount the newly encrypted partition:
mount /dev/mapper/recrypt /mnt
11. Remove and re-create the /boot folder:
rm -rf /mnt/boot
mkdir /mnt/boot
12. Mount /boot and the other virtual filesystems:
mount /dev/vda2 /mnt/boot
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
13. Retrieve the UUIDs of all partitions:
blkid
14. Chroot into the new environment:
chroot /mnt
15. Configure /etc/crypttab:
recrypt UUID=<UUID_of_vda1> none luks
As we have already updated fstab in a previous step, all we need to do is update initramfs and grub to include the LUKS configuration.
16. Update initramfs:
update-initramfs -u
17. Update GRUB:
update-grub
18. Exit the chroot environment:
exit
19. Unmount all filesystems:
umount -R /mnt
20. Reboot the system to boot back into your VPS without the rescue disk:
reboot
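The hand-copied UUID in step 15 is the most common place for this procedure to go wrong, and a mistake there leaves the system unbootable. The following script is an added example, not part of the original guide: it derives the crypttab line for the LUKS container from blkid output and checks that crypttab, fstab and /etc/default/grub agree before you leave the chroot in step 18. The blkid text and UUIDs in it are constructed sample data; the mapper name recrypt, the label BOOT and the file paths are those used in the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide. Constructed blkid output
# with placeholder UUIDs; on a real system pass "$(blkid)" instead.
SAMPLE_BLKID='/dev/vda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="0001"
/dev/vda2: LABEL="BOOT" UUID="66666666-7777-8888-9999-000000000000" TYPE="ext4" PARTUUID="0002"
/dev/mapper/recrypt: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"'

# crypttab_line BLKID_OUTPUT DEVICE MAPPER_NAME
# Prints "<name> UUID=<uuid> none luks" for DEVICE. Fails when the device is
# absent or is not a LUKS container, so a still-unencrypted disk is caught.
crypttab_line() {
    line=$(printf '%s\n' "$1" | grep "^$2: ") || return 1
    case "$line" in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
    # Only the filesystem/container UUID is preceded by a space; PARTUUID is not.
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf '%s UUID=%s none luks\n' "$3" "$uuid"
}

# check_boot_config CRYPTTAB FSTAB GRUB_DEFAULT MAPPER_NAME BLKID_OUTPUT DEVICE
# Returns 0 only when crypttab names exactly the LUKS UUID blkid reports,
# fstab mounts /boot by its label, and GRUB has cryptodisk support enabled.
check_boot_config() {
    expected=$(crypttab_line "$5" "$6" "$4") || { echo "$6 is not a LUKS device"; return 1; }
    grep -qxF "$expected" "$1" || { echo "crypttab: expected line '$expected'"; return 1; }
    grep -q '^LABEL=BOOT[[:space:]]\{1,\}/boot[[:space:]]\{1,\}ext4' "$2" \
        || { echo "fstab: LABEL=BOOT /boot entry missing"; return 1; }
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$3" \
        || { echo "grub: GRUB_ENABLE_CRYPTODISK=y missing"; return 1; }
    return 0
}

# Stand-alone demo on the constructed data; inside the chroot of step 14 you
# would run: check_boot_config /etc/crypttab /etc/fstab /etc/default/grub recrypt "$(blkid)" /dev/vda1
crypttab_line "$SAMPLE_BLKID" /dev/vda1 recrypt
```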
As of now, you'll have to enter your password using the video display every time to unlock the disk.
Congratulations! You've just encrypted an existing installation of Debian!