How to Set Up Debian 12 Bookworm with Full Disk Encryption
Introduction
Securing your data is crucial, especially if you use your system for sensitive tasks. Encrypting your disk ensures that your data remains inaccessible to unauthorized users, even if they gain physical access to your device. Debian 12 Bookworm provides built-in support for full disk encryption during installation, using LUKS (Linux Unified Key Setup). This guide walks you through setting up Debian 12 with full disk encryption from scratch.
Prerequisites
Before proceeding, ensure you have:
- A bootable USB with Debian 12 Bookworm ISO.
- A backup of all important data (if installing on an existing system).
- A stable internet connection (optional but recommended for package updates).
Step 1: Boot from Debian 12 Installation Media
- Insert your Debian 12 bootable USB and restart your computer.
- Enter the BIOS/UEFI settings and set the USB drive as the primary boot device.
- Save the changes and boot into the Debian installer.
- Choose either the graphical or text-based installer.
Step 2: Choose Installation Type
- Select your preferred language, location, and keyboard layout.
- Configure the network settings as prompted.
- Set up a hostname and domain name for your system.
- Create a root password and set up a regular user account.
Step 3: Partition the Disk with Encryption
This is the critical step where we configure full disk encryption.
1. Choose Manual Partitioning
When the installer reaches the disk partitioning stage:
- Select “Manual Partitioning” to gain full control over disk setup.
2. Create Partitions
You’ll need to create the following partitions:
Boot Partition
Since the bootloader has to load the kernel and initramfs before the encrypted volume is unlocked, we need an unencrypted /boot partition:
- Select the free space and create a new primary partition (1GB recommended).
- Set the mount point as /boot.
- Choose ext4 as the filesystem.
- Set the partition as “Primary.”
Encrypted Partition
- Select the remaining free space and create a new partition.
- Choose “Use as” → “physical volume for encryption.”
- Select “Encrypt the partition using LUKS”.
- Enter a strong encryption passphrase.
- After encryption setup, select “Use as: physical volume for LVM”.
3. Configure LVM Inside the Encrypted Partition
- Select the encrypted volume and choose “Create Volume Group” (name it, e.g., vg_debian).
- Create logical volumes:
  - Root (/) – 20-50GB (ext4).
  - Swap – 2x your RAM size if hibernation is needed, otherwise equal to RAM size.
  - Home (/home) – Remaining space (ext4).
Step 4: Finalizing the Installation
- Review your partitions and confirm the changes.
- Install the base system and wait for the process to complete.
- Choose GRUB as the bootloader and install it to the primary disk (e.g., /dev/sda).
- Finish the installation and reboot.
Step 5: Unlock the Encrypted Disk on Boot
Upon reboot, you will be prompted to enter your encryption passphrase. After successful authentication, the system will boot normally.
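Once the system is up, it is worth confirming that everything except /boot really sits behind LUKS. The script below is an added example, not part of the original guide: it walks the device tree reported by lsblk and prints any mount point or swap area with no crypt device beneath it. Both listings in it are constructed samples; on the installed system, pipe lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT into unencrypted_mounts instead.

```shell
#!/bin/sh
# Added example: list mounted filesystems and swap NOT backed by a LUKS mapping.
# Input on stdin: output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.
# Assumptions: each device has a single parent (true for the one-disk layout
# above); /boot and /boot/efi are skipped because the bootloader must read them.
unencrypted_mounts() {
    awk -F'"' '
        { parent[$2] = $4; kind[$2] = $6; mnt[$2] = $8; order[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                dev = order[i]
                if (mnt[dev] == "" || mnt[dev] == "/boot" || mnt[dev] == "/boot/efi")
                    continue
                encrypted = 0
                # Walk up the tree: logical volume -> crypt mapping -> partition -> disk.
                for (d = dev; d != ""; d = parent[d])
                    if (kind[d] == "crypt") { encrypted = 1; break }
                if (!encrypted) print mnt[dev]
            }
        }'
}

# Constructed sample: the layout this guide produces.
sample_guide_layout() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}

# Constructed sample: swap left on a plain partition beside the LUKS volume.
sample_plain_swap() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}
echo "guide layout, outside LUKS: $(sample_guide_layout | unencrypted_mounts)"
echo "plain swap, outside LUKS:   $(sample_plain_swap | unencrypted_mounts)"
```

An empty result means every mounted filesystem and swap area other than /boot is inside the encrypted volume.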
Step 6: Post-Installation Steps
1. Update Your System
After logging in, update your system:
sudo apt update && sudo apt upgrade -y
2. Install Additional Security Packages
Consider installing security tools like:
sudo apt install fail2ban ufw
3. Enable Automatic Security Updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
4. Enable the Firewall
Allow SSH first so that enabling the firewall does not lock out a remote session:
sudo ufw allow ssh
sudo ufw enable
Conclusion
Setting up Debian 12 Bookworm with full disk encryption ensures that your data remains secure from unauthorized access. By following these steps, you’ve created an encrypted system that balances security and usability. Stay vigilant by keeping your system updated and following best security practices.