Encrypting root on an existing Debian lenny installation

Once in a while, I get to travel to places that make me worry about the
data on my laptop. This time, it is not the US, but another openly democratic
country where they kill you for a joint, let alone nude pictures. Enough
politics, though.

I have a laptop with /boot in a separate partition, followed by
a /root partition and a /swap. Having a separate /boot
is mandatory, as the BIOS has to load an unencrypted kernel and its initrd
before being able to access the encrypted partition. Another option is to keep
/boot on a USB stick, but its setup can take a whole other

First things first, let us install software for managing encrypted disks and
updating the initrd image:

aptitude install cryptsetup initramfs-tools

We have to make sure that the encryption modules are present in the initrd,
so I add the following three modules to the initrd config:

echo aes-i586 >>/etc/initramfs-tools/modules
echo dm-crypt >>/etc/initramfs-tools/modules
echo dm-mod >>/etc/initramfs-tools/modules

The next step is to tell cryptsetup (via /etc/crypttab) and /etc/fstab about
the partition mapping between /dev/hda2 (the physical device) and
/dev/mapper/root (its encryption interface).

echo "root /dev/hda2 none luks" >>/etc/crypttab
sed -i 's#/dev/hda2#/dev/mapper/root#' /etc/fstab

We also have to change the root device for grub the same way we did it for

sed -i 's#/dev/hda2#/dev/mapper/root#' /boot/grub/menu.lst
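
A mistake in any of the files edited so far leaves the machine unable to find its root device at boot, so it is worth checking them against each other first. The shell function below is an added example, not part of the original post; the name check_cryptroot and its optional path-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for the files edited above.
# Usage: check_cryptroot [PREFIX] [PHYS_DEV] [MAPPER_NAME]
# PREFIX is a hypothetical path prefix (empty = live system) so the check
# can also run against a mounted or constructed copy of the filesystem.
check_cryptroot() {
    ROOT="${1:-}"; PHYS="${2:-/dev/hda2}"; NAME="${3:-root}"
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. The initrd module list contains each module as a whole line.
    for m in aes-i586 dm-crypt dm-mod; do
        grep -qx "$m" "$ROOT/etc/initramfs-tools/modules" 2>/dev/null \
            || fail "$m missing from /etc/initramfs-tools/modules"
    done

    # 2. crypttab maps NAME to PHYS with the luks option exactly once
    #    (re-running 'echo >>' leaves duplicate entries).
    n=$(awk -v n="$NAME" -v p="$PHYS" \
        '$1==n && $2==p && $4 ~ /(^|,)luks(,|$)/ {c++} END {print c+0}' \
        "$ROOT/etc/crypttab" 2>/dev/null) || n=0
    [ "${n:-0}" -eq 1 ] || fail "crypttab has ${n:-0} entries for $NAME, want 1"

    # 3. fstab mounts / from the mapper device and no active line still
    #    names the raw partition.
    awk -v d="/dev/mapper/$NAME" \
        '!/^[ \t]*#/ && $1==d && $2=="/" {ok=1} END {exit !ok}' \
        "$ROOT/etc/fstab" 2>/dev/null || fail "fstab: / is not on /dev/mapper/$NAME"
    awk -v p="$PHYS" '!/^[ \t]*#/ && $1==p {f=1} END {exit !f}' \
        "$ROOT/etc/fstab" 2>/dev/null && fail "fstab still mounts $PHYS directly"

    # 4. Every kernel line, and the '# kopt=' line that update-grub uses to
    #    regenerate them, carries root=/dev/mapper/NAME.
    awk -v d="root=/dev/mapper/$NAME" '
        $1=="kernel" || /^# kopt=/ { n++; if ($0 !~ (d "([ \t]|$)")) bad++ }
        END { exit !(n>0 && bad==0) }' "$ROOT/boot/grub/menu.lst" 2>/dev/null \
        || fail "menu.lst: kernel or kopt line lacks root=/dev/mapper/$NAME"

    return $rc
}
```

Called with no arguments, it checks the live system and returns non-zero if any of the four files disagrees with the others.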

Now, recreate the initrd image by issuing