
I have seen various guides and recommendations on the web about how best to do this, but nothing that clearly explains the best way and why. So I understand there is a need for part of Debian during install to be unencrypted on its own partition to allow it to boot. Most info I have seen calls this /boot and sets the boot flag. Next, I believe the best approach is to create another partition out of all the rest of the disk space, encrypt this, then on top of that create an LVM, and then within the LVM create my various partitions, name them, and select size and file system type. Can I include /swap in the encrypted LVM part? Is this approach sound? If so, what are the partitions I should use (this is going to be a minimal server install with a view to installing what I need for a dev server as and when)? Finally, how does the installer know what to put in each partition I define?

I appreciate there is more than one question, but any help and suggestions would be appreciated. If further clarification is needed, please mention it in the comments.

EDIT: 16/3/2010

After Richard Holloway's reply I thought it relevant to add this info:

The reasons why I want to do this are to explore maximising security on any server install and set up, due to interest in the area of Computer Security and Forensics. Also I am trying to perform the task as if it were being performed in an enterprise situation.

On a technical matter, once set up and configured with minimal packages and ssh, this server will not physically be easy to access, so I will only be entering via ssh. (Yes, I know: why encrypt something no one will ever be able to get their hands on? Because I can and I want to is the simple answer, but see above too.)

user9517
ianfuture
  • Contrary to popular belief, the boot flag does *not* need to be set on a Linux `/boot` partition. That flag is only used by Microsoft's MBR code to decide which partition to "chain-load" (to use the GRUB term). GRUB/LILO/etc. have more sophisticated ways to decide what to do, and a `/boot` partition typically doesn't have any code in its boot sector anyway. – Wyzard Jul 08 '12 at 15:32

2 Answers

3

Why encrypt it at all? I am playing devil's advocate here but for a reason.

There are valid reasons to encrypt removable drives and laptops and other portable devices in case you lose them.

I suppose you could lose a server if someone stole it or gained local access to it.

For laptops and other personal machines you can type a pass phrase to enable the server to unencrypt the devices on boot or as required.

Are you able to do this on the server? If the server does not require this intervention and can unencrypt the devices on boot, the server is not more secure for being encrypted.

The answer is it depends on your circumstances and what you are trying to achieve. There is no rule that says you must encrypt everything and if you don't know why you are doing it I suspect you don't need to.

Based on your edit:

I would partition the disk like this:

First partition 100MB mounted on /boot as ext3

Rest of disk formatted as encrypted LVM.

I then partition the LVM partition like this:

Create a volume group vg0

Create these logical volumes:

/dev/vg0/root mounted on /root as ext3 of 3GB

/dev/vg0/swap used as swap space, twice the size of RAM

/dev/vg0/var mounted on /var as ext3 of 7GB

/dev/vg0/home mounted on /home as ext3 using the rest of the free space.

Then everything is encrypted apart from /boot.

Richard Holloway
1

Depends on the distribution. In general you must encrypt everything (read as: swap should be a volume in the encrypted LVM). Stuff that is not encrypted you should keep on a CD-ROM that stays only with you, or you make sure that nobody replaces it. Put a password on the BIOS and boot only from CD-ROM.

Mircea Vutcovici