Installing Debian via GRML through debootstrap with LUKS and LVM: A Modern and Secure Approach

Introduction

🔐 Setting up Debian via GRML offers a powerful way to customize your installation while ensuring top-notch security. This method gives you full control over the process, allowing you to build a system tailored to your needs from the ground up. In this guide, we'll explore the steps involved in setting up Debian on an encrypted LVM using these tools. Get ready for a journey into the art of building a secure Linux system! 🚀

What You'll Need

Before diving in, make sure you have the following:

• A GRML live environment. You can download it from grml.org.
• A stable internet connection for debootstrap.
• A target machine or virtual machine with at least 1 CPU, 1 GB of RAM, and 20 GB of storage.

💡 Why GRML? GRML is a powerful live environment packed with tools that make it perfect for advanced installations like this. It's lightweight, flexible, and designed with system administrators in mind.

Step 1: Booting into GRML

🎯 Start by booting into the GRML live environment from your USB stick or ISO. Once you're in, you'll be greeted by a terminal. Don’t worry; this is where all the magic happens.

Prepare Your Disks

💾 Identify your target disk using lsblk or fdisk:

lsblk

For this example, we'll assume your target disk is /dev/sda.

Partition the Disk:

1. Use fdisk to create a new GPT partition table:

   fdisk /dev/sda

2. Create the following partitions:
   • A small EFI system partition (e.g., 512 MB, type EFI).
   • A larger partition for LUKS and LVM (rest of the disk).

Don’t forget to set the EFI partition's type to EFI System.

Step 2: Setting Up LUKS Encryption

🔒 Encrypting your system with LUKS ensures your data is secure, even if the physical disk is stolen.

1. Initialize LUKS on the second partition:

   cryptsetup luksFormat /dev/sda2

   Type "YES" when prompted, and set a strong passphrase. 🧠

2. Open the encrypted volume:

   cryptsetup open /dev/sda2 cryptroot

   This maps the encrypted partition to /dev/mapper/cryptroot.

Step 3: Setting Up LVM

📦 Logical Volume Management (LVM) provides flexibility by allowing you to resize or add volumes without major headaches.

1. Create a physical volume:

   pvcreate /dev/mapper/cryptroot

2. Create a volume group:

   vgcreate debian-vg /dev/mapper/cryptroot

3. Create logical volumes:

   • Root volume:

     lvcreate -L 15G -n root debian-vg

   • Swap volume:

     lvcreate -L 2G -n swap debian-vg

   • Home volume:

     lvcreate -l 100%FREE -n home debian-vg

Step 4: Formatting and Mounting

🛠️ With your logical volumes ready, it’s time to format them:

1. Format the EFI partition:

   mkfs.vfat /dev/sda1

2. Format the logical volumes:

   • Root:

     mkfs.ext4 /dev/debian-vg/root

   • Home:

     mkfs.ext4 /dev/debian-vg/home

   • Swap:

     mkswap /dev/debian-vg/swap

3. Mount the filesystems:

   mount /dev/debian-vg/root /mnt
   mkdir /mnt/home
   mount /dev/debian-vg/home /mnt/home
   mkdir /mnt/boot/efi
   mount /dev/sda1 /mnt/boot/efi

Step 5: Installing Debian with debootstrap

📦 debootstrap is a lightweight tool for installing Debian from scratch.

1. Install the base system:

   debootstrap stable /mnt http://deb.debian.org/debian/

2. Chroot into the new system:

   for _dr in proc sys dev dev/pts run; do mount --bind /${_dr} /mnt/${_dr}; unset _dr; done
   chroot /mnt bash

3. Configure basic settings:

   • Set the hostname:

     echo "mydebian" > /etc/hostname

   • Configure /etc/fstab for your partitions. For example:

     echo "/dev/mapper/debian--vg-root / ext4 defaults 0 1" >> /etc/fstab
     echo "/dev/mapper/debian--vg-home /home ext4 defaults 0 2" >> /etc/fstab
     echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /etc/fstab

   • Set up /etc/crypttab to unlock the encrypted volume on boot:

     echo "cryptroot UUID=$(blkid -s UUID -o value /dev/sda2) none luks" >> /etc/crypttab

   • Install a kernel and bootloader:

     apt update
     apt install linux-image-amd64 grub-efi sudo openssh-server
     grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian
     update-grub

   • Set a root password:

     passwd

   • Optionally, create a user account for daily operations:

     adduser myuser
     usermod -aG sudo myuser

4. Exit the chroot and unmount everything:

   • Exit the chroot environment:

     exit

   • Unmount all mounted filesystems:

     for _dr in proc sys dev/pts dev run; do umount /mnt/${_dr}; unset _dr; done

     ---

Step 6: Reboot and Finalize

🌟 Reboot the system, remove the GRML media, and enter your LUKS passphrase when prompted. After booting, fine-tune your installation by:

• Configuring firewall settings with ufw.
• Setting up regular backups for your encrypted system.

Conclusion

🎉 Congratulations! You've successfully installed Debian using GRML. This setup provides not only flexibility and performance but also robust security for your data. Take a moment to appreciate your work; you’ve built something powerful and secure from scratch. 🚀