
System encryption at rest#

Easy approach#

The easy approach is to encrypt the whole laptop at install time.

  • The Debian installer offers the option.
  • Encryption destroys any pre-existing data on the disk.
  • The running root partition cannot be encrypted in place.

Encryption per partition.#

Encrypt#

Unlock#

Re-Lock#

Blah, blah

BIOS/EFI Lock#

  • BIOS/EFI lock is a different concept.
  • Unencrypted BIOS/EFI allows destruction via alternative boot media. But if they gain physical access, they most likely can steal the laptop anyway.
  • Encrypting BIOS/EFI + Operating system is uncomfortable and overkill for most cases.
    • And it makes re-use of the hardware very difficult.
  • Encrypting your data prevents access effectively and might be enough.

Troubleshooting#

Grub Limitation (as of 2026): LUKS1 vs. LUKS2#

Note:

  • The Debian installer (as of the current Trixie/Forky era) defaults to LUKS2.
  • The standard GRUB bootloader has limited support for LUKS2 features (specifically the heavy PBKDF2/Argon2id memory requirements).

Problem scope: fully encrypted setups where /boot itself lives on the LUKS volume.

The fix: for GRUB to be able to unlock the /boot partition directly, either

  • a) downgrade the header to LUKS1, or
  • b) use specific cryptsetup flags during a manual installation to ensure compatibility.
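The following script is an added example and not part of the original page: it decides from the text that `cryptsetup luksDump` prints whether GRUB's cryptodisk can unlock a header (LUKS1, or LUKS2 whose keyslots all use PBKDF2; Argon2id keyslots, the cryptsetup default, are the unsupported case), and lists the remedies as comments. The three luksDump excerpts are constructed samples with made-up UUIDs; `/dev/sda5` is the device name the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether GRUB can unlock a
# LUKS header from the text that `cryptsetup luksDump` prints. GRUB's cryptodisk
# handles LUKS1, and LUKS2 only when every keyslot uses PBKDF2; the Argon2id
# keyslots that current cryptsetup creates by default are not supported.

# Constructed luksDump excerpts (salts omitted, UUID made up).
DUMP_LUKS1='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
'
DUMP_LUKS2_ARGON='LUKS header information
Version:        2
Epoch:          3
UUID:           6f1a2b3c-0000-4000-8000-000000000001

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'
DUMP_LUKS2_PBKDF2='LUKS header information
Version:        2
Epoch:          3
UUID:           6f1a2b3c-0000-4000-8000-000000000002

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Exit status 0 when the luksDump text on stdin describes a header GRUB can unlock.
luks_grub_compatible() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    case "$version" in
        1) return 0 ;;
        2) # count keyslots whose key derivation is anything other than pbkdf2
           others=$(printf '%s\n' "$dump" |
                    awk -F: '/^[ \t]*PBKDF:/ { gsub(/[ \t]/, "", $2); if ($2 != "pbkdf2") n++ } END { print n + 0 }')
           [ "$others" -eq 0 ] ;;
        *) echo "unrecognised luksDump output" >&2; return 2 ;;
    esac
}

# Human-readable verdict; on a real system: cryptsetup luksDump /dev/sda5 | grub_verdict
grub_verdict() {
    if luks_grub_compatible; then echo "GRUB can unlock this header"
    else echo "GRUB cannot unlock this header (LUKS2 with non-PBKDF2 keyslots)"; fi
}

printf '%s' "$DUMP_LUKS1"         | grub_verdict
printf '%s' "$DUMP_LUKS2_ARGON"   | grub_verdict
printf '%s' "$DUMP_LUKS2_PBKDF2"  | grub_verdict

# Remedies, run as root on the closed device (GRUB also needs
# GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub and a regenerated config):
#   a) cryptsetup convert --type luks1 /dev/sda5            # allowed only once every keyslot is pbkdf2
#   b) cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5   # re-derive an existing keyslot with pbkdf2
#      or, when formatting by hand: cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda5
```

The check is only about the keyslot PBKDF, which is the property the page's two fixes change; it does not inspect cipher or sector-size settings, which GRUB also constrains in some versions.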

Broken keyboard key needed for the passphrase.#

Approach: Add an alternative passphrase

```sh
grep luks /etc/crypttab          # Find the device name
su -                             # Become root
cryptsetup luksAddKey /dev/sda5  # Add an alternative passphrase
```

It first prompts for an existing passphrase; have it ready to paste, then enter the new one.

There are 8 passphrase slots, useful for separate root, admin and user passphrases.
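The procedure above, as an added example that is not the page's own code: the `grep luks /etc/crypttab` step becomes a function that resolves the crypttab entry to a device path, the keyslots already in use are counted from `cryptsetup luksDump` output before and after, and only then is `luksAddKey` called. The crypttab line, its UUID and the luksDump excerpt are constructed samples; `sda5_crypt` and `/dev/sda5` follow the page.

```shell
#!/bin/sh
# Added example (not from the original page): find the LUKS device behind a
# /etc/crypttab entry, add a second passphrase to a free keyslot, and report
# how many keyslots are in use before and after.

# Constructed sample crypttab (the UUID is made up).
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=0c7d3d4e-1f0c-4c5e-9a2b-123456789abc none luks,discard
'

# Constructed excerpt of `cryptsetup luksDump` for a LUKS1 header with two
# passphrases set out of the eight available keyslots.
SAMPLE_DUMP_LUKS1='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
'

# Print the source device for the crypttab target named in $1, reading the
# crypttab text from stdin. UUID=/PARTUUID=/LABEL= sources are rewritten to
# the /dev/disk/by-* path that cryptsetup can open directly.
crypttab_device() {
    awk -v name="$1" '
        /^[ \t]*#/ { next }                    # comment lines
        NF == 0    { next }                    # blank lines
        $1 == name {
            src = $2
            if      (sub(/^UUID=/,     "", src)) src = "/dev/disk/by-uuid/" src
            else if (sub(/^PARTUUID=/, "", src)) src = "/dev/disk/by-partuuid/" src
            else if (sub(/^LABEL=/,    "", src)) src = "/dev/disk/by-label/" src
            print src
            exit
        }'
}

# Count keyslots holding a passphrase in luksDump text read from stdin.
# LUKS1 prints "Key Slot N: ENABLED/DISABLED"; LUKS2 lists "  N: luks2"
# entries under a "Keyslots:" heading.
luks_used_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }'
}

# Interactive part: must run as root; cryptsetup prompts for an existing
# passphrase and then for the new one.
add_backup_passphrase() {   # usage: add_backup_passphrase sda5_crypt
    dev=$(crypttab_device "$1" < /etc/crypttab)
    [ -n "$dev" ] || { echo "no crypttab entry named $1" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    echo "keyslots in use before: $(cryptsetup luksDump "$dev" | luks_used_slots)"
    cryptsetup luksAddKey "$dev" || return 1
    echo "keyslots in use after:  $(cryptsetup luksDump "$dev" | luks_used_slots)"
}

# Offline demonstration on the constructed samples:
printf '%s' "$SAMPLE_CRYPTTAB" | crypttab_device sda5_crypt
printf '%s' "$SAMPLE_DUMP_LUKS1" | luks_used_slots       # 2

if [ "$#" -gt 0 ]; then add_backup_passphrase "$1"; fi
```

Counting slots before and after is the cheap way to confirm the new passphrase actually landed in a free slot rather than failing silently behind a typo in the device name.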

Nerdy tech background#

| Component | Name | Role |
|---|---|---|
| User tool | cryptsetup | The user CLI tool to format/open disk partitions. |
| On-disk standard | LUKS | The format of the encryption header (stores keys/metadata). |
| Kernel backend | dm-crypt | The actual engine in the Linux kernel that encrypts data. |
| Installer module | partman-crypto | The module used by the Debian installer. |

What the installer module does:

  1. LUKS formatting: it uses cryptsetup to initialize a LUKS header on the partition. This header contains the encryption metadata and the "slots" for your passphrases.
  2. Mapping: it "opens" the encrypted partition, creating a virtual device under /dev/mapper/ (usually named something like sda5_crypt).
  3. LVM layering: typically, it then places an LVM (Logical Volume Manager) Physical Volume inside that mapped device so it can split the encrypted space into root, swap, and home volumes.

Files aren't actually encrypted with the passphrase; they are encrypted with a Master Key. All passphrases simply "unlock" that Master Key.

The header can be backed up: sudo cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file my_header.bak.
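The header backup command above, as an added example that is not the page's own code: the backup is written with root-only permissions and then checked to be a parsable LUKS header. Because the backup contains the keyslots, anyone who holds it together with a passphrase that was valid when it was taken can unlock the volume, even after that passphrase has been removed from the live header, so it deserves the same protection as the passphrase itself. `/dev/sda5` is the page's device; the output path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): copy a LUKS header to a file
# that only root can read and confirm the copy is a parsable LUKS header.
# The output path below is an assumption; /dev/sda5 is the device the page uses.

# Return 0 when the file grants no permissions to group or others,
# i.e. the "group" and "other" columns of `ls -l` are all dashes.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: backup_luks_header /dev/sda5 /root/sda5-header.bak
backup_luks_header() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ ! -e "$2" ] || { echo "$2 exists, refusing to overwrite" >&2; return 1; }
    # Subshell so the restrictive umask (new files get mode 0600) does not leak.
    ( umask 077 && cryptsetup luksHeaderBackup "$1" --header-backup-file "$2" ) || return 1
    file_is_private "$2" || { echo "$2 is readable by other users" >&2; return 1; }
    # The backup is itself a complete LUKS header, so luksDump can read it.
    cryptsetup luksDump "$2" > /dev/null || { echo "$2 is not a valid header" >&2; return 1; }
    echo "header of $1 saved to $2"
}

if [ "$#" -eq 2 ]; then backup_luks_header "$1" "$2"; fi
```

Keep the backup off the encrypted disk it belongs to (otherwise it is unreachable exactly when it is needed), and take a fresh one after any passphrase change, since an older copy still honours the passphrases that were valid at the time.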