Secure Debian Installation Guide

A step-by-step guide to installing Debian with Secure Boot, custom signed modules, LUKS Full Disk Encryption with TPM2 auto-unlock, and installation of the DKMS NVIDIA driver. There are also a few other random tidbits along the way that may prove to be useful depending on your specific needs.

This guide is primarily designed for Debian; however, it should hold true for any Linux distro that is based on Debian. It should also generally work for any other Linux distro, but some commands, packages, and config file locations may be different for your flavor of Linux. I try to explain why things are done and what the point of each step is, so it may not take someone more experienced in Linux installation and configuration much time to adapt this to another distro (with modifications, I also follow this guide when installing Arch Linux).

Note
I also follow this guide for installing Kali as it is based on Debian (and the Debian installer).

If you’re planning to install Debian (or a Debian-based OS) onto a portable storage device (like a flash drive, external hard drive, etc.), check the USB Installation Specifics page before you proceed, as there are differences in the process along the way.

USB Installation Specifics

These are general guidelines to review before you start installing the OS onto a portable drive. The nice thing about the approach that I take when setting up Debian is that it makes it fairly simple to extend these same instructions to USB storage. If you’re not using USB storage for your Debian installation, you can safely skip this section.

Set Up Secure Boot

After installing Debian, the first thing I’m going to do is set up Secure Boot. Usually, I’ll start with Secure Boot since some other setup and configuration requires the signing of kernel modules, and I like keeping Secure Boot itself out of the equation when those steps come up.

Unlock LUKS with TPM2

Setting up LUKS to load encryption keys from the TPM2 device on the system is a pretty simple effort overall. We’re just going to be creating a new key for the disk, adding the key to the LUKS partition, adding the key to the TPM, and finally setting up crypttab to load the key from the TPM when the system starts up.

Install and Configure zRAM

To add swap space to the system, I prefer using zRAM to get a compressed memory space. This, in theory, should be faster than using a traditional swap space, since zRAM compresses the memory that it’s using, which would result in lower disk space usage and faster swapping from disk to memory.

Troubleshooting

This is a list of some common issues that I’ve had while running through this process and how to get out of them. It is by no means exhaustive, but I’ll do my best to keep it up-to-date as I go through this more.