Chapter 2B. Installing the Operating System on an Encrypted Internal Hard Drive Partition with a USB Flash Drive Boot Key

As was stated earlier, if you have any sensitive files you may be worried about losing, please back
them up before beginning this process if you haven't already. While it is unlikely that anything bad
will happen, since you will be resizing an existing partition on your hard drive, there is a chance
of data loss. With that out of the way, let's begin.

1. When prompted to select a “partitioning method,” choose “manual” and press “enter.”

2. First, you need to prepare the USB Flash Drive to use as the Boot Key Disk and make a note of its
device name. In the image below, the USB Flash Drive used as the example Boot Key Disk is displayed
as “SCSI5 (0,0,0) (sdc)” and the internal hard drive where the Debian root system will be installed
is “SCSI1 (0,0,0) (sda).” Of particular importance is the device name of the flash drive which will
be your Boot Key Disk. In the example below, it is “sdc.” However, it may be different on your
computer. Look for the drive that matches the size of your intended USB boot key to make your
selection. Make note of your USB Flash Drive's device name and save it; you will need to know it
later in this tutorial. Select the flash drive you desire to use as the Boot Key Disk and press
“enter.”

NOTE: If you are installing Debian from a bootable USB drive, you must use a USB drive that is
different from your Debian Installation media drive. Otherwise, if you attempt to install Debian on
your Debian Installation media drive, the installation process will eventually fail.

3. On the next screen that appears, choose “yes” and press “enter.” 

4. On the next screen, you will now see an entry labeled as “FREE SPACE.” Select that entry and
press “enter.”

5. On the next screen, choose “Create a new partition” and press “enter.”

6. In the next screen, you will be asked to choose a new partition size. You can accept what is
already selected by the installer. Simply press “enter” to continue.

7. The next screen will ask you to choose the “type for the new partition.” Choose “Primary” and
press “enter.”

8. The next screen is for choosing your partition settings. There are many options here. However,
in this step, you only need to concern yourself with one. You need to change the mount point to
“/boot.” So, choose “Mount point” and press “enter.”

9. On the next screen, choose “/boot – static files of the boot loader” and press “enter.”

10. On the next screen, choose “Done setting up the partition” and press “enter.”

11. In the next step, you will begin the process of resizing the partition on your internal hard
drive so you can create an encrypted partition for the Debian operating system. In this tutorial,
the internal hard drive is “sda.” On your computer, the device name for your internal hard drive
may be different. You may already have a number of partitions residing on “sda.” Choose the
largest one and shrink it by the size you wish to allow for Debian. However, before doing this,
make sure there is enough free space on the drive to allow you to shrink it. Select the drive
to resize and press “enter.”

12. On the next screen, select the “resize the partition” option and press “enter.”

13. On the next screen, choose “yes” and press “enter.”

14. On the next screen, you will be prompted to enter a new partition size. 64 gigabytes should be
sufficient for your purposes. At a minimum, use 32 gigabytes of space. However, if you wish
to make it larger than 64 gigabytes and have the space, feel free to do so. In the example below,
64 gigabytes is chosen for what will be our encrypted operating system disk. Since the
maximum size of the disk in the example is 532.9 GB, subtracting 64 GB results in 468.9 GB.
Use the same math to determine what you should type in the field for the new partition size and
press “enter” when done. This process may take a bit of time.

15. On the next screen, you will see a new entry marked “FREE SPACE” under (sda) with the size
you chose for your encrypted disk. Select it and press “enter.”

16. On the next screen, select “Create a new partition” and press “enter.”

17. On the next screen, the maximum size for the disk will already be selected. Press “enter” to
continue.

18. On the next screen, select “Logical” and press “enter.”

19. On the next screen, we need to set this partition to be used for encryption. Select the “Use as:
Ext4 journaling file system” entry and press “enter.”

20. On the next screen, choose “physical volume for encryption” and press “enter.”

21. This step is optional. In the next screen, there is an option to “erase data” which is set to
“yes” by default. If you choose to erase data, the installer will overwrite the full partition with
pseudo-random data. If you want the tightest security, this is a wise step since it will be even
more difficult for someone who has possession of your hard drive to successfully use forensics
to decode it. However, this process can take a very long time. To skip erasing data, select
“Erase data:” and press “enter.” The option will change to “no.” If you wish to erase data, skip
this step and proceed to step 22.

22. In this step, select “done setting up the partition” and press “enter.”

23. On the next screen, select “configure encrypted volumes” and press “enter.”

24. On the next screen, choose “yes” and press “enter.”

25. On the next screen, select “finish” and press “enter.”

26. If you opted to “erase data” when you set up the encrypted partition in step 21, you will be
asked again if you want to erase the data. Choose “yes” if you do and press “enter.” This
process can take hours. If you opted to not erase data, this screen will not appear and you can
continue to step 27.

27. On the next screen, you will be prompted for your encryption passphrase. It is imperative that
you choose a very strong passphrase! Otherwise, encrypting your hard drive will simply
amount to a waste of time! As was discussed earlier in step 13 of chapter 1D, an 8-character
password is never a good passphrase. Since the Debian Installer is making use of the cryptsetup
program and the LUKS encryption system, the following breakdown of the importance of a
strong passphrase comes from the developer.

“First, passphrase length is not really the right measure, passphrase entropy is. For example, a
random lowercase letter (a-z) gives you 4.7 bit of entropy, one element of a-z0-9 gives you 5.2
bits of entropy, an element of a-zA-Z0-9 gives you 5.9 bits and a-zA-Z0-9!@#$%^&:-+ gives
you 6.2 bits. On the other hand, a random English word only gives you 0.6...1.3 bits of entropy
per character. Using sentences that make sense gives lower entropy, series of random words
gives higher entropy. Do not use sentences that can be tied to you or found on your computer.
This type of attack is done routinely today. To get reasonable security for the next 10 years, it is
a good idea to overestimate by a factor of at least 1000.

Then there is the question of how much the attacker is willing to spend. That is up to your own
security evaluation. For general use, I will assume the attacker is willing to spend up to 1
million EUR/USD. Then we get the following recommendations:

LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random English sentence
of > 108 characters length.

If paranoid, add at least 20 bit. That is roughly four additional characters for random
passphrases and roughly 32 characters for a random English sentence.”

https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#5._Security_Aspects

Not in the mood to do math?  The lesson to take away is that length, randomness and nonsense 
matter. They will get you more entropy. There are many tricks people use to come up with a 
nonsensical passphrase that they remember.  For example, you could use a play on a favorite 
line from a movie you enjoy combined with a date you would remember like “If My 
Calculations Are Proper, When This Baby Hits 88 Miles Per Hour, You're Going 2 See Some 
Serious Business! January-1-2013?”.  This is a very secure type of passphrase that has plenty of
entropy per the suggested numbers by the developer of cryptsetup. 

For further discussion of strong passphrases, go to https://www.grc.com/haystack.htm.

Once you have decided upon a strong passphrase, type it into the “encryption passphrase” field 
and press “enter.”  Remember, if you forget this passphrase, you have lost everything on 
your disk! Make sure you remember it! It cannot be recovered!

28. On the next screen, type your passphrase again to confirm it and press “enter.”

29. On the next screen, choose “Configure the Logical Volume Manager” and press “enter.”

30. On the next screen, choose “yes” and press “enter.”

31. On the next screen, choose “create volume group” and press “enter.”

32. At the next screen, you will be asked to choose a “volume group name.” Type “debian-vg” and
press “enter.”

33. On the next screen, you will be asked to choose devices for the new volume group. You want to
choose your encrypted partition. It will appear as “/dev/mapper/PartitionDeviceName_crypt”.
In the example below, it is “/dev/mapper/sda5_crypt.” Select the box next to that entry and
press the space-bar to enable it. When you enable it, an “*” will appear in the box. Then press
“enter” to continue.

34. On the next screen, select “create logical volume” and press “enter.”

35. On the next screen, press “enter” to select “debian-vg” and continue.

36. At the next screen, you will be prompted to create a logical volume name. Type “root” and press
“enter.”

37. At the next screen, you will be asked to enter the logical volume size. If you are installing this
on a computer with less than 2 gigabytes of RAM, you will need to create an appropriately
sized swap partition or the system will not work! If you need a swap partition, a roughly 2
gigabyte partition will be more than safe (but, you may choose a smaller swap size depending
on how much RAM is in your computer). Subtract 2 gigabytes from the default logical volume
size and enter that number for your logical volume size if you need a swap partition. In the
example below, the number would be changed from “63963” to “61963.” After you have
entered the new size, press enter to continue.

If you do not need a swap partition, accept the default entry. Press “enter” and continue to step 
42.

38. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. Select “create logical volume” and press “enter.”

39. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. On the next screen, press “enter” to select “debian-vg” and continue.

40. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. At the next screen, you will be prompted to create a logical volume
name. Type “swap1” and press “enter.”

41. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. Next, accept the default size and press “enter.”

42. On the next screen, select “finish” and press “enter.”

43. On the next screen, you will see a new entry for “LVM VG debian-vg, LV root.” Choose the
entry directly beneath it and press “enter.”

44. On the next screen, select “Use as: do not use” and press “enter.”

45. On the next screen, select “Ext4 journaling file system” and press “enter.”

46. On the next screen, select “Mount point: none” and press “enter.”

47. At the next screen, select “/ - the root file system” and press “enter.”

48. At the next screen, select “done setting up the partition” and press “enter.”

49. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. If you created a logical
volume for your swap space, you will also see a new entry entitled “LVM VG debian-vg, LV
swap1.” Choose the entry directly beneath it and press “enter.”

50. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. On the next screen,
select “Use as: do not use” and press “enter.”

51. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. On the next screen,
select “Swap area” and press “enter.”

52. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. At the next screen,
select “done setting up the partition” and press “enter.”

53. On the next screen, select “finish partitioning and write changes to disk” and press “enter.”

54. If you decided you did not need a swap partition, the next screen will inform you that you
haven't selected a partition for swap space and ask if you want to return to the partitioning
menu. Select “no” and press “enter.”

55. The next screen will ask if you want to write the changes to disk. Select “yes” and press
“enter.”

56. In the next screen, you will see a progress bar indicating that it is “installing the base system.”
This could take a while. When it finishes, it will prompt you to choose a “Debian archive mirror
country.” A selection will likely be chosen by default based on the location you selected earlier.
Select your region and press “enter.”

57. The next screen will ask you to choose a “Debian archive mirror” server. Again, you can just
choose what the system selected by default by pressing “enter.”

58. The next screen will ask you if you need to use a proxy to access the Internet. If you don't know
the answer to that one, you don't need to use a proxy to access the Internet. Press “enter” to
continue.

59. The installer will next go through the process of “configuring apt” and installing various
software. At the next prompt, you will be asked if you want to “participate in the package usage
survey.” Select “no” and press “enter.”

60. The installer will again perform some tasks until it prompts you to “choose software to install.”
You only need to install the “Debian Desktop Environment” and “Standard System Utilities.”
Unselect the other chosen items by moving the arrow key until they are highlighted and
pressing the space bar. When the “*” disappears, the item is unselected. When your screen
looks like the screen shot below, press “enter” to continue.

NOTE: If you will need to print documents from the Debian Operating System you are 
installing, you can leave the “print server” selected.  However, if you will not be printing 
documents, there is no need to enable it.

61. The installer will now begin retrieving files and will then install them. This will take a long
time. Eventually, the process of installing the GRUB boot loader will begin. If GRUB detects
other operating systems, you may be presented with a screen asking if you want to “install the
GRUB boot loader to the master boot record.” Choose “no” and press the “enter” key. If you do
not see this screen, continue to the next step.

62. Next, you will be asked if you want to “Install the GRUB boot loader on a hard disk.” In step 2
of this chapter, you were instructed to make a note of the device name that was the USB flash
drive where you were installing Debian. The example used in this tutorial was “sdc.” Scroll
down to the name of the device where you installed Debian and press “enter.”

63. Now the installer will go through the process of finishing the installation. You may reach a
screen that asks if “the system clock is set to UTC.” Select “no” and press “enter.” If you don't
see this screen, skip to the next step.

64. You will eventually be informed that the installation is complete. Remove the Debian Install
Disk and press “enter.”

65. The installer will eventually reboot your computer. As your computer restarts, you need to get
into a boot menu again in the same manner that you did in step 1 of chapter 1D. When you
activate the boot menu, choose your USB flash drive on which you installed Debian.
Eventually, you will be prompted to choose a boot selection. It will default to Debian and, thus,
you can either press “enter” or wait for the timer to run out. The example screen below may not
look exactly the same as yours. But, it is essentially the same thing.

NOTE: If the installation process took long enough to make you run out of time, you can power
off your computer at this point. You can then continue from this step at a later time.

TROUBLESHOOTING NOTE: If you do not get to the GRUB menu pictured above after
trying to boot from your USB disk and are presented with a black screen or flashing cursor,
please refer to Appendix A of this guide. You have most likely encountered a fairly common bug
involving GRUB and Debian. The fix is fairly simple.

66. The next screen will prompt you to “enter passphrase.” This is the encryption passphrase you
created in step 27 of this chapter. You will not see any symbols on your screen when you type
your password. While this may seem odd, it is for security reasons. Someone watching your
screen won't be able to determine the length of your passphrase. Type your passphrase and press
“enter.”

67. Debian will now go through its boot process. Eventually you will reach the login window.
When you reach the login window, press “enter” or click on “user.”

68. On the next screen, you will be prompted for your password. Before typing your password,
click on the gear icon next to the “Sign In” button and select “GNOME Classic.” Then, type the
password you created for “user” in step 13 of chapter 1D and press “enter.” Debian will use
“GNOME Classic” for every other login until you choose something different.

69. When you reach the Debian desktop, click on “Applications” in the upper left corner, then
choose “Utilities” and scroll down to “Terminal.”

70. A terminal window will open. At the prompt, type “sudo -i” to obtain root privileges. When
you execute commands with “sudo” as root, they are run with root/administrative privileges.
You will be prompted for your password. This is the same password you chose for “user” in
step 13 of chapter 1D. Type your password and press “enter.”

NOTE: Whenever you use this command, you will have full root/administrative access until
you “exit” the session. Thus, be extra cautious in your session whenever you decide to use
this command. The changes you make can be damaging and permanent if you do
something wrong.

71. You will now be at a shell prompt as superuser (aka 'root') in a terminal program. Now you need
to create your key file to unlock your hard drive in the future. Type the following line into the
terminal:

dd if=/dev/urandom of=/keyfile bs=512 count=16

This will create an 8 kilobyte key file of pseudo-random data. When the process for generating
the key file finishes, a cursor will appear next to a new prompt.

NOTE: If you wish to use “copy and paste” throughout the guide for any terminal commands in
the Debian Host OS, press “CTRL-SHIFT-V” to paste what you copied from this guide into a 
terminal session.

72. Now that your key file is created, you can edit your /etc/crypttab file. This is a file that tells
Debian how to handle encrypted drives on boot. Type “nano /etc/crypttab” in your terminal
window.

73. Now you need to change the existing line in /etc/crypttab to handle your future encrypted key
file. When you open /etc/crypttab, you will see something similar to the screen shot below:

Make note of the section called “sda5_crypt” in the above example. “sda5” is the device name
for the encrypted hard drive. It may be something different for your computer (for example,
“sda6”). You will need this information in steps 73 and 84.

Move the cursor to the far right with your arrow keys and then erase “none luks” with the
backspace key. Then add:

/boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg

Press the “Control” and “X” key at the same time. When prompted to “save modified buffer,” 
type “y” and press the enter key. 

Press “enter” when prompted with “File Name to Write: /etc/crypttab”.

74. Now you need to add your key file to your LUKS keyring. You will need the device name for
your encrypted hard drive that I told you to make note of in step 72. In my case, it is “sda5.”
Type the following in your terminal window and press “enter”:

cryptsetup luksAddKey /dev/YourDeviceName /keyfile

When prompted to “Enter any passphrase,” type the passphrase you created for your encrypted 
hard drive in step 27 of this chapter and press “enter.” If the process was a success, you will 
return to the command prompt.

75. Now you need to encrypt your key file with the “gpg” program. Type the following line at your
command prompt and press “enter”:

gpg -c --cipher-algo AES256 /keyfile

When prompted to “Enter passphrase,” either use the same passphrase you chose in step 27 of 
this chapter or create something new that is just as long and random. Retype your passphrase to 
confirm it when prompted. This will now be the passphrase you need to enter when you 
boot up Debian in the future.

If all went successfully, you will be returned to a command prompt with no error message.

76. Next, type “mv /keyfile.gpg /boot/keyfile.gpg” and press “enter.” This will move your
encrypted key file onto your USB Boot Key (mounted at /boot), where it is kept if you ever need
it in the future.

77. Now you need to update your boot process to actually use the encrypted key file. Type
“update-initramfs -u” and press “enter.” If all goes well, you will be returned to a command prompt
with no error messages and your screen will look similar to the shot below. Do not worry about
the “Warning: GnuPG key /boot/keyfile.gpg is copied to initramfs” message. That is supposed
to happen.
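
A mistake in the /etc/crypttab line from step 73 only shows up at the next boot, so it is worth checking before the restart in step 78. The script below is an added example, not part of the original guide: it parses a crypttab file and confirms that the entry carries the key file and options given in step 73 and that the files it names exist. The function names, return codes and the placeholder UUID in the sample are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the guide: check the /etc/crypttab entry edited in
# step 73, and the files it refers to, before the reboot in step 78.
# Function names and return codes are this example's own (hypothetical).

EXPECTED_KEY=/boot/keyfile.gpg
EXPECTED_SCRIPT=/lib/cryptsetup/scripts/decrypt_gnupg

# has_option <comma-separated options> <option>: exact match on one option.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_crypttab_entry <crypttab file> <target name, e.g. sda5_crypt>
# Returns 0 if the entry matches step 73, 2 if the target has no entry,
# 3 if the key field is still "none", 4 if it names another key file,
# 5 if the "luks" or keyscript option is missing or malformed.
check_crypttab_entry() {
    entry=$(awk -v t="$2" '$1 == t { print; exit }' "$1")
    if [ -z "$entry" ]; then
        echo "crypttab: no entry named $2" >&2
        return 2
    fi
    # Fields: <target name> <source device> <key file> <options>
    read -r name src key options <<EOF
$entry
EOF
    if [ "$key" = "none" ]; then
        echo "$name: key field is still \"none\" (installer default)" >&2
        return 3
    fi
    if [ "$key" != "$EXPECTED_KEY" ]; then
        echo "$name: key file is $key, expected $EXPECTED_KEY" >&2
        return 4
    fi
    if ! has_option "$options" luks ||
       ! has_option "$options" "keyscript=$EXPECTED_SCRIPT"; then
        echo "$name: options \"$options\" lack luks or the keyscript" >&2
        return 5
    fi
    echo "$name: $src is unlocked with $key through $EXPECTED_SCRIPT"
    return 0
}

# check_boot_files [root prefix]: the encrypted key file moved in step 76 and
# the keyscript named in crypttab must both exist. The optional prefix lets
# the check run against a mounted or test tree instead of "/".
check_boot_files() {
    root=${1:-}
    if [ ! -s "$root$EXPECTED_KEY" ]; then
        echo "missing or empty: $root$EXPECTED_KEY" >&2
        return 1
    fi
    if [ ! -x "$root$EXPECTED_SCRIPT" ]; then
        echo "missing or not executable: $root$EXPECTED_SCRIPT" >&2
        return 1
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    # Real use: sh <this script> /etc/crypttab sda5_crypt
    check_crypttab_entry "$1" "$2" && check_boot_files
else
    # No arguments: run against a constructed sample (placeholder UUID) that
    # still has the installer's default "none luks" fields.
    sample=$(mktemp)
    echo 'sda5_crypt UUID=00000000-0000-0000-0000-000000000000 none luks' >"$sample"
    check_crypttab_entry "$sample" sda5_crypt || echo "check returned $?"
    rm -f "$sample"
fi
```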

78. Now it is time to restart your computer. Click on the area in the top right corner of your desktop
with the network, speaker, battery and downward arrow icon and click on the power button
shown in the image below.

In the window that appears, click on “Restart.”

79. As your computer restarts, you need to get into a boot menu again in the same manner that you
did in step 1 of chapter 1D. When you activate the boot menu, choose your USB flash drive on
which you installed Debian. Eventually, you will be prompted to choose a boot selection. It
will default to Debian and, thus, you can either press “enter” or wait for the timer to run out.

80. Eventually you will be prompted to enter your passphrase. Enter the passphrase you chose in
step 74 of this chapter and press “enter.”

81. Debian will now go through its boot process. Eventually you will reach the login window.
When you reach the login window, press “enter” or click on “user.”

82. On the next screen, you will be prompted for your password. Type the password you created for
“user” in step 13 of chapter 1D and press “enter” or click on “Sign in.”

83. When you reach the Debian desktop, click on “Applications” in the upper left corner, then
choose “Utilities” and scroll down to “Terminal.”

84. A terminal window will open. At the prompt, type “sudo -i” to obtain root privileges. When
you execute commands with “sudo” as root, they are run with root/administrative privileges.
You will be prompted for your password. This is the same password you chose for “user” in
step 13 of chapter 1D. Type your password and press “enter.”

NOTE: Whenever you use this command, you will have full root/administrative access until
you “exit” the session. Thus, be extra cautious in your session whenever you decide to use
this command. The changes you make can be damaging and permanent if you do
something wrong.

85. Next, you need to remove the initial passphrase you created for your encrypted hard drive
partition in step 27 of this chapter. The LUKS encryption system uses what is called a keyring.
At this point, you have two keys in your keyring: one containing the passphrase you chose
when installing Debian in step 27 of this chapter and one containing the key file you created
and added to the keyring in steps 67-73 of this chapter.

Removing the passphrase you created in step 27 will make it so that your key file is the only
means to unlock your encrypted hard drive. This provides strong security since you will never
know the contents of the key file. As a human, it's unlikely that you could remember 4096
bytes of random characters. Thus, if you lose or destroy your USB flash drive boot key, the
data on your hard drive is irrecoverable. You will need the device name for your encrypted
hard drive that I told you to make note of in step 72. In my case, it is “sda5.” Type the
following and press “enter”:

cryptsetup luksKillSlot /dev/YourDeviceName 0 --key-file /keyfile

If the process is successful, you will be returned to a command prompt with no error message.

86. Now it is time to securely remove your unencrypted key file from your hard drive. This further
minimizes the risk of a potential attacker ever discovering it. If you ever need access to your
unencrypted key file in the future, remember that you have an encrypted version of it stored on
your boot key as “keyfile.gpg.” Type “shred -n 30 -uvz /keyfile” and press “enter.” When the
process is over, type “exit” and press the “enter” key, or click on the “x” in the upper right
corner to close the window.

Congratulations! You have finished up the lengthy process of installing Debian onto an
encrypted hard drive with a secure USB boot key.

Continue on to the next chapter for the final steps of installing Debian and Whonix.