Differences

This shows you the differences between two versions of the page.

--- debian-with-luks2-on-btrfs-with-grub [2026-02-23 07:57:29] – created hyperreal
+++ debian-with-luks2-on-btrfs-with-grub [2026-03-14 20:20:43] (current) – removed hyperreal
@@ Line 1: / Line 1: @@
-====== Debian with LUKS2 Btrfs and GRUB via Debootstrap ======
-Source: https://gist.github.com/meeas/b574e4bede396783b1898c90afa20a30
-  * Use a Debian Live ISO
-  * Single LUKS2 encrypted partition
-  * Single Btrfs filesystem with ''@'', ''@home'', ''@swap'', and other subvolumes.
-  * Encrypted swapfile in Btrfs subvolume
-  * Optional removal of crypto keys from RAM during laptop suspend
-  * Optional configurations for laptops
-===== Pre-installation setup =====
-Boot into the live ISO, open a terminal, and become root. Install the needed packages.
-<code bash>
-sudo -i
-apt update
-apt install -y debootstrap cryptsetup arch-install-scripts
-</code>
-Create partitions.
-<code bash>
-cfdisk /dev/nvme0n1
-</code>
-  * GPT partition table
-  * 512M ''/dev/nvme0n1p1'' EFI System Partition (EF00)
-  * 100%+ ''/dev/nvme0n1p2'' Linux filesystem
-<code bash>
-mkfs.fat -F 32 -n EFI /dev/nvme0n1p1
-cryptsetup -y -v --type luks2 luksFormat --label Debian /dev/nvme0n1p2
-cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
-mkfs.btrfs /dev/mapper/cryptroot
-</code>
-Make Btrfs subvolume.
-<code bash>
-mount /dev/mapper/cryptroot /mnt
-btrfs subvolume create /mnt/@
-btrfs subvolume create /mnt/@home
-btrfs subvolume create /mnt/@swap
-umount -lR /mnt
-</code>
-Re-mount subvolumes as partitions.
-<code bash>
-mount -t btrfs -o defaults,subvol=@,compress=zstd:1 /dev/mapper/cryptroot /mnt
-mkdir -p /mnt/{boot,home}
-mkdir /mnt/boot/efi
-mount /dev/nvme0n1p1 /mnt/boot/efi
-mount -t btrfs -o defaults,subvol=@home,compress=zstd:1 /dev/mapper/cryptroot /mnt/home
-</code>
-Setup swapfile.
-<code bash>
-mkdir -p /mnt/swap
-mount -t btrfs -o subvol=@swap /dev/mapper/cryptroot /mnt/swap
-touch /mnt/swap/swapfile
-chmod 600 /mnt/swap/swapfile
-chattr +C /mnt/swap/swapfile
-btrfs property set ./swapfile compression none
-dd if=/dev/zero of=/mnt/swap/swapfile bs=1M count=16384
-mkswap /mnt/swap/swapfile
-swapon /mnt/swap/swapfile
-</code>
-===== Base installation =====
-Create a nested subvolume for ''/var/log'' under the ''@'' subvolume. This will be automounted with ''@'' so there is no need to add it to ''/etc/fstab''. Nested subvolumes are not included in snapshots of the parent subvolume. Creating a nested subvolume for ''/var/log'' will ensure the log files remain untouched when we restore the rootfs from a snapshot.
-<code bash>
-mkdir -p /mnt/var
-btrfs subvolume create /mnt/var/log
-debootstrap --arch amd64 <suite> /mnt
-</code>
-Bind the pseudo-filesystems for chroot.
-<code bash>
-mount --rbind /dev /mnt/dev
-mount --rbind /sys /mnt/sys
-mount -t proc proc /mnt/proc
-</code>
-Generate fstab.
-<code bash>
-genfstab -U /mnt >> /mnt/etc/fstab
-</code>
-Chroot into the new system.
-<code bash>
-cp -v /etc/resolv.conf /mnt/etc/
-chroot /mnt
-</code>
-===== Configure the new installation =====
-Set the timezone, locale, keyboard configuration, and console.
-<code bash>
-apt install -y locales
-dpkg-reconfigure tzdata locales keyboard-configuration console-setup
-</code>
-Set the hostname.
-<code bash>
-echo 'hostname' > /etc/hostname
-echo '127.0.1.1 hostname.localdomain hostname' >> /etc/hosts
-</code>
-Configure APT sources on ''/etc/apt/sources.list''.
-<code>
-deb https://deb.debian.org/debian <suite> main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian <suite>-updates main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian <suite>-backports main contrib non-free non-free-firmware
-deb https://deb.debian.org/debian-security <suite>-security main contrib non-free non-free-firmware
-</code>
-Install essential packages.
-<code bash>
-apt update -t <suite>-backports
-apt dist-upgrade -t <suite>-backports
-apt install -t <suite>-backports -y neovim linux-image-amd64 linux-headers-amd64 firmware-linux firmware-linux-nonfree sudo command-not-found systemd-timesyncd systemd-resolved cryptsetup cryptsetup-initramfs efibootmgr btrfs-progs grub-efi
-</code>
-Install desktop environment.
-<code bash>
-apt install task-gnome-desktop task-desktop task-ssh-server
-</code>
-If installing on a laptop:
-<code bash>
-apt install -y task-laptop powertop
-</code>
-Create users and groups.
-<code bash>
-passwd root
-adduser jas
-echo "jas ALL=(ALL) NOPASSWD: ALL" | tee -a /etc/sudoers.d/jas
-chmod 440 /etc/sudoers.d/jas
-usermod -aG systemd-journal jas
-</code>
-===== Setting up the bootloader =====
-Optional package for extra protection of suspended laptops.
-<code bash>
-apt install cryptsetup-suspend
-</code>
-Setup encryption parameters.
-<code bash>
-blkid -s UUID -o value /dev/nvme0n1p2
-</code>
-Edit ''/etc/crypttab''.
-<code bash>
-cryptroot UUID=<uuid> none luks
-</code>
-Setup bootloader.
-<code bash>
-grub-install --target=x86_64-efi --efi-directory=/boot/efi --recheck --bootloader-id="Debian"
-</code>
-Edit ''/etc/default/grub''.
-<code bash>
-GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX=""
-GRUB_ENABLE_CRYPTODISK=y
-GRUB_TERMINAL=console
-</code>
-Update grub.
-<code bash>
-update-grub
-</code>
-Exit chroot and reboot.
-<code bash>
-exit
-umount -lR /mnt
-reboot
-</code>
-===== Emergency recovery from live ISO =====
-<code bash>
-sudo -i
-cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
-mount -t btrfs -o defaults,subvol=@,compress=zstd:1 /dev/mapper/cryptroot /mnt
-mount /dev/nvme0n1p1 /mnt/boot/efi
-mount -t btrfs -o defaults,subvol=@home,compress=zstd:1 /dev/mapper/cryptroot /mnt/home
-mount -t btrfs -o subvol=@swap /dev/mapper/cryptroot /mnt/swap
-swapon /mnt/swap/swapfile
-mount --rbind /dev /mnt/dev
-mount --rbind /sys /mnt/sys
-mount -t proc proc /mnt/proc
-chroot /mnt
-</code>