
How to install and multi-boot between Windows, and Debian Testing with full disk encryption



Let’s say you have a laptop or a netbook which you take with you everywhere, and on which you keep sensitive information. (Let’s even say you have a home computer with sensitive information.)

You don’t have to be a secret agent or a crook to have sensitive information. Everyone has sensitive information!

Sensitive information can be anything: the passwords for every online and offline account you subscribe to, be it Facebook or Google Plus/Mail/AdSense/Analytics/etc., your email passwords, SSH keys, bank accounts. Other types of sensitive information might be that novel you’ve been writing, or company documents that you don’t wish to fall into the wrong hands (i.e. any hands other than yours ;) ).

What if you accidentally left your machine behind? Or if it was stolen?

If like most people, you just use the machine the way you got it – with Windows already installed on it for example – then it’s a trivial thing for the person now in possession of that machine to be able to garner all your sensitive information, and you now have an enormous amount of problems on your hands, other than just having lost a shiny toy.

The best way to mitigate such an occurrence is to encrypt your data.

This can be done in a number of ways – if you’re installing Ubuntu, for instance, it offers you the chance to encrypt your home directory. This is nice, but I have recently encountered a problem where the encrypted home directory became corrupted – it was mounted on top of an ext4 filesystem and for some reason Something Bad Happened and some of my encrypted files became corrupt – nothing too important, but it was an annoyance. I googled for a similar occurrence and found some people had similar problems.

Another method is to contain the entire system, swap, and home partitions within encrypted LVM partitions, and this is what this tutorial is going to cover.

We’ll look at an example machine.

This machine has a 300GB hard drive and only has Windows 7 installed on it. (For this example, I will be using a suitably configured virtual machine, but all the steps are valid for any similarly set up laptop, netbook, and PC).

What I want to end up with in this first part is a machine that can multi-boot between Windows and Debian Testing, with Debian installed in an encrypted LVM partition.

0) Preamble and Disclaimer

I am NOT responsible for any data loss in the event you follow this tutorial and Something Goes Wrong. There is always the potential that re-sizing your Windows partition might result in Something Going Wrong, followed by Loss Of Data, followed by Hitting Head Against Wall And Realising One Should Have Backed Up One’s Data Before Proceeding.

So my advice is, if you do have stuff on your Windows partition that you’d rather not lose should Something Go Wrong, please make a backup of it – in fact do a full system backup of Windows and burn it to a recovery CD/DVD. Windows 7 has those tools by default. If you wish, I can do a write-up of how to do precisely that – just ask me before embarking on this mini adventure! ;)

This article assumes the following:

  • You are reasonably competent at following instructions  ;)
  • You have a router on your network which can automatically assign IP addresses to systems connecting to your network
  • Your laptop/netbook/PC has a physical network interface card – the Debian Installer Business Card ISO is a bare minimum installer – it does not contain all the package files you would find on a full CD or DVD release – they get installed from the Debian repositories.
  • You are comfortable enough with manually configuring your network details if necessary – seriously, if you don’t know what DHCP is, or how to manually configure your network card from a text only interface, then reconsider going ahead with this.
  • You have been warned, and I WILL point this Preamble section out to you should you make a post here complaining that your machine doesn’t have a physical network interface and you got as far as configuring the network only to find this out :)
  • This is a fairly technical article, and I will leave out some screenshots on some fairly mundane steps like Pressing Return At A Certain Point, for example, “Detect Network Card” is automatic, and should pass without incident if the Debian Installer detects them.

If like me you’re a steely-eyed Admin from Hell who can handle any disaster come what may, PROCEED!

1) Download and burn the Debian Installer Business card and a Live CD ISO…

  • You can get the Debian Installer business card ISO from here.
  • Decide which Live CD you are going to use for this. I’m using the Linux Mint 11 Live CD from here. Linux Mint 12 is now available and will do the job as well, but I’ve already got the version 11 ISO to hand and will just use that.


Also NOTE:  Connect your laptop/netbook/PC up to a physical network port – the net install requires a network connection, weirdly enough, and you can be certain that your built-in wifi card will not work.

2) Preparing the hard drive

If you’re planning to completely wipe your hard disk and just have Debian on it, then you can skip this section altogether. In fact you can just boot up into the Debian installer and select the “Use whole disk and use encrypted LVM” option and, well, basically skip this whole article ;)

If your machine comes with Windows 7 already installed, it’s likely that Windows takes up the entire hard drive space.

We need to make room for the Debian installation, so to do that we need to re-size the Windows partition to something smaller, which will give us room to shoe-horn the Debian installation into.

To do that, I’m going to boot the machine up into a Linux Live CD, and my choice for this tutorial is the Linux Mint 11 Live CD. Feel free to substitute that for your favourite Live CD of choice – preferably one which includes GParted ;)

Linux Mint showing the menu navigation to GPartEd





Boot up into the Live CD and navigate to where Gparted is located, and run it.










Gparted Showing Windows 7 Partitions





There we go. The drive device is called /dev/sda , and in this case there are two partitions – a 100MB system partition and the other occupies the rest of the drive space.

Luckily for me, I haven’t filled up my Windows system with gigs of data and programs, so I have a lot of nice space to play with…







Click on the partition and select Resize/Move





RIGHT-Click on the largest partition and select Resize/Move from the menu.









Select new size





You can select the new size by grabbing the right hand “side” of the partition with the mouse, and dragging it to the left – in my case I’m going to free up half of the 300G for my future Debian installation. Once you have your intended size, click Resize/Move. Gparted will then wait until you hit the Apply All Operations button, which is the one just underneath the “Help” menu. So, go hit that button!

Gparted will then display a “Are you sure you want to apply the pending operations?” message window, with the disclaimer about data loss. If you’re really sure then hit Apply






Let The Re-sizing Commence!





Gparted now re-sizes your windows partition…













And it looks like everything went to plan. Hurrah!








Shiny New Space





Now we have a nice amount of disk space to install Debian.








Next thing to do is to close Gparted, and power down the system. Then it’s time to install Debian…

3) Installing Debian

By now you should have enough space to install Debian, plus a bootable CD created from the Debian-Installer ISO you downloaded earlier.

So with that in mind, insert the CD into the CD reader and power up your target system.

Installer Opening Screen





You’ll be presented with the installer main menu.

Move down the options until you reach “Advanced options“, then hit the Enter key…








Select Expert Install





Select “Expert Install” and hit Enter…

Yes that’s right, we’re rolling up our collective sleeves and diving into Expert Mode. Steely-eyed stares commence… now!

(Do not try the Graphical expert install – at time of writing, once booted up into the graphical installer, my USB keyboard and mouse stopped working – anyway, the graphical installer offers no advantage over the text install – the menus are the same.)

The debian installer will boot the installer kernel…





Choose language





The installer begins by asking you all the basic stuff, like choosing your language…









NOTE: From here on, ENTER will select an option, and the TAB key will switch to other menu options like “Go Back” or “Continue” on the screen – you should familiarize yourself with these control methods.









Of course, I’m choosing English ;)














Next up it’ll ask you your location.

In my case I’m going to select “Other” because I live in Japan – of course you choose where you live ;)













Eventually you’ll be asked to pick a Locale setting – I’ll just use the US one…









Generate Locales





Eventually it might even ask to generate additional locales – because I selected Japan as my location. I’ll just TAB to “Continue”…








Okay, I think by now you have the hang of things, so instead of me pasting pictures of each menu item, please proceed with the next steps on your own;

  • Select your Keyboard Layout
  • Detect and Mount CD-ROM  *NOTE: it may ask if you wish to load an additional USB Storage module – just TAB to “Continue” and proceed.

At this point the installer will tell you it has detected the installation CD-ROM for the Testing distribution – press Enter to proceed.

Load Installer Components From CD





Next step is Load Installer Components From CD








Lots of installer components!





These are just additional components – just TAB to “Continue” and hit Enter…







The installer will then load a default collection of additional installer options, then you’ll be presented with;



More and more options!





This lot! So, let’s roll up our sleeves and proceed with…









  • Detect Network Hardware – Select this and the installer will – weirdly enough – detect your network cards. As I stated at the beginning of this tutorial, you should connect your laptop/netbook or PC physically to your router via a network cable and the machine’s network card, as I doubt many wireless interfaces will be operational with this installer. (I’ll try this on my own netbook at some point and update on my findings but for now, physical network connection is the safest method.)


Configure the network





Configure the network – The installer wants to know how you’re going to do this. I’ll choose the DHCP method because it’s quick, easy, and automatic if your internet router is configured to automatically assign IP addresses to any client machines on your network.








Enter Host Name





Your router should by now have assigned an IP address for your machine.

At this point, enter a hostname of choice – I’m calling mine “ScaryDeb”

It’ll also ask for a domain name – my router supplies that during the DHCP stage, so that was already filled in for me and I’ll just press Enter to proceed.






Choose mirror



Now we have to choose a mirror site, for downloading the many Debian packages to be installed.

Press Enter, and you’ll be asked to use either http or ftp protocols – I usually always choose http.

Next it’ll ask you to choose your Debian archive mirror country – you should choose the archive closest to you in your country.

After that, you’ll probably get a selection of relatively local mirrors to choose from, so choose one and press Enter.

Next up it’ll ask if you need to use a Proxy server to reach the outside internet. If so, enter the details, if not, leave blank and press Enter.






Choose Version To Install



If all went well above, the installer should now be asking what version of Debian you’d like.

I’m selecting testing – otherwise known as “Wheezy” at time of writing.

Select “stable” if you want a crusty old Debian system that will work and is stable.

testing will give you a reasonably up to date system with Gnome 3 and all the other goodies.

Select “unstable” if you enjoy a life of hell and Something Going Very Wrong Very Frequently – it’s called unstable for a reason :)

No really, trust me, just select testing B)






Set up users and passwords





Now we have to set up users and passwords. Press Enter…








Enable shadow passwords





Choose to enable shadow passwords – they’re more secure.









Allow login as root




You have a choice to make here – either allow login as root or not.

My advice nowadays is to choose ‘No’. Selecting No will automatically configure sudo and the ordinary user you enter next will have permission to use sudo. It really is better to use sudo.

So select No here on my recommendation.






  • Next up the installer will ask for the Full Name of the new user – give it one
  • Followed by a user name – give the new user a username here
  • Next up it’ll ask for the new user’s password. Enter that.
  • Then verify that by re-entering the password.


Next up is setting the clock – this is straightforward and I’ll just post the sequence of events as follows;

Configure the clock


NTP server to use

Select timezone














Configuring your disks/partitions

Detect Disks





This is where the fun begins! Press Enter…








Partition disks





Actually, I lied – this is where the fun really begins. Press Enter…









Select Partitioning Method



Okay so now we have to select our partitioning method.


Do not select any of the Guided methods. If you do then say bye-bye to Windows.

What we want to do, is to end up with a multi boot system; Windows, and Debian contained within encrypted LVM. If life was easy, we’d have an option saying “Guided – use largest continuous free space and set up encrypted LVM”. Unfortunately, life is hard and cruel, and apparently no one at Debian Towers has thought to give us this option yet, so we’ll have to do this manually.

Select Manual






Partition Disks





Okay so at the beginning we reduced the size of the Windows partition, to make way for the Debian installation, and we can see that here on this screen, marked “FREE SPACE”.







We want to set up a fully encrypted system. To do that, we need to create two new partitions;

  • One smallish partition, which will be used to boot the system and will be mounted in the system as /boot
  • The remaining free space to be used as an encrypted partition – the LVM partitions will be contained within this big encrypted partition and subsequently will contain the root, swap, and home filesystems.

Creating the boot partition


Select the free space





Move the selector down to the FREE SPACE and press Enter…








Create a new partition





Select “Create a new partition” and press Enter…








New partition size





Enter the size of the new partition – this is a boot partition which will contain the kernel and initrd. My recommendation is about 200MB in size, but I like to add some extra, “just in case”, and I choose to enter “300 MB”. Do so, and press Enter…








Primary or logical





I’ll choose Logical for the partition type…









Beginning or end





Choose “Beginning” and press Enter…..









Select use as





Select “Use as” and press Enter…








Select ext3





For boot partitions, I like to use ext3 as it’s more mature than ext4. There’s nothing wrong with ext4, but really, I prefer ext3 (or even ext2). Up to you.

Press Enter after selecting…







Mount point





Select “Mount point:” and press Enter…









Select boot





Select “/boot – static files of the boot loader“, then press Enter…










Label the partition





I’m pedantic and like to label the partition – so choose “Label” and call it “boot” then press Return…








Done setting up the partition





Finally, select “Done setting up the partition“, and press Enter…









Creating the encrypted partition


So now we have to create the encrypted partition which will contain the system, swap, and home LVM partitions within it…


Creating the encrypted partition




This is much the same procedure as creating the boot partition above – notice the /boot partition is now showing in the screenshot.

Select the “FREE SPACE” and press Enter…








Create a new partition





As before, select “Create a new partition” and press Enter…










Press Enter here for max disk space





Just press Enter here, which will automatically use the remaining free disk space…








Select logical





Again, select “Logical” and press Enter…









Select use as




Select Use As and press Enter…









Select “physical volume for encryption”





Select “physical volume for encryption” and press Enter.









Encrypted partition settings



The defaults here are fine and secure.

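Notice though the setting “Erase Data:” is set to “yes” – this option will wipe that partition in a secure manner by filling it with random data. This makes that partition more secure, because the random fill overwrites whatever was left behind in the space freed from Windows and stops anyone examining the disk from telling used blocks from unused ones, but be warned that it will take AGES to wipe, depending on how large the partition is. It could take days!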

For now I shall toggle this setting to “no” – the decision is up to you :)


Finally, select “Done setting up the partition” and press Enter…








Select Configure encrypted volumes



Notice now we have the Logical partition for boot, and the larger logical partition for “crypto”.


Now select the menu item “Configure encrypted volumes“…








Write changes before configuring encrypted volumes




The installer will explain that the changes need to be written to disk before configuring the encrypted volumes.

Select Yes then press Enter…









Select Create encrypted volumes





Select “Create encrypted volumes” then press Enter…









Mark the crypto device




Move down to the partition “device” you marked earlier as being for an encrypted volume.

It’s the one which will say “crypto” after the size.

Press the spacebar – an asterisk will appear, indicating you’ve marked that device.

Press TAB to highlight Continue, then press Enter…







Select Finish





Select “Finish” then press Enter…









Enter your passphrase – choose a good one!


How exciting! You now need to choose a passphrase which will be used to access the encrypted drive.

  • Choose a good pass phrase!

No, really! Remember your pass phrase! If you forget it, you’ll never be able to boot up into Debian or access your encrypted data!

So, enter your password of choice that is both Good and is One You Shall Not Forget.

Finally, Thou Shalt Not Ever Forget Thy Pass Phrase.

Once you’ve done that, press Enter. It will ask you to verify the pass phrase once more – enter it again then press Enter…

If you chose to wipe the free space earlier, I’ll see you in a few hours or days time, when you can continue below B)






Encrypted space now available



At this point, we now have an encrypted volume. The installer has created the encrypted volume and made it available for use.

Think of it as a blank partition now. I have highlighted the area in this screenshot – looks like the installer helpfully pre-selected to format it as an ext4 file system, too.

We don’t want that, but that’s OK to leave for the moment.

We’re now going to configure LVM inside this encrypted volume






Configure LVM inside the encrypted volume…


Whilst you’re on the screen above, highlight the volume marked #1 under where it says “Encrypted volume (sda6_crypt)…” , then press Enter…


Select Use As





Select “Use as” then press Enter…









Select physical volume for LVM





Select “physical volume for LVM” and press Enter…

Then select “Done setting up the partition“.








Select Configure the Logical Volume Manager





Now select “Configure the Logical Volume Manager” then press Enter…










Select Create volume group



You’ll see a summary of LVM configuration, showing there’s a free Physical Volume which is the one we just marked above.

Select Create volume group then press Enter…


Then enter the name of the new volume group. I called mine “volumes”. Then press enter.









Select device for the new volume group




Mark the device for the LVM volume group by pressing the spacebar. It’s the one marked “/dev/mapper/sda6_crypt” in my example.

There should be an asterisk next to it now, like my screen shot.

Press TAB to select Continue then press Enter…










Create Logical Volume





Now we’re ready to create the Logical volumes which will contain the root, swap, and home directories.

Select Create logical volume then Enter…










Select volume group





Now select the volume group into which we’re creating the logical volume – we only have the one volume group anyway…










Enter Logical Volume Name





Enter the name of the new LV. This is going to be the root directory so call it “root”

Then press TAB to Continue then Enter…








Enter Size of root LV





Enter the size of the root LV. I’m giving mine a healthy 50 GB for example’s sake.

Then Enter…








Create Logical Volume




This brings us back to the “Summary of current LVM configuration” page.

Select Create logical volume again, and create a LV for swap – I’ve chosen “1024M” for mine.

Then finally create a LV for home using the remaining free space.

Once you’ve completed that, select “Display configuration details” then Enter…









You should have something resembling this for LVM summary…




You should now have something resembling the screenshot – that is, 3 LVs, for root, swap, and home.

Press Enter and return to the LVM configuration screen

Then select Finish then Enter…










Partition Overview screen showing LVM volumes




Now we’re back at the partition overview screen.

As you can see, we now have 3 LVM volumes, for home, root, and swap.

This is all contained within the encrypted volume we made earlier.










Now we have to set the mount points and filesystem types for the 3 logical volumes…

Set mount points and filesystem types for the logical volumes


Select the home LV





Select the “home” LV like I have in the screenshot,  then press Enter.










Select Use as





Select “Use as”, then select “Ext4 journalling file system”










Select Mount Point




Select “Mount point:”, and choose “/home – user home directories”

Then select “Done setting up the partition“…









Select the root LV




Similarly, select the “root” LV, then select “Use as:”, choose “Ext4…”, then select “Mount point” and choose “/ – the root file system” for this.

Then select Done setting up the partition.








Finally configure swap




Lastly, select the “swap” LV.

Select “Use as”

Then choose “swap area”

Then select Done setting up the partition.









Completed encryption and lvm setup! Phew!





You should end up with something resembling this screenshot, with encrypted LVM mount points for home, / , and swap, and another mount point for /boot which is not encrypted.

Now it’s time to select “Finish partitioning and write changes to disk” !!










Summary of changes and confirmation




Next up is a summary and confirmation page. Select Yes if yours looks good, then Enter…

The installer will now perform all the writing and formatting operations required.

After that is done, we can now proceed to install the base system!









Select Install the base System





Select “Install the base system“… the installer will now fetch and install the base system…








Select your kernel





After that’s done, select your kernel… I’ll choose the default “linux-image-3.1.0….”








Select the drivers





Next select the initrd. I chose the “generic” one, which will include all available drivers… you might add or change hardware in the future…










Configure the package manager




Next select “Configure the package manager” …

It’ll ask about non-free software. Your choice. Personally I like to have a system that has useful stuff on it so I choose “Yes” to install non-free software…










Select updates





Next up: Select updates. Since I’m installing the “testing” distribution, there’s no need to select “volatile” updates, so TAB to Continue…










Select and install software




Next up: select “Select and install software”…

  • Choose whether or not to participate in the popularity contest…
  • Choose whether or not “man” and “mandb” should be “setuid” – I always answer “No” to this…









Choose software to install





Next up is to choose what you want your machine to be.

I’ll keep the desktop environment default, plus I like being able to SSH to my machines so I’ll also select SSH server, and I’ll keep the Standard system utilities default as well. Then TAB to Continue








Packages being downloaded and installed




The installer will now download and install all the packages required, depending on the choices you made earlier.

This part takes time :)









Answer the questions during install





Watch out for the odd question during the install too….










Install the boot loader





Now it’s time to install the boot loader – GRUB is usually the boot loader of choice these days, so select this option…









Detected Windows and is it OK to install





And the GRUB installer has detected Windows (it says Vista but it’s actually Windows 7 heh)… Answer “Yes“…















And finally! Select “Finish the installation”!








System clock question





Is the system clock set to UTC or not? Usually it is. Mine is, so I answer “Yes” and hit Enter…









Installation Complete! Gasp!





We’re finally done! Remove the installation media and press Enter…









Grub Menu




The system resets and here we are – you can select between Debian and Windows… let’s boot up Debian…









Enter the pass phrase




And this is where you enter your pass phrase to gain access to your encrypted system. You do remember the pass phrase, don’t you?








Booting up!




Luckily I remember my password and now the system is booting up! :D













There we go! Success.








And that’s it. Take it from there, to customize your new encrypted Debian installation to your liking.
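
A check you can run after the first boot to confirm the layout built above, as an added example that is not part of the original tutorial: it reads `lsblk -P` output and lists anything mounted that does not sit on a dm-crypt mapping. The sample layouts are constructed, and the device names sda5 and sda7 are assumptions (the tutorial itself only names sda6_crypt).

```shell
#!/bin/sh
# Added example: list anything mounted that is NOT backed by dm-crypt.
# On the installed system (assumes an lsblk with the PKNAME column), run:
#   lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | check_layout

# Reads lsblk -P lines on stdin; prints "<mountpoint>\t<device>" for every
# mounted filesystem or active swap area with no "crypt" device above it.
# Assumes one parent per device, which holds for this tutorial's layout.
plaintext_mounts() {
    awk '
    # Return the value of KEY="value" from one lsblk -P line. The leading
    # space stops KNAME from matching inside PKNAME.
    function field(line, key,    s) {
        s = " " line
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = field($0, "KNAME")
        parent[k] = field($0, "PKNAME")
        kind[k]   = field($0, "TYPE")
        mnt[k]    = field($0, "MOUNTPOINT")
        order[++n] = k
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (mnt[k] == "") continue            # not mounted, not swap
            enc = 0; hops = 0
            # Walk up: LV -> crypt mapping -> partition -> disk.
            for (d = k; d != "" && hops++ < 16; d = parent[d])
                if (kind[d] == "crypt") { enc = 1; break }
            if (!enc) printf "%s\t%s\n", mnt[k], k
        }
    }'
}

# Succeeds when /boot is the only plaintext mount (the layout built above);
# otherwise prints the offending mounts and fails.
check_layout() {
    extra=$(plaintext_mounts | awk -F'\t' '$1 != "/boot"')
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
}

# Constructed sample: the finished layout from this tutorial.
GOOD_LAYOUT='KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ntfs" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ntfs" MOUNTPOINT=""
KNAME="sda5" PKNAME="sda" TYPE="part" FSTYPE="ext3" MOUNTPOINT="/boot"
KNAME="sda6" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda6" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home"'

# Constructed sample of a common slip: swap created as a plain partition
# next to the encrypted volume instead of as an LV inside it.
BAD_LAYOUT=$(printf '%s\n' "$GOOD_LAYOUT" | grep -v '^KNAME="dm-2"'
             echo 'KNAME="sda7" PKNAME="sda" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"')

printf '%s\n' "$GOOD_LAYOUT" | check_layout && echo "good sample: only /boot is plaintext"
printf '%s\n' "$BAD_LAYOUT" | check_layout || echo "bad sample: the mount above is outside the encrypted volume"
```

/boot stays in plaintext by design in this layout, so this check says nothing about the integrity of the kernel and initrd stored there.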

Perhaps the next thing to look into, is how to fully encrypt your Windows 7 installation as well – that would probably be done using Truecrypt – and I may look into that soon!

How did you get on with this tutorial? Let me know!


7 comments to How to install and multi-boot between Windows, and Debian Testing with full disk encryption

  • ssta

    Another nice writeup.  I’ll link to it from Facebook.

    I hope you write more, you have a really clear style.

    Since we were discussing it on IRC the other day, I had some ideas for possible future articles:

    • sudo: Why it’s a Good Thing, how to use it, and the main point: how to set it up properly. /etc/sudoers must be one of the most incomprehensibly documented pieces of arcana in the whole of the Unixverse… a place which is already filled with inadequately documented pieces of arcana.
    • Backups: Why they’re good — yes, really, there are people who don’t realise that hard drives die, regularly. There’s probably a law somewhere (if not let’s christen it ssta’s law) that the probability of hard drive failure is directly proportional to how much you will be screwed over by its death. Creating a good backup regime is as much art as science, and it’s an excellent candidate for an article. My backup practices are somewhat ‘out there’ in that I prefer to roll my own solutions tailored exactly to the needs of the moment (and backup scripts can be fun to hack on) — so I really have no clue of the current state of the art of free backup solutions.
    • Robust file-systems: No, LVM and/or RAID do not qualify as robust exactly…they’re better than nothing, but only in the same way that having only one eye is better than being blind. btrfs and zfs type stuff, distributed filesystems like moosefs. Understanding the trade-offs between performance and reliability, etc.
    • How to pick good passwords — probably the most useful of the lot. Most people have no idea how to do this.
  • marti

    Great how-to and very well explained. So far I had only found how to install encrypted Debian in a HDD (with no Windows nor other OS in it), so thank you

  • Thanks for this extremely clear and well-written article. If you can indulge one question: how up-to-date are these instructions? I am considering full-disk encryption on a new Debian Xfce installation in a dual boot scenario. Started to try it once, and choked and backed out when I realized I did not understand what I was doing. Armed with this knowledge I wouldn’t mind giving it another go, but I am hoping 4+ years later I can count on the general procedures being the same.

    Fact is, as I am beginning to realize, if you want serious encryption then you have to do your homework. I don’t mind this, but it’s tough for non-geeks. So they end up having their privacy abused by Microsoft, et al.

    Your readers might also enjoy this: https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/

    Thanks again for the article.

    • Hi david, and thanks :)

      To be honest I have no idea how accurate the article is now – it was written a long time ago and I haven’t performed that operation for ages.

      But I imagine that the procedure is more or less the same today as it was then. Only one way to find out of course ;)

      I reckon that as long as you take a full backup of your stuff – like a full disk image – then you should be fine to experiment.


      • then if I do it, as I expect I eventually will, I will report back and let you and all your readers know how up-to-date it is and how beautifully it went! :-)

  • brown

    Thank you very much! This guide is very well written and still works for current Linux installations.
