LMDE root and swap encryption

Archived topics about LMDE 1 and LMDE 2
Karl_MCS

LMDE root and swap encryption

Post by Karl_MCS »

Hello, first post here. And it's a good one.

My work laptop contains a huge amount of sensitive information. I'm not too concerned about tampering of the boot loader since I basically don't let it out of my sight unless it's in a secure location. What concerns me is theft... if it were to be stolen from my car or something like that. It would be an absolute nightmare if the sensitive information it contains were to get loose.

Most of my activities are workable in Linux, but unfortunately, some of them require Windows. Some of them are just better in Linux, so I multi-boot. I'm looking at reloading my laptop completely, and here's what I want to do. I need to dual boot Windows 7 and (preferably) LMDE, both with full system partition encryption. Each OS will have an unencrypted boot partition, and that's fine, but I want all OS and page/swap partitions encrypted. My general process is to install Windows first, then Linux, and then apply TrueCrypt to Windows last. That keeps me from having to mess around with the boot loaders. Alternatively I could do this without LVM and just use a file-based swap to avoid having to unlock a bunch of stuff at boot. I'm not too concerned about not being able to hibernate.

My setup would look like this:

/dev/sda1: Windows boot
/dev/sda2: Windows C:\ (OS encrypted with TrueCrypt 7.1a)
/dev/sda3: LMDE /boot
/dev/sda5: dm-crypt
/dev/sda5_crypt: LVM
/dev/mapper/lv-root: LMDE /
/dev/mapper/lv-swap: swap

Now, I can do this in Ubuntu with the alternate install disc, but between Unity and my searches getting sent to Amazon by default, I'm just not going there any more. I can partly do it, without LVM, in Mint. For some reason, the "something else" partitioning section of the installer has crypto options but not LVM. No idea why. But I have none of these options in the LMDE installer.

I've been doing some research this morning, and it looks like the most common solution is to install Debian Testing and convert it to Mint. I don't really like that, but I'll do it if that's what it's going to take. But I wanted to look at another approach that I have not been able to find any real info about. When you do manual partitioning in LMDE, it says you will need to mount your filesystems under /target, write your own fstab, and chroot install any additional required software. With a little quick reference, I'm comfortable configuring and mounting LVM via CLI. And I'm familiar enough with fstab that I think I could get through that without much trouble.

So, here's the big question. It seems like it should be possible to install LMDE directly to the encrypted LVM by setting it up manually from the Live CD. I just don't know a.) how to set up the crypto parts, b.) what, if anything, I would need to chroot install for it to remain bootable, or c.) if this will actually work.

Any thoughts?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
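The manual setup asked about in the post above, for the layout it lists (`/dev/sda3` as /boot, `/dev/sda5` as the dm-crypt container, volume group `lv` with `root` and `swap`). This is an added example, not part of the original thread or of the LMDE installer; the swap size, the helper function names and the package names are assumptions. Commands are only printed unless `RUN=1` is set, because `luksFormat` erases the partition.

```shell
#!/bin/sh
# Added example: LUKS + LVM for the layout in the post (sda3 = /boot, sda5 = dm-crypt).
# Dry run by default: commands are printed. RUN=1 executes them and ERASES $PART.
PART=/dev/sda5; BOOT=/dev/sda3; MAP=sda5_crypt; VG=lv
SWAP_SIZE=4G   # assumption, size to taste

run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }

# Step 1, before starting the installer: build the volumes and mount them on /target.
setup_volumes() {
    run cryptsetup luksFormat "$PART"            # prompts for the passphrase
    run cryptsetup luksOpen "$PART" "$MAP"
    run pvcreate "/dev/mapper/$MAP"
    run vgcreate "$VG" "/dev/mapper/$MAP"
    run lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    run lvcreate -l 100%FREE -n root "$VG"
    run mkfs.ext4 "/dev/mapper/$VG-root"
    run mkswap "/dev/mapper/$VG-swap"
    run mkfs.ext4 "$BOOT"
    run mount "/dev/mapper/$VG-root" /target
    run mkdir -p /target/boot
    run mount "$BOOT" /target/boot
}

# Step 2, after files are copied: contents for /target/etc/crypttab and /target/etc/fstab.
crypttab_line() {  # $1 = UUID of the LUKS container: blkid -s UUID -o value $PART
    printf '%s UUID=%s none luks\n' "$MAP" "$1"
}
fstab_lines() {    # $1 = UUID of the /boot filesystem
    printf '/dev/mapper/%s-root / ext4 errors=remount-ro 0 1\n' "$VG"
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$1"
    printf '/dev/mapper/%s-swap none swap sw 0 0\n' "$VG"
}

# Step 3: install the unlock tooling in the target and rebuild the initramfs so it
# can open $MAP at boot. Package names are those of Debian at the time (assumption).
finish_in_chroot() {
    for d in dev proc sys; do run mount --bind "/$d" "/target/$d"; done
    run chroot /target apt-get install -y cryptsetup lvm2
    run chroot /target update-initramfs -u -k all
    run chroot /target update-grub
}

if [ "${1:-}" = plan ]; then
    setup_volumes
    crypttab_line '<LUKS-UUID>'; fstab_lines '<BOOT-UUID>'
    finish_in_chroot
fi
```

Run it with the argument `plan` to print the full sequence; the crypttab and fstab lines must be written into the target before step 3 so the initramfs hook can find the encrypted root.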
ktheking

Re: LMDE root and swap encryption

Post by ktheking »

When using multiboot systems, the best way would be to go through a BIOS HDD encrypted solution.
This'll make 100% sure you can see the content of your drive without knowing the password.
You'll need to make sure to take backups, else in case of hardware failure it's also 100% sure that 100% of the data will be lost.
Karl_MCS

Re: LMDE root and swap encryption

Post by Karl_MCS »

The laptop in question does not support hardware encryption.
ktheking

Re: LMDE root and swap encryption

Post by ktheking »

Then I'd strongly discourage encrypting with a multi-OS system. The chance is high you'll cross in one way or another encryption systems.
What you can however potentially do is virtualise, instead of doing multiboot.
Either use Windows as main OS and virtualise Linux, or use Linux as a main OS and virtualise Windows.

If you still are into pain and suffering, have a read on these:
http://www.7tutorials.com/how-encrypt-y ... figuration
http://www.itworld.com/article/2700241/ ... nt-16.html
Karl_MCS

Re: LMDE root and swap encryption

Post by Karl_MCS »

The first link is info I already have, and the second is not relevant to my situation as you cannot encrypt a Linux OS with TrueCrypt.

I would like to get back on topic if we could please. I know what I'm getting into and accept full responsibility if it blows up in my face (which it won't). As I said I have done this before in Ubuntu. Just not LMDE which requires it be done manually.

Just pretend for the sake of my question, I never mentioned Windows. I would like to know how to install LMDE directly with encrypted LVM using the manual partitioning option in the installer. I will research this more when I can, but was wondering if anyone had a quick answer.
kurotsugi

Re: LMDE root and swap encryption

Post by kurotsugi »

a lil bit off topic... since you mentioned that you have seriously important data in your system, you should remember that LMDE is currently abandoned by the devs until 'only god knows when'. even if LMDE2 a.k.a betsy gets launched there's no guarantee that current LMDE will survive if you 'dist-upgrade' it. the easiest solution seems to be using ubuntu (you can choose an ubuntu flavour if you hate unity. they even have MATE now). if you insist that 'I must have a debian' then you can use sparkylinux, solydxk (if you prefer one based on testing) or siduction, aptosid (if you prefer one based on sid).

http://www.linuxbsdos.com/2011/01/01/ho ... le-system/
http://forums.linuxmint.com/viewtopic.php?f=197&t=71159
Karl_MCS

Re: LMDE root and swap encryption

Post by Karl_MCS »

I can deal with Unity, although if I stick with Ubuntu, I may do GNOME instead. My beef with Canonical is that they're turning into Apple and turning Ubuntu into the next Mac OS. I put up with moving all the window controls to the left and hiding window menus at the top, but putting Amazon retail results complete with price tags in my local searches crossed the line.

I have been running LMDE Cinnamon on something else for a bit and like it. Another reason for this choice was that Ubuntu always seems to break during upgrades. I have had a very poor experience with this over the years. My understanding was with LMDE being a rolling release, it shouldn't be breaking every six months. I will have to stick to LTS with Ubuntu.

Learning to set up encrypted LVM by hand would be good experience. Then I can use it on any distro I want. Just wish I could get an answer to my question instead of alternatives and discouragement.
kurotsugi

Re: LMDE root and swap encryption

Post by kurotsugi »

> Just wish I could get an answer to my question instead of alternatives and discouragement.

I already gave you one: http://forums.linuxmint.com/viewtopic.php?f=197&t=71159
in case you haven't read it, it's a detailed step-by-step tutorial to get LVM on LMDE.

> My understanding was with LMDE being a rolling release, it shouldn't be breaking every six months.

if you used LMDE in the last 8 months, you probably never knew it; the fact is, something in LMDE always breaks when an UP comes. all rolling releases have a tendency to break. you might feel that LMDE is rock stable but that's because LMDE hasn't been updated for more than 8 months (and it won't get any update at least until next spring in 2015). it's not rolling at all. it's an abandoned system and many users consider it a dead project until LMDE2 gets released. the development gap between current LMDE and next LMDE is too wide and you'll mostly be forced to reinstall your system when LMDE2 gets released.
Karl_MCS

Re: LMDE root and swap encryption

Post by Karl_MCS »

I'm not sure what you mean by calling it an abandoned system. The LMDE ISO is only about seven months old (compared to Ubuntu releasing a new ISO every six months, and this is considered a pretty rapid release schedule for an OS). I also get some package updates once or twice per week, although granted not the 30 per week I'm accustomed to seeing with Ubuntu.

Direct quote from the download page: "You don't need to ever re-install the system."

So what you're basically saying is this is all wrong, and advising me not to use LMDE at all?
kurotsugi

Re: LMDE root and swap encryption

Post by kurotsugi »

the iso release date also means the last update packs on LMDE. it means, in general, until LMDE2 gets released you won't get any security patch, bug fix, or any kind of updates. LMDE2 will be released when debian jessie becomes stable. it's roughly next spring or one year after it enters the frozen period. if you don't mind using an OS with hundreds of security holes for the next one year then you can keep using it. last time I checked into DSA, a few weeks ago, LMDE had missed more than 300 security patches. LMDE is certainly not a secure system. I was advising not to use LMDE since you said that you have sensitive information on your laptop and you need a secure system.

> Direct quote from the download page: "You don't need to ever re-install the system."

theoretically, yes. rolling means no more reinstalling the system. however, with a long development gap it will be very hard to survive a system upgrade. when LMDE was still using the UP system with a 3-6 month development gap, a lot of users couldn't survive a system upgrade and were forced to reinstall their systems. when LMDE2 gets released, the gap between the latest release and LMDE2 will be 2 years. with such a long gap nothing can guarantee your system will survive a system upgrade.