How to Enable Disk Encryption During Debian 12 "Bookworm" Installation

Learn how to enable disk encryption during the installation process of Debian 12 “Bookworm”.

Disk encryption is essential for securing sensitive data against unauthorized access. Debian 12 “Bookworm” supports full disk encryption using LUKS (Linux Unified Key Setup) combined with LVM (Logical Volume Manager). This guide explains how to enable disk encryption during the installation process.

Prerequisites

Before starting, ensure you have:

  • A compatible system (BIOS or UEFI supported)
  • A bootable Debian 12 “Bookworm” installation media
  • A backup of any important data (the process will erase all data on the disk)

Step 1: Boot into the Debian Installer

  1. Insert the Debian installation media (USB/DVD) and boot your system from it.
  2. From the boot menu, select “Advanced Options” → “Expert Install” (this provides more control over partitioning).
  3. Choose your preferred language, location, and keyboard layout.

Step 2: Manual Partitioning

  1. Select “Manual” partitioning when prompted.

  2. Choose the target disk (e.g., /dev/sda) and create a new partition table (GPT recommended for UEFI systems).

  3. Create the following partitions:

    • EFI System Partition (ESP)

      • Size: 500 MB
      • Type: EFI System Partition
      • Mount point: /boot/efi
    • Boot Partition

      • Size: 500 MB
      • Type: Ext4 filesystem
      • Mount point: /boot
    • Encrypted Volume (LUKS encrypted partition for LVM)

      • Size: Remaining disk space
      • Type: Physical volume for encryption

Step 3: Configure LUKS Encryption

  1. Select the newly created encrypted volume.
  2. Choose “Configure encrypted volumes” → “Create encrypted volumes”.
  3. Select the partition designated for encryption.
  4. Choose encryption settings:
    • Encryption method: LUKS
    • Cipher: AES-XTS-Plain64
    • Key size: 256-bit
    • Passphrase: Enter a strong, memorable passphrase (store it safely).
  5. The system will now format and encrypt the partition.

Step 4: Set Up LVM on the Encrypted Volume

  1. After encryption is complete, set up LVM (Logical Volume Manager):
    • Create a Volume Group (VG) (e.g., vg_debian).
    • Within this VG, create Logical Volumes (LVs):
      • Root (/): Allocate at least 20 GB.
      • Swap: Allocate space equal to your RAM size (or adjust as needed).
      • Home (/home): Allocate the remaining space.

Step 5: Assign Mount Points and Filesystems

  1. Assign mount points and filesystems to the created partitions:
    • EFI System Partition: Mount at /boot/efi, format as EFI System Partition.
    • Boot Partition: Mount at /boot, format as Ext4.
    • Root (/) LV: Format as Ext4.
    • Home (/home) LV: Format as Ext4.
    • Swap LV: Use as swap area.

Step 6: Complete Installation

  1. Continue with the installation process.
  2. Set up user accounts and passwords.
  3. When prompted for the bootloader, install GRUB (ensure it is installed on the correct disk, e.g., /dev/sda).
  4. The installer will prompt you to enter your encryption passphrase before finalizing installation.

Step 7: First Boot and Unlocking the Encrypted Disk

  1. After installation, reboot the system.
  2. The boot process will prompt you for your LUKS passphrase.
  3. Enter the passphrase to decrypt the disk and boot into Debian.

Post-Installation Considerations

  • Automatic Unlocking: If you prefer auto-unlocking for certain use cases, consider using a TPM or a keyfile (use with caution: anything that unlocks the disk without a passphrase weakens the protection the passphrase provides).
  • Backup Encryption Headers: Back up the LUKS header (cryptsetup luksHeaderBackup) so the encrypted data can be recovered if the header is corrupted.
  • Security Updates: Keep your system updated to protect against vulnerabilities.
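The same layout as Steps 2 through 4, plus the header backup above, expressed as the equivalent cryptsetup and LVM commands (an added example, not part of the original guide; useful from a rescue shell or when scripting the layout). It assumes the device names /dev/sda with partitions /dev/sda1 to /dev/sda3 and a backup location at /media/backup, and it only prints the commands unless DRY_RUN=0 is set.

```shell
# Added example, not from the original guide: the command-line equivalent of
# Steps 2-4 plus the LUKS header backup. DRY_RUN=1 (default) only prints.
# Assumed device names (/dev/sda, /dev/sda3); NVMe disks use /dev/nvme0n1p3.
set -eu
DRY_RUN="${DRY_RUN:-1}"
# run CMD...: print the command and execute it only when DRY_RUN=0.
run() { echo "+ $*"; if [ "$DRY_RUN" = "0" ]; then "$@"; fi; }
# swap_size_mib: RAM size in MiB from /proc/meminfo (the guide's "space equal
# to your RAM size"); falls back to 2048 when /proc/meminfo is unreadable.
swap_size_mib() {
  kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || true)
  if [ -n "$kb" ]; then echo $((kb / 1024)); else echo 2048; fi
}
# partition DISK: GPT with a 500 MiB ESP, a 500 MiB /boot, the rest for LUKS.
partition() {
  run parted -s "$1" mklabel gpt
  run parted -s "$1" mkpart ESP fat32 1MiB 501MiB
  run parted -s "$1" set 1 esp on
  run parted -s "$1" mkpart boot ext4 501MiB 1001MiB
  run parted -s "$1" mkpart crypt 1001MiB 100%
}
# encrypt PART: the guide's cipher. cryptsetup's --key-size counts both XTS
# halves, so 512 gives AES-256 (256 would give AES-128-XTS).
encrypt() {
  run cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$1"
  run cryptsetup open "$1" cryptroot
}
# lvm_setup: VG vg_debian with root (20G), RAM-sized swap and home (the rest).
lvm_setup() {
  run pvcreate /dev/mapper/cryptroot
  run vgcreate vg_debian /dev/mapper/cryptroot
  run lvcreate -L 20G -n root vg_debian
  run lvcreate -L "$(swap_size_mib)M" -n swap vg_debian
  run lvcreate -l 100%FREE -n home vg_debian
}
# header_backup PART FILE: the header holds the keyslots, so without it the data
# is unrecoverable. Keep the copy off the encrypted disk, readable only by root.
header_backup() {
  run cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
  run chmod 600 "$2"
  run cryptsetup luksDump "$2"   # confirm the copy is a readable LUKS header
}
main() {
  disk="${1:-/dev/sda}"
  partition "$disk"
  encrypt "${disk}3"
  lvm_setup
  header_backup "${disk}3" "${2:-/media/backup/cryptroot-header.img}"
}
main "$@"
```

Formatting the ESP, /boot, root and home (Step 5) is left to mkfs.fat, mkfs.ext4 and mkswap on the corresponding devices.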

Conclusion

Enabling full disk encryption during Debian 12 installation significantly enhances security by protecting your data from unauthorized access. Following this guide ensures a secure and efficient setup tailored to your needs.