Wednesday, April 13, 2022

Moving To A New Machine In Debian Linux With Encryption

The back story (I promise it will be short):

When Bill told me that he was leaving his native South Florida for the Knoxville area, I had two thoughts: "Why?" and "I'll find a computer for you."

When asked about them, he immediately said that he wanted Linux instead of Windows, which truly surprised me.  Linux is about 3% of the home market; Windows is about 88%.  May as well have the best, right?

So I had an i3 machine that runs beautifully on Debian Linux, but at 4GB of memory, it is not suited to have Windows on it.

Also, this machine has to be encrypted since we don't know how bad the crime is up there in his new neighborhood.  If the machine gets stolen, no personal information will be found.  The entire computer is encrypted: boot sector (GRUB), the operating system, and his own home directory.

Finishing this showed me the need for me to migrate to a similar setup.  I had a faster machine than the one I was using that was idle, and if I could encrypt a machine for a friend, I could encrypt a machine for me.

Standard Internet Warranty Applies:  You do this at your own risk.  While I expect these instructions to be complete, that may be because I wrote them to my own level of expertise and it is possible I skipped over something.  Read them completely and if you do not understand them then find someone to help you.  Nobody at Ramblingmoose takes any responsibility for what you are about to do.  Linux is very user friendly but it is very choosy about who its friends are.

Good luck!


How I did it:

Download Debian Live.  Specifically, in this case, debian-live-11.2.0-amd64-xfce+nonfree.iso.

Since that version is obsolete but will be updated by the installer, THIS LINK points to (currently) version 11.3.0.  If you don't like XFCE, you can pick your own DE.

When the download was complete, I plugged in a memory stick of 4GB or more and wrote the file to it with dd as root:
    dd if=debian-live-11.2.0-amd64-xfce+nonfree.iso of=/dev/sdb conv=noerror,sync status=progress
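
Before running the dd command above, it is worth confirming that the image is intact and that the target really is the USB stick, because dd overwrites whatever /dev/sdb happens to be on your machine. The following is an added example, not part of the original post; the function names are illustrative, and it assumes the SHA256SUMS file from the same download directory as the ISO has been saved next to it.

```sh
#!/bin/sh
# Added example: pre-flight checks before writing the installer image with dd.
# Assumption: SHA256SUMS was downloaded from the same directory as the ISO.

# verify_iso ISO SUMS
# Succeeds only if SUMS has an entry for the ISO's file name and the hash matches.
verify_iso() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Lines look like "<hex digest>  <file name>" (a leading * marks binary mode).
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    if [ -z "$want" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$want" != "$have" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# is_removable_disk DEVICE [SYSFS_ROOT]
# Succeeds only if DEVICE is a whole disk (not a partition) that the kernel
# flags as removable. USB sticks normally report 1; internal drives report 0.
# SYSFS_ROOT defaults to /sys and exists as a parameter so the check can be tested.
is_removable_disk() {
    dev=$(basename "$1"); sys=${2:-/sys}
    flag="$sys/block/$dev/removable"
    [ -r "$flag" ] || return 2      # partitions and unknown names have no entry here
    [ "$(cat "$flag")" = "1" ]
}

# Usage (as root, with the stick plugged in):
#   verify_iso debian-live-11.2.0-amd64-xfce+nonfree.iso SHA256SUMS &&
#   is_removable_disk /dev/sdb &&
#   dd if=debian-live-11.2.0-amd64-xfce+nonfree.iso of=/dev/sdb conv=noerror,sync status=progress
```

If is_removable_disk fails for a device you know is the stick (some USB enclosures report 0), check the device's size and model with lsblk before going any further.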

I wanted Live, and I wanted non free.  Debian's goals of "libre" software are all well and good, but to use Wifi means you pretty much have to have proprietary "blobs" in your library.

That version will boot the new machine into a "live" version of the operating system that allowed me to step through the installer in a graphical environment.

Sure, the character-based installer works, but it confused me as to where I could find the encryption part.

Back up the old machine FIRST:

After that finishes, boot the new machine with that stick and, while waiting for that, begin to back up the old machine to an external drive that is large enough to hold the /home directory as well as a couple of specific files that will be saved to the /home directory FIRST.

1) Go into synaptic on the old machine and create a Manifest text file to be imported.
    File, Save Markings As, click the box at the bottom, "Save Full State", and write the file out.
2) Go into Firefox and any other browsers and save the bookmark links into a json file.
    Bookmarks, Manage Bookmarks, Import and Backup, Backup, and create your file.

Copy the entire /home tree from your "old" computer to an external drive. 
Make certain that you have enough room for everything including the two files you just created.

Debian Install Steps:

I actually repeated the install a couple times before I got it right, since there are always wrinkles.  I am writing this as I do a "test install" for the blogs.  Steps will be written as I do them, and I will note the ones that I personally find important. 

From the first Main Menu, Select Debian GNU/Linux Live.
Allow the machine to come to a desktop.
Sign onto a Wifi Network or Connect to Ethernet so the installer will get the latest software.
Double click to launch "Install Debian".
"Welcome to the Calamares Installer for Debian 11 (Bullseye)." screen will show.
Select your language (American English for me).
Click Next.

Select your location (Region: America and Zone: New York).
Select your system language (American English).
Select your number and date format (American English, United States).
     -The prior three can be changed within XFCE's settings app on the Applications Menu.
Click Next.

Keyboard Model can be changed, although I have good luck with the one that gets selected by Debian.
Test the keyboard if you feel that is necessary.
Click Next.

I will select Erase Disc to delete all data from the destination hard drive; you may not have the same priorities - think this one through to fit your personal needs!
I am encrypting the entire disc so I will click "Encrypt System".
That opens up the place to enter the password for the system and changes the graphic to allow you to see what it intends to do on your computer.
Verify the Boot Loader Location is on the intended drive - usually /dev/sda
Click Next.


Enter your name: it will create a tree for this user under /home
Enter your login name: should be the same as the first for a home user.
The Name of the Computer on the network. 
    -Must not be the same as another machine on your network.
Choose your password and enter it twice.
Login Automatically without a password.
    -If you click this box, the only password you need to get into your machine is the "GRUB" passphrase entered at boot.  I select this entry personally.
Click Next.

It allows you to see what you have told the installer to do.
Review this information and, if you are ready to install and perhaps erase your hard drive, click Install.

Go make a drink.  There will be enough time while it goes out and creates your new computer.
If you get back and the screen is locked, user and password are:
    User = user
    Password = live

On reboot:
Enter the Password you gave the installer at the "Enter Passphrase" prompt in GRUB.
Hit enter; it will take time to decrypt the boot sector.
The grub menu will come up and the computer will continue to boot.
You will see the Debian logo and "cryptsetup: luks-.... set up successfully" message.

At this point you will be at your new desktop.
Enter your Wifi password or make sure that Ethernet is working.
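
Once you are at the desktop, you can confirm that what got mounted really sits on the encrypted volume rather than trusting the boot message alone. This added example (not from the original post) walks the device tree reported by lsblk; the function names and the sample device layout are constructed for illustration.

```sh
#!/bin/sh
# Added example: list mounted filesystems and swap that are NOT on dm-crypt.
# Input: output of  lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT  on stdin.
# Output: one mountpoint per line, sorted; empty output means all are encrypted.
# On UEFI machines /boot/efi is expected to appear: firmware must read it.
unencrypted_mounts() {
    awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    function val(key,    line, m) {
        line = " " $0
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m)
        sub(/"$/, "", m)
        return m
    }
    {
        k = val("KNAME")
        dtype[k] = val("TYPE")
        parent[k] = val("PKNAME")
        mp = val("MOUNTPOINT")
        if (mp != "") mount[k] = mp
    }
    END {
        for (k in mount) {
            enc = 0
            # Walk up the parent chain looking for a dm-crypt mapping.
            for (d = k; d != ""; d = parent[d])
                if (dtype[d] == "crypt") { enc = 1; break }
            if (!enc) print mount[k]
        }
    }' | sort
}

# Constructed sample (not captured from a real machine): root and swap on
# LUKS mappings, plus an unencrypted external backup drive.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="sda1" MOUNTPOINT="/"
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-1" TYPE="crypt" PKNAME="sda2" MOUNTPOINT="[SWAP]"
KNAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sdb1" TYPE="part" PKNAME="sdb" MOUNTPOINT="/media/bill/backup"
EOF
}

# Usage:  lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT | unencrypted_mounts
```

With the sample layout the only line printed is the external backup drive, which is the one place the copied /home data is readable without the passphrase.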

To Restore:
Once your backup on the old computer is complete, unmount the drive and plug it into the new computer.
Hopefully it is all USB 3.0 because the restore took me about 8 minutes to complete.
Click on Applications and Launch Terminal.
In Terminal, become root with "sudo su" and enter your user's password.
To copy the data back enter "thunar /home &".
Yes you will have to do this via root, and once complete, you will have to change things to make your new system "accept" the old data:
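1) Copy the backup data to the /home directory.
2) NOTE!:  If you encounter any conflicts where thunar finds a duplicate file, "skip all" is the correct response.  If not, you will render your system intact but your data will be locked in odd and subtle ways.
3) When the copy is finished, you will have to reclaim ownership of the files so that permissions are correct for your end user.
Assuming you are "bill", as root:
A) cd /home
B) chown -R bill:bill bill
The -R option walks everything under /home/bill, hidden files and directories included, and bill:bill sets owner and group in one pass.  A separate pass over ".*" is not needed and is dangerous from /home: in many shells ".*" also matches "..", which from /home is /, so "chown -R bill .*" would change ownership across the entire system.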

This may be overkill but this way I got ownership of my home tree including everything in my ~/.cache directory and any important .conf files.  I also had a message present itself saying that I can't move something into trash because of permissions; this will avoid that.

At this point you should be "non destructively" on your new machine, with your old machine still intact.  The new machine should be very close to what you left.  Mine was.

