Setup Cop-Proof Encrypted Debian
by Mizu - March 28, 2020 at 07:39 AM
#1
I never shared a tutorial like this one because it took so much time to take screenshots. So the aim of this topic is to set up a fully efficient Debian with the Gnome Desktop Environment on encrypted partitions, to be cop-proof.

If you follow this tutorial, and keep in mind that you must shut down your computer if you are not in the same place, you can be absolutely calm. I recommend keeping quiet while in police custody and waiting for the legal limit of detention.

In some countries, like the USA, it is possible that the cops replace your Grub with a compromised version, so when you get out, I advise you to format your machine without discussion. Or verify the sum of the files in the /boot partition if you really want to access your data.

I strongly recommend fully erasing the partitions beforehand.

I have used Debian 9 Gnome in this tutorial. Now you can use, in the same way, Debian 10 Gnome : https://cdimage.debian.org/debian-cd/cur...-gnome.iso

If you use another environment, it's not a problem, but all future tutorials will be done on Debian with Gnome. You can use netinstall with Debian 11, but I will not use it here because it's a tutorial for newbies.

To create a bootable USB of Debian Linux on Windows, Linux or Mac, I recommend : https://www.balena.io/etcher/
You must use at least a 4Go USB Drive to create a bootable device of Debian. The process is simple: you just need to select the ISO of Debian and verify that it's the correct USB, then you just need to launch the process.

To boot on the USB Drive, try to go into the BIOS and verify that Legacy Mode is activated. I strongly recommend to NOT use EFI mode and to avoid dual boot as much as possible ! You can find many tutorials on the Internet to initialize the sequence to start on the USB Drive.

Now we can really start the installation. I will do it in VirtualBox because I already have Debian on all my computers ;)

Because of the forum's limit concerning images, I need to divide the tutorial into parts.

PART I:

1) Boot on the USB Drive and select Graphical Debian Installer :

[Image: 001.png]

2) Choose your language and country :

[Image: 002.png]

3) Choose the correct keyboard :

[Image: 003.png]

4) You can change it but I will make a tutorial to randomize it for better security :

[Image: 004.png]

5) Leave Domain name blank :

[Image: 005.png]

6) Setup a strong password :

[Image: 006.png]

7) Put your username here or anything else :

[Image: 007.png]

8) Leave it like that ( note : use only lowercase letters ! ) :

[Image: 008.png]

PART II:

9) Setup a strong password :

[Image: 009.png]

10) If you are an absolute beginner, you can select Guided - use entire disk and set up encrypted LVM ( if you select this mode, go directly to point 41 ) but I recommend Manual :

[Image: 010.png]

11) You must have something like that. If not, you have not shredded the disks and you need to do it ( return to the preface ) or you just need to click on the drive and accept to "format" it. You must then select the free space :

[Image: 011.png]

12) Select Create a new partition :

[Image: 012.png]

13) 1GB is really enough :

[Image: 013.png]

14) Select Primary :

[Image: 014.png]

15) Select Beginning :

[Image: 015.png]

16) Choose Ext2 file system and the mount point /boot :

[Image: 016.png]

PART III:

17) Once the boot partition is created, click on the other line :

[Image: 017.png]

18) Select Create a new partition :

[Image: 018.png]

19) Keep the default, i.e. all the rest :

[Image: 019.png]

20) Select Logical :

[Image: 020.png]

21) Select do not use and select Done setting up the partition :

[Image: 021.png]

22) Click on Configure encrypted volumes :

[Image: 022.png]

23) Select yes and submit :

[Image: 023.png]

24) Select Create encrypted volumes :

[Image: 024.png]

PART IV:

25) Select the biggest partition, in general it is /dev/sda5 and there is no partition type in the parentheses :

[Image: 025.png]

26) Just modify 2 things: for IV algorithm, use cbc-essiv:sha256 and for erase data, select no. After that, you just need to select Done setting up the partition :

[Image: 026.png]

27) Select Finish :

[Image: 027.png]

28) Use a very strong password. If you are worried about security, do not write it anywhere ; it's the most important ! So :

[Image: 028.png]

29) Select Configure the Logical Volume Manager :

[Image: 029.png]

30) Select yes and submit :

[Image: 030.png]

31) Select Create volume group :

[Image: 031.png]

32) Use any name, but alphanumeric ( a-z A-Z 0-9 ) only :

[Image: 032.png]

PART V:

33) Select the line with crypt word and normally with the ext4 also :

[Image: 033.png]

34) Select Create Logical volume. In this part we will create the partitions. To begin, I recommend creating only 2 partitions : Home and Root. The size depends on the size of your hard drive. For example, if you have 250Go in total, I recommend 50Go for Root and 200Go for Home. Home holds all your personal data, so it's better to have a large Home partition. Know that with LVM, you can change the size of your partitions afterwards, so do not worry too much.
I will show the creation for Root; it is the same for Home. Very simple, so no need to show it all :

[Image: 034.png]

35) Type Root and choose the size of the disk after :

[Image: 035.png]

36) Once you have created both Home and Root, you can select Finish :

[Image: 036.png]

37) Normally, you have something like that. Now we must configure the 2 new partitions. You see a line with LV Home and just after this is the partition for Home ; the same with LV Root and the line after for the partition. So select the line for Home :

[Image: 037.png]

38) Select use as ext4 journaling file system and mount point /home :

[Image: 038.png]

39) Once finished for home partition, do the same for Root partition ( select ext4 journaling file system and mount point / ). Once both finished, you have approximately that :

[Image: 039.png]

40) Select no at this screen : ( No need to use Swap if you have more than 4Go of RAM and if not, Swap is for very old computers for me )

[Image: 040.png]

PART VI:

41) Select yes to validate the partitioning :

[Image: 041.png]

42) Select yes for a mirror :

[Image: 042.png]

43) Choose your country, I recommend to use deb.debian.org ; if you do not see it, choose Switzerland like me :

[Image: 043.png]

44) Leave blank :

[Image: 044.png]

45) Select yes to install Grub :

[Image: 045.png]

46) Normally you have only one line possible after the manual one, so select it. In most cases, select the second line :

[Image: 046.png]

47) Wait for the end of installation :

[Image: 047.png]

48) The computer asks for the password to decrypt disks :

[Image: 048.png]

Enjoy your Encrypted Debian Gnome !

Note: Because of BIOS construction, it's not possible in 99,99% of cases to encrypt the /boot partition so if cops take your computer, the best way for them to catch you is to infect your /boot partition.

I took time to share such a big tutorial, so do not leech, like the post !
Reply
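The first post advises verifying the sums of the files in /boot, which stays unencrypted in this layout. One way to do that check, as an added example that is not part of the original post (the function names and the manifest file are assumptions; the demo runs on a constructed directory tree, not a real /boot):

```shell
#!/bin/sh
# Added example: detect changes to an unencrypted /boot with a hash manifest.
# Assumptions: the manifest is kept where it cannot be rewritten by someone
# with access to the disk (inside the encrypted volume or on media you carry),
# and the check is run from trusted live media.

# boot_manifest DIR: print "sha256  ./path" for every regular file, sorted by path.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# boot_verify DIR MANIFEST: return 0 if DIR still matches MANIFEST, 1 if any
# file was changed, added or removed (differences are printed), 2 on error.
boot_verify() {
    current=$(mktemp) || return 2
    boot_manifest "$1" > "$current" || { rm -f "$current"; return 2; }
    if cmp -s "$2" "$current"; then
        rm -f "$current"
        echo "OK: $1 matches $2"
        return 0
    fi
    # diff marks manifest-only lines with '<' and current-only lines with '>'.
    diff "$2" "$current" | sed -n -e 's/^< /expected: /p' -e 's/^> /found:    /p'
    rm -f "$current"
    return 1
}

# Demo on a constructed tree: returns 0 if the modification is detected.
boot_check_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/boot/grub"
    echo "constructed kernel image" > "$tmp/boot/vmlinuz"
    echo "constructed grub config"  > "$tmp/boot/grub/grub.cfg"
    boot_manifest "$tmp/boot" > "$tmp/boot.sha256"
    boot_verify "$tmp/boot" "$tmp/boot.sha256"              # prints OK
    echo "unexpected line" >> "$tmp/boot/grub/grub.cfg"     # simulated change
    boot_verify "$tmp/boot" "$tmp/boot.sha256"; rc=$?       # prints expected/found
    rm -rf "$tmp"
    [ "$rc" -eq 1 ]
}

if [ "${1:-}" = "demo" ]; then boot_check_demo; fi
```

This covers only the files under /boot; Grub's boot code in the MBR and the machine's firmware, both raised later in the thread, are outside what it checks.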
#2
You can use Debian defaults and it will generate equally good encryption.
All your steps you made just to make a new name for the VG are not necessary.

Also:

[Image: security.png]
#3
(March 28, 2020 at 10:30 AM)ambins Wrote: You can use Debian defaults and it will generate equally good encryption.
All your steps you made just to make a new name for the VG are not necessary.

The default encryption is not cbc with sha256 hash also ;)
I gave the example with /home and / only because it's for newbies but I use custom partitions so this method is good for all, not just for the default configuration. Better to proceed manually when you need to customize a bit, or totally :P

(March 28, 2020 at 10:30 AM)ambins Wrote: [Image: security.png]

True maybe if you have problems with governments but not for crime like pedophilia, papers-selling and more like that ^^

#4
That's the basis. I prefer RAID volume personally.

Grub(2) is a fuckin' security joke) Syslinux is better.

To escape possible Evil Maid attacks I suggest you install the /boot partition on removable media.
There are still other attack vectors possible, like firmware flashing or hardware attacks.

Otherwise it's a good tutorial.
#5
(March 29, 2020 at 03:36 PM)zyx Wrote: That's the basis. I prefer RAID volume personally.

Grub(2) is a fuckin' security joke) Syslinux is better.

To escape possible Evil Maid attacks I suggest you install the /boot partition on removable media.
There are still other attack vectors possible, like firmware flashing or hardware attacks.

Otherwise it's a good tutorial.

RAID is for servers only, for me.
Grub2 is not so bad but there are some tricks to really increase security like passwords and changing the hash algorithm.

/boot partition in removable media is also easy to corrupt. My actual solution is to use Libreboot, a security oriented fork of Coreboot.
To limit hardware attacks, you can use open hardware like the excellent NXP.

It's just a way to begin, quickly, in the fantastic world of Linux.
#6
(March 29, 2020 at 08:30 PM)Mizu Wrote:
(March 29, 2020 at 03:36 PM)zyx Wrote: That's the basis. I prefer RAID volume personally.

Grub(2) is a fuckin' security joke) Syslinux is better.

To escape possible Evil Maid attacks I suggest you install the /boot partition on removable media.
There are still other attack vectors possible, like firmware flashing or hardware attacks.

Otherwise it's a good tutorial.

RAID is for servers only, for me.
Grub2 is not so bad but there are some tricks to really increase security like passwords and changing the hash algorithm.

/boot partition in removable media is also easy to corrupt. My actual solution is to use Libreboot, a security oriented fork of Coreboot.
To limit hardware attacks, you can use open hardware like the excellent NXP.

This kind of configuration is mainly to protect oneself from thieves.

It is clear that an entity with technical, material and financial resources will be able to bypass solutions like bios, bootloader... The only thing that remains will be the encryption (and even that becomes less and less safe, I think notably of the attacks by channels).

We always end up with the same conclusion, once we have a physical access to the machine, no more security exists.

Security on paper is just a business, security in reality is just an illusion.

(March 29, 2020 at 08:30 PM)Mizu Wrote: It's just a way to begin, fastly, in the fantastic world of Linux.

I've wasted years in this nightmarish world. Good thing UNIX set me straight xD
#7
zyx Wrote: This kind of configuration is mainly to protect oneself from thieves.

It is clear that an entity with technical, material and financial resources will be able to bypass solutions like bios, bootloader... The only thing that remains will be the encryption (and even that becomes less and less safe, I think notably of the attacks by channels).

We always end up with the same conclusion, once we have a physical access to the machine, no more security exists.

Physical access to a computer that is on, I agree, but I disagree for a computer that is off.


zyx Wrote:Security on paper is just a business, security in reality is just an illusion.

Absolutely agree !
#8
"True maybe if you have problems with governments but not for crime like pedophilia, papers-selling and more like that ^^"

Kinda revealed yourself there. Shame as it was a nice post. Anyway, if cops are going to beat anyone, pedos are top of that list.
#9
(March 29, 2020 at 03:36 PM)zyx Wrote: That's the basis. I prefer RAID volume personally.

Grub(2) is a fuckin' security joke) Syslinux is better.

To escape possible Evil Maid attacks I suggest you install the /boot partition on removable media.
There are still other attack vectors possible, like firmware flashing or hardware attacks.

Otherwise it's a good tutorial.

boot on removable media good advice
let carry with on hand
#10
Great post, but why not use Tails if you are worried about being "found"
#11
(March 31, 2020 at 12:52 AM)EPP Wrote: "True maybe if you have problems with governments but not for crime like pedophilia, papers-selling and more like that ^^"

Kinda revealed yourself there. Shame as it was a nice post. Anyway, if cops are going to beat anyone, pedos are top of that list.

That's why an encrypted Debian is great.
You can also use Qubes + Whonix but better to know, before, how to use Debian as it's the dom0 in qubes.

(March 31, 2020 at 05:09 PM)li777 Wrote:
(March 29, 2020 at 03:36 PM)zyx Wrote: That's the basis. I prefer RAID volume personally.

Grub(2) is a fuckin' security joke) Syslinux is better.

To escape possible Evil Maid attacks I suggest you install the /boot partition on removable media.
There are still other attack vectors possible, like firmware flashing or hardware attacks.

Otherwise it's a good tutorial.

boot on removable media good advice
let carry with on hand

For me, it's worse because you increase the problem to 2 supports.
More, you can't encrypt.

(March 31, 2020 at 05:24 PM)VoIP Wrote: Great post, but why not use Tails if you are worried about being "found"

0 customization.
Not built for daily use.
Really dislike repo.
#12
Sorry to burst your bubble, but if cops actually need to decrypt your data, they will kindly ask you. If you refuse to assist them, you will automatically be guilty for all charges against you. Therefore, don't think that encryption will let you f**k with cops, but feel free to use it to improve your privacy :)