tier1.jp

Debian small secure installation guides

tier1.jp has provided multiple Debian installation guides.

Our main objective is to obtain a small-footprint Debian installation with security settings and future extensibility, using LVM-over-LUKS with multiple mount points.

We published two versions for stretch. In 2019 the Debian team released their new stable release, "buster".

We once tried to add a buster version, but gave it up since most parts would be the same as the stretch guides, and we ourselves use both stretch and buster.

We need to merge those guides into one "generic version".

This page is its introduction, history, and rationale.

Rev 2020-04-18

Now working on the generic version (not available yet). The old guides are frozen (no more updates for them).

Added notes about driver issues with very recent amd64 machines.

Common Idea

Debian GNU/Linux's official installation guides are fine. tier1.jp wants to make Debian GNU/Linux more secure and smaller for our own workstations, local servers, etc.

We published our internal guides for installing Debian GNU/Linux with a multi-mount-point encrypted LVM filesystem and AppArmor, a GNOME desktop with a Japanese input method, etc., with brief explanations.

  • We want the system to be small and secure.
    • Basically we use expert mode to install Debian GNU/Linux.
    • We use the LVM-over-LUKS pattern to encrypt the whole system except /boot.
    • We recommend utilizing securetty as much as possible.
    • Basically no sudo and no su.
  • Our target systems are recent amd64 CPUs.
    • Mostly Intel Core 6th gen and later, ideally Skylake and Kaby Lake.
      • Be careful when you want to use stretch with Coffee Lake and later (8th and 9th gen).
        • Their chip revisions may differ and cause driver issues, even when the product name is the same.
      • Intel 10th gen Core CPUs will have various architectures.
      • tier1.jp will not test those 10th gen Core CPUs in 2019.
    • AMD Ryzen with dGPU and/or Ryzen APU are not covered (due to our test environment).
      • Linux 4.19 (buster kernel and stretch backports) might support them.
    • Intel Core-X and AMD Threadripper require a dGPU, and we do not use Debian GNU/Linux for such machines (we did not test them).
  • We assume a single SSD/NVMe storage configuration.
    • A guide for LVM-over-LUKS on multiple devices would be available in the near future.
  • Later parts show some extra HOWTOs.
    • GNOME desktop with a minimal Japanese environment (input method and fonts).
    • Small-footprint system monitoring, log management, etc.

Actual Guides

We provided two versions of guides for Debian stretch (9.11).

Attention!

Those "stretch guides" can also be used for buster installation.

For stretch, we are no longer testing clean installations so much.

Some parts are not sufficiently updated.

stretch basic version.
Recommended. Multi-mount-points-on-LVM-over-LUKS with AppArmor.
stretch with read-only root filesystem
A somewhat tricky "read-only root filesystem" Debian stretch, in case you are interested (not completely ro: /var and /home are rw).
buster/stretch generic version (N/A).
This is a "partial ro LVM-over-LUKS on multiple storage devices". We are considering publishing it after the buster 10.4 release (or later), since GNOME-related problems remain and warning/error logs have increased significantly compared with stretch.

Note

We tried to keep those stretch guides up to date until we upgraded our internal systems entirely, but froze them because of our resource shortage. Apologies.

Rationales

Readers should have installed some GNU/Linux without a GUI at least once and know basic GNU/Linux commands and shell operations.

Command lines are pseudo code

Those guides are step-by-step with some commands, but they use pseudo-commands.

user$ ls # commands which normal user can run start with "user$".
root# blkid # "root#" means it requires root privilege.
root# mount /dev/sdX /mnt/example # sdX is NOT an actual device name.

We do not use "sed" or other regex replacements

In many guides, configuration files are modified with regular expression replacements such as s/some_one/into_another/.

We do not use those commands, for the following reasons:

  1. Readers might not read the configuration file, which provides plenty of information in its comment lines.
  2. Regex replacements are highly risky. They could modify what you do not want to change.
  3. We think regex replacements should only be used in shell scripts where you know the target file structure very well.

We recommend GNU nano

So that is also why we use nano to edit some configuration files, with minimal instructions about what to do (add/modify/remove).

root# nano /etc/fstab # means you should use "nano" and edit,
tmpfs /srv/sample tmpfs nosuid,nodev 0 0 # in this case, add a line like this.
root# nano /etc/lvm/lvm.conf # edit issue_discards (the key is spelled issue_discards in lvm.conf).
issue_discards = 1 # find it (Ctrl-W "issue_d") and change its value to "1".

In most cases those files tell you what each line means in their comments.

The choice of editor does not matter so much. However, considering availability and a small-footprint installation, we think GNU nano is nice.
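The two hand edits above can be verified without touching the files. The following added example (our own illustration, not part of the tier1.jp guides) reads an lvm.conf-style and an fstab-style file, skips comment lines, and reports whether issue_discards = 1 and the nosuid,nodev tmpfs entry are actually in effect; the sample files and the /srv/sample mount point are constructed for the demonstration.

```shell
# Added example, not code from tier1.jp's guides: read-only checks for the two
# hand edits above (the tmpfs line in /etc/fstab, issue_discards in lvm.conf).
# Nothing is rewritten; we only report the value actually in effect, skipping
# the commented-out defaults that a blind s/old/new/ replacement could also hit.

# Effective value of KEY in an lvm.conf-style file: last uncommented "KEY = VALUE".
lvm_conf_value() {   # usage: lvm_conf_value FILE KEY
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }              # comment lines only show defaults
        $1 == key && $2 == "=" { val = $3 }    # last assignment wins
        END { print val }
    ' "$1"
}

# Mount options (4th field) of MOUNTPOINT in an fstab-style file.
fstab_options() {    # usage: fstab_options FILE MOUNTPOINT
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { opts = $4 }
        END { print opts }
    ' "$1"
}

# 0 if OPTION is one of the comma-separated options in LIST, else 1.
has_option() {       # usage: has_option LIST OPTION
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# 0 if both settings from the guide are in effect, 1 otherwise.
check_guide_settings() {   # usage: check_guide_settings LVM_CONF FSTAB MOUNTPOINT
    [ "$(lvm_conf_value "$1" issue_discards)" = 1 ] || return 1
    opts=$(fstab_options "$2" "$3")
    has_option "$opts" nosuid && has_option "$opts" nodev
}

# Constructed sample files standing in for /etc/lvm/lvm.conf and /etc/fstab.
LVM_SAMPLE=$(mktemp) && FSTAB_SAMPLE=$(mktemp)
trap 'rm -f "$LVM_SAMPLE" "$FSTAB_SAMPLE"' EXIT
cat > "$LVM_SAMPLE" <<'EOF'
devices {
    # issue_discards = 0
    issue_discards = 1
}
EOF
printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
    'tmpfs /srv/sample tmpfs nosuid,nodev 0 0' > "$FSTAB_SAMPLE"
check_guide_settings "$LVM_SAMPLE" "$FSTAB_SAMPLE" /srv/sample && echo "guide settings in effect"
```

Point the functions at the real /etc/lvm/lvm.conf and /etc/fstab to check a finished installation; the commented-out default in the sample shows why a read-only parse is safer than a blind replacement.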

About Debian buster

Our observations for buster

tier1.jp has been testing Debian buster since it was the "testing" release, and decided not to upgrade our own systems to buster in 2019.

Rather, we prefer Debian stretch (now "oldstable", 9.12).

The major points are LUKS2, LVM, and GNOME/Wayland app instability.

  • LUKS2 features are only obtained by a buster clean installation.
    • Upgrading from stretch cannot give you full-featured LUKS2.
  • On our test machine, upgraded buster shows more LVM-related warning logs than a buster clean installation.
    • In short, for LVM-over-LUKS machines, "buster" is NOT "upgraded stretch".
  • The GNOME/Wayland shell and apps are unstable.
    • Intel UHD Graphics has DRM hangs and rcs0 resets.
      • In most cases it recovers, but in a few cases the video stayed gone (reset timeout).
    • Switching to GNOME/X.org on buster is not an option for us.
    • We only use GNOME. We do not use other window managers.

Note

Debian buster itself is stable.

Those issues come with an LVM-over-LUKS GNOME system.

What we think is important is Python

We must upgrade Python 2 scripts ASAP.

We also have to be careful about Debian Python packages.

Some Python packages have been upgraded to use Python 3 instead of Python 2 (that is, some packages use a different version of Python in stretch and buster). Your Python projects might behave differently when you upgrade from stretch to buster, and you need to deal with that.

  1. Python 2 upstream support will end in early 2020.
  2. The next Debian release, "bullseye", would drop Python 2.

Updated: 2019-10-16

  • About LUKS2 and full disk encryption.
  • The Debian buster ISO image does not provide fdisk by default.
    • Choose fdisk-udeb under "Load installer components from CD" if you want it.
  • Debian buster installs and enables AppArmor.
    • "expert install" only installs the minimum AppArmor-related packages.
    • You can skip some of the steps for enabling AppArmor in buster.
  • Debian buster "expert install" still needs some workarounds.
    • /var/mail owner and permissions (when you separate that mount point).
    • LVM issue_discards = 1 option (on SSD/NVMe).
  • Debian buster uses "merged /usr".
    • This may cause problems with our installation guide, especially around /lib.
    • Your AppArmor profile paths should be updated.
  • gnome-core installs plymouth (boot-time animation and more).
    • We do not recommend it.
  • mutt and neomutt separation.
    • mutt is enough for local logcheck summary mails.

For more details, please read the buster release notes (updated frequently).
