Pre-Installation
My machine is configured (during installation) to have Secure Boot disabled. After completing the installation, I will re-enable Secure Boot in the Secure Boot section of this guide.
A step-by-step guide to installing Debian with Secure Boot, custom signed modules, LUKS Full Disk Encryption with TPM2 auto-unlock, and installation of the DKMS NVIDIA driver. There are also a few other random tidbits along the way that may prove to be useful depending on your specific needs.
This guide is primarily designed for Debian, but it should also hold true for any Linux distro based on Debian. It should generally work for other distros too, although some commands, packages, and config file locations may differ for your flavor of Linux. I try to explain why each step is done and what it accomplishes, so someone more experienced with Linux installation and configuration should not need much time to adapt this to another distro (with modifications, I also follow this guide when installing Arch Linux).
If you’re planning to install Debian (or a Debian-based OS) onto a portable storage device (like a flash drive, external hard drive, etc.) check the USB Installation Specifics page before you proceed, as there are differences in the process along the way.
These are general guidelines to read before you start installing the OS onto a portable drive. The nice thing about the approach I take when setting up Debian is that it makes it fairly simple to extend these same instructions to USB storage. If you’re not using USB storage for your Debian installation, you can safely skip this section.
After installing Debian the first thing I’m going to do is set up Secure Boot. Usually, I’ll start with Secure Boot since some other setup and configuration requires the signing of kernel modules and I like keeping Secure Boot itself out of the equation when those steps come up.
Setting up LUKS to load encryption keys from the TPM2 device on the system is a pretty simple effort overall. We’re just going to be creating a new key for the disk, adding the key to the LUKS partition, adding the key to the TPM, and finally setting up crypttab to load the key from the TPM when the system starts up.
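The enrolment sequence summarised above, written out as an added example (not the guide's own commands): it assumes systemd-cryptenroll as the TPM2 tool, a hypothetical LUKS2 device path, and a PCR 7 binding, which ties the sealed key to the Secure Boot state and therefore has to be done after Secure Boot is in its final configuration.

```shell
#!/bin/sh
# Added example: LUKS2 + TPM2 auto-unlock with systemd-cryptenroll (assumed tool).
# Needs a LUKS2 container, a TPM2 device and a systemd build with TPM2 support.
set -eu

# Hypothetical LUKS2 container; override with LUKS_DEV=/dev/... when running.
LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"
# PCR 7 reflects the Secure Boot policy. Enrol only once Secure Boot is in its
# final state (re-enabled, MOK keys imported); a later change stops auto-unlock
# and the regular passphrase is needed until the key is re-enrolled.
PCRS="${PCRS:-7}"

# Seal a freshly generated key in the TPM2 and add it as a LUKS2 keyslot/token.
# Prompts for an existing passphrase so the new keyslot can be authorised.
enroll_tpm2_key() {
    dev="$1"; pcrs="$2"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
}

# Verify the LUKS2 header actually carries a systemd-tpm2 token before
# relying on it for unattended boots.
has_tpm2_token() {
    cryptsetup luksDump "$1" | grep -q 'systemd-tpm2'
}

# Build the /etc/crypttab entry: name, source, key ("none" = TPM2 token with
# passphrase fallback), options. tpm2-device=auto selects the system TPM2.
crypttab_line() {
    name="$1"; uuid="$2"
    printf '%s UUID=%s none luks,discard,tpm2-device=auto\n' "$name" "$uuid"
}

# Only touch the real device when explicitly requested: RUN_ENROLL=1 sh script
if [ "${RUN_ENROLL:-0}" = "1" ]; then
    enroll_tpm2_key "$LUKS_DEV" "$PCRS"
    has_tpm2_token "$LUKS_DEV" || { echo "no TPM2 token in header" >&2; exit 1; }
    crypttab_line root_crypt "$(blkid -s UUID -o value "$LUKS_DEV")" | tee -a /etc/crypttab
    # Regenerate the initramfs with the generator your install uses, so the
    # early boot environment knows how to query the TPM2.
    update-initramfs -u
fi
```

Before rebooting, check that the initramfs generator on your release supports TPM2 unlock for the crypttab options used here; otherwise the passphrase prompt remains the only unlock path.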
For adding swap space on the system, I prefer using zRAM to get a compressed swap area in memory. In theory this should be faster than a traditional swap partition, since zRAM compresses the pages it holds: less (or no) disk space is needed for swap, and swapping in and out of the compressed area is faster than going to disk.
Installing NVIDIA drivers should go fairly smoothly after you set up Secure Boot. This is (mostly) here just to show how loading new kernel modules should go now that we have our Secure Boot MOK key enabled. This is because when we created our Secure Boot keys we set up DKMS to find our kernel module signing keys.
As an (optional) nicety I like having Plymouth installed for showing a boot splash screen on the loader. What’s especially nice is that after this is enabled you can still press Esc to show the output (for debugging startup issues).
This is a list of some common issues that I’ve had while running through this process and how to get out of them. It is by no means exhaustive, but I’ll do my best to keep it up-to-date as I go through this more.