Minimal Debian

Debian Vader

Debian 9 “Stretch” is the latest stable release of the popular Linux operating system. I use Debian’s minimal network install image to create a console-only base configuration that can be customized for various tasks and alternate desktops. 1

Let’s go!

Debian GNU/Linux is an operating system created by volunteers of one of the largest and longest-running free software projects in the world. There are 3 release branches: stretch/stable, buster/testing, and sid/unstable.

Below is a visual walk-through of a sample workstation setup that makes use of the entire disk divided into 2 partitions: a boot partition, 2 and an encrypted partition used by the Logical Volume Manager (LVM) to create “virtual partitions” (Logical Volumes). Installing LVM on top of the encrypted partition allows:

  • creation of multiple LVs protected by a single passphrase entered at boot time
  • dynamic resizing of filesystems (set aside unallocated space and make use of it as needed)
  • snapshots of filesystems that can be used as backups or to restore a previous state 3

0. Prepare install media

Download the (unofficial with firmware) 64bit firmware-9.0.0-amd64-netinst.iso or the 32bit firmware-9.0.0-i386-netinst.iso for older machines. Verify the PGP signature and flash the image to a USB stick. 4

Minimal installer (requires network connection) downloads all the latest packages during setup.
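
One way to carry out the verification step before flashing, as an added example that is not part of the original post: check the detached signature on the checksum list with gpgv, then check the image against its entry in that list. The file names SHA512SUMS and SHA512SUMS.sign, the caller-supplied keyring path, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the checksum list and
# its detached signature (SHA512SUMS, SHA512SUMS.sign) were downloaded from
# the same directory as the ISO, and that the caller supplies a keyring file
# holding the Debian CD signing key, obtained and checked out of band.

# Step 1: verify the detached PGP signature on the checksum list.
# gpgv trusts only keys in the given keyring and exits non-zero otherwise.
verify_sums_signature() {
    keyring=$1 sums=$2
    gpgv --keyring "$keyring" "$sums.sign" "$sums"
}

# Step 2: compare the image with its entry in the (now trusted) list.
# Returns 0 on match, 1 on mismatch, 2 if the image is not listed at all.
check_image_hash() {
    sums=$1 image=$2
    name=$(basename "$image")
    # sha512sum lists "<hash>  <name>" (text) or "<hash> *<name>" (binary).
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    got=$(sha512sum "$image" | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "$name: SHA512 mismatch" >&2; return 1; }
    echo "$name: OK"
}

# Both steps; the hash is only meaningful once the signature has verified.
verify_image() {
    verify_sums_signature "$1" "$2" && check_image_hash "$2" "$3"
}
```

Call it as `verify_image KEYRING SHA512SUMS IMAGE`; give the keyring as a path containing a slash, otherwise gpgv looks for it in the GnuPG home directory.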

1. Launch


Select language

Select location

Configure keyboard



Root password

Verify password

Full name


User password

Verify password

Select time zone

2. Partitions

Sample layout:

  • sda1 is a 512MB boot partition
  • sda2 uses the remaining storage as a LUKS encrypted partition
  • LVM is installed on the encrypted partition, and contains a volume group with the 3 logical volumes root + swap + home

Partitioning method

Partition disks

Partition table

Free space

New partition

Partition size

Primary partition


Modify the default mount options … 5

Mount point: /boot
Mount options: relatime
Bootable flag: on


Free space

New partition

Assign the remaining storage to the encrypted partition …

Partition size

Primary partition

Modify the default mount options …

Use as: physical volume for encryption
Erase data: no

If the hard disk has not been securely wiped prior to installing Debian you may want to configure Erase data: yes. Note, however, depending on the size of the disk this operation can last several hours.

Physical volume for encryption

Configure encrypted volumes

Write changes

Create encrypted

Devices to encrypt



Verify passphrase

Partition disks

Modify the default mount options …

Use as: physical volume for LVM

Physical volume for LVM

Configure LVM

Write changes

Create volume group

Vg name

Device for vg

Create lv


Lv root

Lv root size

Create lv


Lv swap

Lv swap size

Create lv


Lv home

Set aside some unused space for future requirements. LVM makes it easy to expand or create new filesystems as needed …

Lv home size

Finish lvm

Select lv root

Modify the default mount options …

Use as: Ext4
Mount point: /
Mount options: relatime

Lv root config

Select lv swap

Modify the default mount options …

Use as: swap area

Lv swap config

Select lv home

Modify the default mount options … 6

Use as: Ext4
Mount point: /home
Mount options: relatime
Reserved blocks: 1%

Lv home config

Finish partitioning

Write changes

3. Install packages and finish up

Configure package manager

Use the Debian global mirrors service

Mirror hostname

Mirror directory


Popularity contest

Select only [*] standard system utilities and leave the remaining tasks 7 unmarked …

Software selection

Packages are downloaded and the installer makes its finishing touches …


Install GRUB to MBR

GRUB device


4. First boot

GRUB menu

User is prompted for the passphrase to unlock the encrypted partition …

Unlock passphrase


Log in and run timedatectl to confirm the system date and time are properly configured.


After running a minimal install on my Acer C720 Chromebook with encrypted swap + home partitions I ran into this issue: “Black screen instead of password prompt for boot encryption”.

I had to enter my passphrase blind and ALT+F1 to console. When I tried removing the GRUB options splash and/or quiet I lost the ability to enter the passphrase at all and a hard reset was required.

[ Fix! ] Modify /etc/default/grub

## Force the kernel to boot in normal text mode with '=text'

… and update …

# update-grub

Now it works! My Chromebook is currently the only device on which I have run into this issue.

Link: GNU gfxpayload

6. Network

Check which network interfaces are detected and settings …

ip a

Wired interfaces are usually auto-configured by default and assigned an IP address courtesy of DHCP.

To assign a static address, deactivate the wired interface and create a new entry in /etc/network/interfaces. 8 Sample entry for enp3s0

# The primary network interface
auto enp3s0
iface enp3s0 inet static

Bring up|down interface with if{up,down} enp3s0.

Create a temporary wireless interface connection to WPA2 encrypted access points manually using wpa_supplicant + wpa_passphrase + dhclient. Sample setup of wlp1s0 (as root) …

ip link set wlp1s0 up             ## bring up interface
iw dev wlp1s0 link                ## get link status
iw dev wlp1s0 scan | grep SSID    ## scan for access points
wpa_supplicant -i wlp1s0 -c<(wpa_passphrase "MY_SSID" "MY_PASSPHRASE")   ## connect to WPA/WPA2 ... add '-B' to background process
dhclient wlp1s0                   ## obtain IP address

More permanent configurations may be set in interfaces. Sample setup 9 with a static IP address …

iface wlp1s0 inet static
wpa-ssid MY_SSID

Alternative setup using DHCP …

allow-hotplug wlp1s0
iface wlp1s0 inet dhcp
wpa-ssid MY_SSID
wpa-psk MY_PASSPHRASE                                       
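
The sample above keeps the Wi-Fi key in /etc/network/interfaces, which is normally readable by every local user. An added example (not from the original post) that audits such a file for wpa-psk entries and for group/other read access; the function name, return codes and messages are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ifupdown file that
# stores Wi-Fi credentials. The function name and return codes are this
# example's own.
#
# audit_wpa_psk FILE prints one finding per line and returns
#   0  no wpa-psk entry, or the file is readable by its owner only
#   1  a wpa-psk entry is present and group or others can read the file
audit_wpa_psk() {
    file=$1
    # Entries look like "wpa-psk MY_PASSPHRASE"; no match means nothing to do.
    psk_lines=$(grep -nE '^[[:space:]]*wpa-psk[[:space:]]' "$file") || return 0

    # 64 hex digits is the derived key that wpa_passphrase prints; any other
    # value is the passphrase itself. Both let a reader join the network.
    printf '%s\n' "$psk_lines" | while IFS= read -r l; do
        value=$(printf '%s\n' "$l" |
            sed -E 's/^[0-9]+:[[:space:]]*wpa-psk[[:space:]]+//; s/[[:space:]]+$//')
        if printf '%s' "$value" | grep -qE '^[0-9a-fA-F]{64}$'; then
            echo "$file:${l%%:*}: derived 256-bit PSK"
        else
            echo "$file:${l%%:*}: clear-text passphrase"
        fi
    done

    # POSIX find: -perm -040 / -004 match when group / others have read access.
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$file: readable by group or others; restrict with chmod 600"
        return 1
    fi
    return 0
}
```
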

Once a link is established, install an (optional) network manager utility. Packages network-manager and network-manager-gnome provide the console nmcli and graphical nm-applet clients respectively. Comment out (deactivate) any entries in interfaces that will be managed by network-manager.

7. Upgrade

Install any upgrades …

apt update; apt full-upgrade

8. Secure access using SSH keys

Create cryptographic keys, install the OpenSSH server, and configure remote access.

9. Main, non-free, contrib, and backports

Debian uses three archives to distinguish between software packages based on their licenses. Main is enabled by default and includes everything that satisfies the conditions of the Debian Free Software Guidelines. Non-free contains packages that do not meet all the conditions of the DFSG but can be freely distributed, and contrib packages are open-source themselves but rely on software in non-free to work.

Backports contains packages drawn from the testing (and sometimes unstable) archive and modified to work in the current stable release. All backports are disabled by default (to prevent unintended system upgrades) and are installed on a per PACKAGE basis by running …

apt -t stretch-backports install PACKAGE

Modify /etc/apt/sources.list to add contrib, non-free, and backports …

# Base repository
deb stretch main contrib non-free
deb-src stretch main contrib non-free

# Security updates
deb stretch/updates main contrib non-free
deb-src stretch/updates main contrib non-free

# Stable updates
deb stretch-updates main contrib non-free
deb-src stretch-updates main contrib non-free

# Stable backports
deb stretch-backports main contrib non-free
deb-src stretch-backports main contrib non-free

Any time sources.list is modified be sure to update the package database …

apt update

10. Automatic security updates

Fetch and install the latest fixes courtesy of unattended upgrades.

11. Sudo

Install sudo to temporarily provide your USER (example: foo) account with root privileges …

apt install sudo
adduser foo sudo

To allow foo to shut down or reboot the system, first create the file /etc/sudoers.d/00-alias containing …

# Cmnd alias specification
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/shutdown

Starting with Stretch, if you run as USER the command dmesg to read the contents of the kernel message buffer you will see …

dmesg: read kernel buffer failed: Operation not permitted

Turns out it is a (security) feature not a bug!

To allow foo to read the kernel log without being prompted for a password - and use our newly-created Cmnd_Alias SHUTDOWN_CMDS - create the file /etc/sudoers.d/01-nopasswd containing the NOPASSWD option …

# Allow specified users to execute these commands without password

I add aliases for the commands in my ~/.bashrc to auto-include sudo

alias dmesg='sudo dmesg'
alias poweroff='sudo /sbin/poweroff'
alias reboot='sudo /sbin/reboot'
alias shutdown='sudo /sbin/shutdown'

12. SSD

Periodic TRIM optimizes performance on SSD storage. Enable a weekly task that discards unused blocks on the drive …

cp /usr/share/doc/util-linux/examples/fstrim.{service,timer} /etc/systemd/system/
systemctl enable fstrim.timer

13. Where to go next …

… is up to YOU. I created a post-install configuration shell script that builds on a minimal install towards a more complete console setup, and can also install the i3 tiling window manager plus a packages collection suitable for a workstation.

Happy hacking!


  1. Image courtesy of jschild.
  2. Note that encrypted root requires an unencrypted boot.
  3. Very helpful! LVM post on the Arch Wiki.
  4. An alternative is adding the image to a USB stick with multiple Linux installers.
  5. Mount options: relatime decreases write operations and boosts drive speed.
  6. Reserved blocks can be used by privileged system processes to write to disk - useful if a full filesystem blocks users from writing - and reduce disk fragmentation. On large non-root partitions extra space can be gained by reducing the default 5% reserve set aside by Debian to 1%.
  7. Task selection menu can be used post-install by running (as root) tasksel.
  8. Problem: setting the network interface to a static address can result in /etc/resolv.conf being overwritten every few minutes with an IPv6 address that breaks DNS. The “fix” is to manually set nameserver in resolv.conf and install the resolvconf package. Note that dns-nameservers entries are ignored if resolvconf is not installed.
  9. Multiple wireless static IP address setups can be created with iface wlp1s0_NAME inet static and [de]activated with if{up,down} wlp1s0=wlp1s0_NAME.