Preseed Debian 9 – UEFI with Encrypted LVM

I had a difficult time finding good, easy to digest info online on how to do preseed a Debian install with Encrypted LVM. There’s a couple of blog posts, the Debian Wiki and some Serverfault/StackOverflow questions that led the way for me to accomplish this. (the helpful links are at the bottom of this post.)

The Goal

Here’s a breakdown of what I was hoping to accomplish by preseeding the Debian install.

Users

I disable the root account which installs sudo and adds the created user to the sudo group. The preseed.cfg is configured to do that as well.

It is set to create a user and assign them a temporary password “insecure“. Then, at first login the password expires and asks for a new password. I feel doing it that way makes it safer for me to put the config online in a git repo. I could always change it before adding it to the ISO.

There is also an option of creating an encrypted hash of the password to put in the config file. If you want to do that you can install whois and use the mkpasswd utility.

[user@host]$ mkpasswd -m sha-512
Password:
$6$MZO17vgxkwcu.$P5HHjMbHoZHVw5P.gJdhH2IFrDG.xME1tOHCNlz8/tVyP8smheehPaW4WRVNLd3qpVwFFX0dGgw5AnJyj.QwM1

If you decide to take that route, make sure to edit the bottom of the preseed.cfg to remove the code that expires the weak password.

Networking

As it sits in the git repo, it uses DHCP to assign the IP and hostname.

I’ll configure it to assign a static IP and hostname during the networking section of the install before adding it to the ISO.

Partitioning

I wanted to be able to re-create a UEFI Debian install that also has Encrypted LVM partitions.

Over the past few months I’ve been experimenting with different partition layouts and here is where I settled (for now):

Unencrypted
  • ~550M/boot/efi
  • ~250M/boot
Encrypted LVM
  • ~15G/
  • ~120G/home
  • ~32GSwap
  • ~4G/tmp
  • ~10G/var
  • Rest of the disk on standby for future use.

Packages

When manually installing Debian on my Gaming Desktop with i3wm, I only select Standard System Utilities and SSH-Server at the software installation prompt.

I needed to add non-free and contrib to the etc/apt/sources.list for installing nvidia-drivers and steam.

Adding the i386 architecture for installing Steam and a few other packages that require it was also a priority.

I figured that getting a jump on installing a desktop environment, utilities and drivers, etc. would be pretty awesome. I configured it to install vim and xorg.

preseed.cfg

While this is still a work in progress, here’s the code that worked on a virtual machine I created in Proxmox to test it with. You can always get my latest version HERE.

Creating the ISO

You can place the preseed.cfg file on a web server of some sort and point the installer at it. I would assume that you would have to configure networking first to do that. Forget that!! This to be as hands-off as possible!

Then I read about just adding it to the ISO and it seemed easy enough to do.

I used the following packages to complete these steps:

  • xorriso
  • isolinux
  • zip
  • unzip

Steps

      1. Download the debian iso
      2. Rename it to debian.iso
      3. Make a directory to hold the extracted iso
        1. mkdir isofiles
      4. Extract ISO to the isofiles directory
        1. xorriso -osirrox on -indev debian.iso -extract / isofiles
      5. Add write permissions to initrd
        1. chmod +w isofiles/install.amd/
      6. Unzip initrd
        1. gunzip isofiles/install.amd/initrd.gz
      7. Add preseed to the initrd
        1. echo preseed.cfg | cpio -H newc -o -A -F isofiles/install.amd/initrd
      8. Re-zip initrd
        1. gzip isofiles/install.amd/initrd
      9. Remove write abilities of initrd
        1. chmod -w -R isofiles/install.amd
      10. Enter isofiles directory
        1. cd isofiles
      11. Generate new md5sum.txt
        1. md5sum `find -follow -type f` > md5sum.txt
      12. Move back a directory
        1. cd ..
      13. Generate new iso:
[user@host]$ xorriso -as mkisofs \
-isohybrid-mbr /usr/lib/ISOLINUX/isohdpfx.bin \
-c isolinux/boot.cat \
-b isolinux/isolinux.bin \
-no-emul-boot \
-boot-load-size 4 \
-boot-info-table \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot \
-isohybrid-gpt-basdat \
-o preseed-debian.iso \
isofiles/

Script it!

After doing that a couple of times when making changes, it got a little old. I figured why not create a bash script to handle most of it for me? You can check it out at my git repo.

Using the new ISO

Take the generated iso (preseed-debian.iso if you’re using the commands from above) and write it to a USB jump drive or upload it to Proxmox.

Boot the computer/VM from it and at the menu, select Advanced Options > Automated Install.

Wait a few seconds and it should start the installation process!

Final Thoughts

There is still a small amount of human interaction necessary to install, but it sure beats doing the whole thing manually!

We still have to:

  • Tell the installer to use automated install
  • Accept LVM
  • Enter password for encryption
    • Interrupt writing random data if you want
  • Select keyboard layout. (Not sure why because it’s set in the preseed file)my

Now I won’t be so hesitant to do things that may mess up my install since it’s much easier to re-install Debian. All I’ll have to do is run the preseeded iso then pull my dotfiles and stow them. Things can be back up and running in no time!

Links

2 thoughts on “Preseed Debian 9 – UEFI with Encrypted LVM

  1. pexaorj

    Hello,

    Thanks a lot for it 🙂

    I have some troubles with the partitioning, however now everything is working fine, maybe it will help you too.

    #### Contents of the preconfiguration file (for jessie)
    ### Localization
    # Preseeding only locale sets language, country and locale.
    d-i debian-installer/locale string en_US

    # The values can also be preseeded individually for greater flexibility.
    d-i debian-installer/language string en
    d-i debian-installer/country string BR
    d-i debian-installer/locale string en_US.UTF-8
    # Optionally specify additional locales to be generated.
    #d-i localechooser/supported-locales multiselect en_US.UTF-8, nl_NL.UTF-8

    # Keyboard selection.
    d-i keyboard-configuration/xkb-keymap select us
    # d-i keyboard-configuration/toggle select No toggling

    ### Network configuration
    # Disable network configuration entirely. This is useful for cdrom
    # installations on non-networked devices where the network questions,
    # warning and long timeouts are a nuisance.
    #d-i netcfg/enable boolean false

    # netcfg will choose an interface that has link if possible. This makes it
    # skip displaying a list if there is more than one interface.
    #d-i netcfg/choose_interface select auto
    # To pick a particular interface instead:
    d-i netcfg/choose_interface select eno1

    # To set a different link detection timeout (default is 3 seconds).
    # Values are interpreted as seconds.
    #d-i netcfg/link_wait_timeout string 10

    # If you have a slow dhcp server and the installer times out waiting for
    # it, this might be useful.
    #d-i netcfg/dhcp_timeout string 60
    #d-i netcfg/dhcpv6_timeout string 60

    # If you prefer to configure the network manually, uncomment this line and
    # the static network configuration below.
    d-i netcfg/disable_autoconfig boolean true

    # If you want the preconfiguration file to work on systems both with and
    # without a dhcp server, uncomment these lines and the static network
    # configuration below.
    #d-i netcfg/dhcp_failed note
    #d-i netcfg/dhcp_options select Configure network manually

    # Static network configuration.
    #
    # IPv4 example
    d-i netcfg/get_ipaddress string 172.18.2.13
    d-i netcfg/get_netmask string 255.255.255.0
    d-i netcfg/get_gateway string 172.18.2.1
    d-i netcfg/get_nameservers string 8.8.8.8 8.8.4.4
    d-i netcfg/confirm_static boolean true
    #
    # IPv6 example
    #d-i netcfg/get_ipaddress string fc00::2
    #d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
    #d-i netcfg/get_gateway string fc00::1
    #d-i netcfg/get_nameservers string fc00::1
    #d-i netcfg/confirm_static boolean true

    # Any hostname and domain names assigned from dhcp take precedence over
    # values set here. However, setting the values still prevents the questions
    # from being shown, even if values come from dhcp.
    d-i netcfg/get_hostname string master02
    d-i netcfg/get_domain string cluster.local

    # If you want to force a hostname, regardless of what either the DHCP
    # server returns or what the reverse DNS entry for the IP is, uncomment
    # and adjust the following line.
    #d-i netcfg/hostname string somehost

    # Disable that annoying WEP key dialog.
    d-i netcfg/wireless_wep string
    # The wacky dhcp hostname that some ISPs use as a password of sorts.
    #d-i netcfg/dhcp_hostname string radish

    # If non-free firmware is needed for the network or other hardware, you can
    # configure the installer to always try to load it, without prompting. Or
    # change to false to disable asking.
    #d-i hw-detect/load_firmware boolean true

    ### Network console
    # Use the following settings if you wish to make use of the network-console
    # component for remote installation over SSH. This only makes sense if you
    # intend to perform the remainder of the installation manually.
    #d-i anna/choose_modules string network-console
    #d-i network-console/authorized_keys_url string http://10.0.0.1/openssh-key
    #d-i network-console/password password r00tme
    #d-i network-console/password-again password r00tme

    ### Mirror settings
    # If you select ftp, the mirror/country string does not need to be set.
    #d-i mirror/protocol string ftp
    d-i mirror/country string manual
    d-i mirror/http/hostname string http.us.debian.org
    d-i mirror/http/directory string /debian
    d-i mirror/http/proxy string

    # Suite to install.
    #d-i mirror/suite string testing
    # Suite to use for loading installer components (optional).
    #d-i mirror/udeb/suite string testing

    ### Account setup
    # Skip creation of a root account (normal user account will be able to
    # use sudo).
    #d-i passwd/root-login boolean false
    # Alternatively, to skip creation of a normal user account.
    #d-i passwd/make-user boolean false

    # Root password, either in clear text
    d-i passwd/root-password password root
    d-i passwd/root-password-again password root
    # or encrypted using an MD5 hash.
    #d-i passwd/root-password-crypted password [MD5 hash]

    # To create a normal user account.
    d-i passwd/user-fullname string fpereira
    d-i passwd/username string fpereira
    # Normal user's password, either in clear text
    d-i passwd/user-password password pass
    d-i passwd/user-password-again password pass
    # or encrypted using an MD5 hash.
    #d-i passwd/user-password-crypted password [MD5 hash]
    # Create the first user with the specified UID instead of the default.
    #d-i passwd/user-uid string 1010

    # The user account will be added to some standard initial groups. To
    # override that, use this.
    #d-i passwd/user-default-groups string audio cdrom video

    ### Clock and time zone setup
    # Controls whether or not the hardware clock is set to UTC.
    d-i clock-setup/utc boolean true

    # You may set this to any valid setting for $TZ; see the contents of
    # /usr/share/zoneinfo/ for valid values.
    d-i time/zone string America/Sao_Paulo

    # Controls whether to use NTP to set the clock during the install
    d-i clock-setup/ntp boolean true
    # NTP server to use. The default is almost always fine here.
    d-i clock-setup/ntp-server string 0.debian.pool.ntp.org

    ### Partitioning
    ## Partitioning example
    # If the system has free space you can choose to only partition that space.
    # This is only honoured if partman-auto/method (below) is not set.
    #d-i partman-auto/init_automatically_partition select biggest_free

    # Alternatively, you may specify a disk to partition. If the system has only
    # one disk the installer will default to using that, but otherwise the device
    # name must be given in traditional, non-devfs format (so e.g. /dev/sda
    # and not e.g. /dev/discs/disc0/disc).
    # For example, to use the first SCSI/SATA hard disk:
    d-i partman-auto/disk string /dev/sda
    # In addition, you'll need to specify the method to use.
    # The presently available methods are:
    # - regular: use the usual partition types for your architecture
    # - lvm: use LVM to partition the disk
    # - crypto: use LVM within an encrypted partition
    d-i partman-auto/method string lvm

    # If one of the disks that are going to be automatically partitioned
    # contains an old LVM configuration, the user will normally receive a
    # warning. This can be preseeded away...
    d-i partman-lvm/device_remove_lvm boolean true
    # The same applies to pre-existing software RAID array:
    d-i partman-md/device_remove_md boolean true
    # And the same goes for the confirmation to write the lvm partitions.
    d-i partman-lvm/confirm boolean true
    d-i partman-lvm/confirm_nooverwrite boolean true

    # You can choose one of the three predefined partitioning recipes:
    # - atomic: all files in one partition
    # - home: separate /home partition
    # - multi: separate /home, /var, and /tmp partitions
    #d-i partman-auto/choose_recipe select multi

    # Or provide a recipe of your own...
    # If you have a way to get a recipe file into the d-i environment, you can
    # just point at it.
    #d-i partman-auto/expert_recipe_file string /hd-media/recipe

    # If not, you can put an entire recipe into the preconfiguration file in one
    # (logical) line. This example creates a small /boot partition, suitable
    # swap, and uses the rest of the space for the root partition:

    # The full recipe format is documented in the file partman-auto-recipe.txt
    # included in the 'debian-installer' package or available from D-I source
    # repository. This also documents how to specify settings such as file
    # system labels, volume group names and which physical devices to include
    # in a volume group.

    # This makes partman automatically partition without confirmation, provided
    # that you told it what to do using one of the methods above.
    ## Partitioning using RAID
    # The method should be set to "raid".
    #d-i partman-auto/method string raid
    # Specify the disks to be partitioned. They will all get the same layout,
    # so this will only work if the disks are the same size.
    #d-i partman-auto/disk string /dev/sda /dev/sdb

    # Next you need to specify the physical partitions that will be used.
    d-i partman-auto/expert_recipe string \
    boot-crypto :: \
    538 538 1075 free \
    $primary \
    $iflabel{ gpt } \
    $reusemethod{ } \
    method{ efi } format{ } \
    . \
    256 512 256 ext2 \
    $primary \
    $defaultignore{ } \
    method{ format } format{ } \
    use_filesystem{ } filesystem{ ext2 } \
    label{ boot } \
    mountpoint{ /boot } \
    . \
    30000 30000 30000 ext4 \
    $lvmok{ } \
    lv_name{ root } \
    in_vg { debian } \
    method{ format } format{ } \
    use_filesystem{ } filesystem{ ext4 } \
    label{ root } \
    mountpoint{ / } \
    . \
    300000 300000 300000 ext4 \
    $lvmok{ } \
    lv_name{ docker } \
    in_vg { debian } \
    method{ format } format{ } \
    use_filesystem{ } filesystem{ ext4 } \
    label{ docker } \
    mountpoint{ /docker } \
    . \
    32000 32000 300% linux-swap \
    $lvmok{ } \
    lv_name{ swap } \
    in_vg { debian } \
    method{ swap } format{ } \
    . \
    300000 300000 300000 ext4 \
    $lvmok{ } \
    lv_name{ var-log } \
    in_vg { debian } \
    method{ format } format{ } \
    use_filesystem{ } filesystem{ ext4 } \
    label{ var-log } \
    mountpoint{ /var/log } \
    . \
    # This makes partman automatically partition without confirmation.
    d-i partman-md/confirm boolean true
    d-i partman-partitioning/confirm_write_new_label boolean true
    d-i partman/choose_partition select finish
    d-i partman/confirm boolean true
    d-i partman/confirm_nooverwrite boolean true

    ## Controlling how partitions are mounted
    # The default is to mount by UUID, but you can also choose "traditional" to
    # use traditional device names, or "label" to try filesystem labels before
    # falling back to UUIDs.
    #d-i partman/mount_style select uuid

    ### Base system installation
    # Configure APT to not install recommended packages by default. Use of this
    # option can result in an incomplete system and should only be used by very
    # experienced users.
    #d-i base-installer/install-recommends boolean false

    # The kernel image (meta) package to be installed; "none" can be used if no
    # kernel is to be installed.
    #d-i base-installer/kernel/image string linux-image-586

    ### Apt setup
    # You can choose to install non-free and contrib software.
    d-i apt-setup/non-free boolean true
    d-i apt-setup/contrib boolean true
    # Uncomment this if you don't want to use a network mirror.
    #d-i apt-setup/use_mirror boolean false
    # Select which update services to use; define the mirrors to be used.
    # Values shown below are the normal defaults.
    d-i apt-setup/services-select multiselect security, updates
    d-i apt-setup/security_host string security.debian.org

    # Additional repositories, local[0-9] available
    #d-i apt-setup/local0/repository string \
    # http://local.server/debian stable main
    #d-i apt-setup/local0/comment string local server
    # Enable deb-src lines
    #d-i apt-setup/local0/source boolean true
    # URL to the public key of the local repository; you must provide a key or
    # apt will complain about the unauthenticated repository and so the
    # sources.list line will be left commented out
    #d-i apt-setup/local0/key string http://local.server/key

    # By default the installer requires that repositories be authenticated
    # using a known gpg key. This setting can be used to disable that
    # authentication. Warning: Insecure, not recommended.
    #d-i debian-installer/allow_unauthenticated boolean true

    # Uncomment this to add multiarch configuration for i386
    #d-i apt-setup/multiarch string i386

    ### Package selection
    tasksel tasksel/first multiselect standard

    # Individual additional packages to install
    d-i pkgsel/include string openssh-server build-essential
    # Whether to upgrade packages after debootstrap.
    # Allowed values: none, safe-upgrade, full-upgrade
    d-i pkgsel/upgrade select safe-upgrade

    # Some versions of the installer can report back on what software you have
    # installed, and what software you use. The default is not to report back,
    # but sending reports helps the project determine what software is most
    # popular and include it on CDs.
    popularity-contest popularity-contest/participate boolean false

    ### Boot loader installation
    # Grub is the default boot loader (for x86). If you want lilo installed
    # instead, uncomment this:
    #d-i grub-installer/skip boolean true
    # To also skip installing lilo, and install no bootloader, uncomment this
    # too:
    #d-i lilo-installer/skip boolean true

    # This is fairly safe to set, it makes grub install automatically to the MBR
    # if no other operating system is detected on the machine.
    d-i grub-installer/only_debian boolean true

    # This one makes grub-installer install to the MBR if it also finds some other
    # OS, which is less safe as it might not be able to boot that other OS.
    d-i grub-installer/with_other_os boolean true

    # Due notably to potential USB sticks, the location of the MBR can not be
    # determined safely in general, so this needs to be specified:
    #d-i grub-installer/bootdev string /dev/sda
    # To install to the first device (assuming it is not a USB stick):
    #d-i grub-installer/bootdev string default

    # Alternatively, if you want to install to a location other than the mbr,
    # uncomment and edit these lines:
    #d-i grub-installer/only_debian boolean false
    #d-i grub-installer/with_other_os boolean false
    #d-i grub-installer/bootdev string (hd0,1)
    # To install grub to multiple disks:
    #d-i grub-installer/bootdev string (hd0,1) (hd1,1) (hd2,1)

    # Optional password for grub, either in clear text
    #d-i grub-installer/password password r00tme
    #d-i grub-installer/password-again password r00tme
    # or encrypted using an MD5 hash, see grub-md5-crypt(8).
    #d-i grub-installer/password-crypted password [MD5 hash]

    # Use the following option to add additional boot parameters for the
    # installed system (if supported by the bootloader installer).
    # Note: options passed to the installer will be added automatically.
    #d-i debian-installer/add-kernel-opts string nousb

    ### Finishing up the installation
    # During installations from serial console, the regular virtual consoles
    # (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
    # line to prevent this.
    #d-i finish-install/keep-consoles boolean true

    # Avoid that last message about the install being complete.
    d-i finish-install/reboot_in_progress note

    # This will prevent the installer from ejecting the CD during the reboot,
    # which is useful in some situations.
    #d-i cdrom-detect/eject boolean false

    # This is how to make the installer shutdown when finished, but not
    # reboot into the installed system.
    #d-i debian-installer/exit/halt boolean true
    # This will power off the machine instead of just halting it.
    #d-i debian-installer/exit/poweroff boolean true

    ### Preseeding other packages
    # Depending on what software you choose to install, or if things go wrong
    # during the installation process, it's possible that other questions may
    # be asked. You can preseed those too, of course. To get a list of every
    # possible question that could be asked during an install, do an
    # installation, and then run these commands:
    # debconf-get-selections --installer > file
    # debconf-get-selections >> file

    #### Advanced options
    ### Running custom commands during the installation
    # d-i preseeding is inherently not secure. Nothing in the installer checks
    # for attempts at buffer overflows or other exploits of the values of a
    # preconfiguration file like this one. Only use preconfiguration files from
    # trusted locations! To drive that home, and because it's generally useful,
    # here's a way to run any shell command you'd like inside the installer,
    # automatically.

    # This first command is run as early as possible, just after
    # preseeding is read.
    #d-i preseed/early_command string anna-install some-udeb
    # This command is run immediately before the partitioner starts. It may be
    # useful to apply dynamic partitioner preseeding that depends on the state
    # of the disks (which may not be visible when preseed/early_command runs).
    #d-i partman/early_command \
    # string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
    # This command is run just before the install finishes, but when there is
    # still a usable /target directory. You can chroot to /target and use it
    # directly, or use the apt-install and in-target commands to easily install
    # packages and run commands in the target system.
    #d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh

    Reply
    1. Chuck Post author

      Hey pexaorj, thanks for the comment!

      I see the differences in our partitioning recipes. Although you seem to have copied the example from Debian Jesse (first line)?

      I’ll fire up a couple VMs and run some tests.

      You’ve reminded me that this guide has been in need of some attention for some time now.

      I’ll do my best to update it soon!

      Thanks again 😀

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.