This guide is intended to help users who want to install Linux Mint Debian Edition (LMDE) on their system with whole-disk encryption, that is, everything on the system is encrypted on the fly and transparently to the user, except for a small boot partition that is used to start everything else. As a side benefit, we will also install Mint on top of LVM volumes.
It is assumed that the user following this guide is comfortable with the command line and with the concepts behind the procedures outlined here. To follow the guide you need the computer you will be working on with an Internet connection, the installation media, and some sort of removable media (e.g. a USB stick or external hard disk, big enough to hold a Mint installation) that the system recognizes as a regular disk (e.g. sd*, hd*; this requirement is only due to limitations of the installer).
WARNING: beginners, be aware that following this guide blindly will irrevocably destroy all your data!
Having said that, one can never stress enough how important it is to have all your important data backed up properly before following procedures such as the one described here.
2. Preparing the disks
First you need to prepare your disks to be encrypted, and although this step is a very tedious one, it is crucial to have your disk properly sanitized before you proceed, or you risk having residual data disclosed.
To sanitize the disk you will be installing Mint LMDE onto (assumed to be sda in this guide), first boot your Mint installation media, open a terminal (Menu -> Terminal), and type the following to become root:
sudo su
You can sanitize your disk by a variety of methods. I've personally used plain old dd, but I've also heard of a good tool called shred, which is also included on Mint's installation disk. To wipe everything with dd, run the following a couple of times (the more passes you make, the more securely your hard disk will be sanitized):
dd if=/dev/urandom of=/dev/sda bs=1M & pid=$!
This gets dd running in the background, and you will notice some activity on the disk. It will take a long time, depending primarily on the size of your disk (it took me one and a half days per pass on a 250 GB disk). You can see dd's progress by sending it a USR1 signal from the terminal:
kill -USR1 $pid
After sanitizing your disk you should create two partitions:
- sda1: primary, 512 MB in size, at the beginning of the disk, bootable flag set, type Linux
- sda2: primary, occupying the rest of the disk, type Linux
One great tool for creating the partitions is cfdisk, which comes preinstalled with Mint. It is very intuitive and easy to use: you choose the command to be performed with 'Enter' and navigate between the commands and partitions with the arrow keys; I'm sure you will find your way.
cfdisk /dev/sda
3. Getting an intermediate Mint install
Next, you should install Mint to the removable media you have handy (assumed here as being sdb). Before initiating the installer you should use cfdisk once more to create one single big partition on the device (named sdb1). Create it primary, occupying the whole disk, bootable flag set, type Linux:
cfdisk /dev/sdb
Use the regular Mint installer to install onto the removable device, just as you would regularly install onto your hard disk. When asked where to install the grub boot loader, choose /dev/sdb. Don't reboot the computer once the install is finished.
After finishing the procedure outlined here the device can be used as a persistent Mint live media, like a recovery media for example, or you can just delete this intermediate Mint install.
4. Setting up LUKS encryption and Logical Volume Management
Before proceeding, we must install the relevant utilities on the installation media.
aptitude update
aptitude install cryptsetup lvm2
Next, we set up encryption on the big partition we created earlier on the target computer's disk. You can use different ciphers, modes of encryption and/or key sizes, but the ones below are pretty good defaults. Also, be sure to choose a sufficiently long passphrase, preferably with upper case, lower case, special symbols and punctuation. Keep in mind that if you forget your passphrase you will have to crack it or your data will be lost forever, so choose a passphrase that you can remember.
cryptsetup luksFormat --cipher aes-xts-plain --key-size 512 /dev/sda2  # a 512-bit XTS key is two 256-bit AES keys; use aes-xts-plain64 on devices larger than 2 TiB
After creating the vault, we must map it through the Linux kernel to a virtual block device. This is accomplished by opening the LUKS device:
cryptsetup luksOpen /dev/sda2 sda2_crypt
Next we will set up LVM. First you need to instruct LVM which devices you will be using as physical volumes:
pvcreate /dev/mapper/sda2_crypt
Now create the volume group itself:
vgcreate vg /dev/mapper/sda2_crypt
Now we can add the logical volumes to the setup. The logical volumes are the containers that will hold the file systems, so you can imagine them as being more or less like standard partitions, but with a lot more flexibility. The partitioning scheme is a subject of much debate, and I won't get into it in this guide. The scheme shown here is just for informational purposes, and shouldn't be regarded as being accurate in any manner. If you want further advice I'd suggest the Debian Installer Guide (http://www.debian.org/releases/stable/i386/apc.html.en) as a great resource on this subject (and many others).
To illustrate the procedure in this guide, we will be setting up five different volumes, for the following mount points: swap, /, /var, /usr and /home. Note that there is one further mount point that we will be using (namely /boot), but that will reside on its own partition. You can adapt this to your own needs (note the lowercase 'l' in the last command; this is to illustrate some of the possible syntax the command accepts):
lvcreate -n swap -L 1G vg
lvcreate -n root -L 1G vg
lvcreate -n usr -L 3G vg
lvcreate -n var -L 2G vg
lvcreate -n home -l 100%FREE vg
Next, we create the needed file systems:
mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-usr
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap
5. Copying the intermediate Linux Mint install to its final location
We had to make an intermediate Mint install earlier because the default installer won't recognize the LVM volumes we have just set up, so we will use that install as the source for our final Linux Mint install. First we set up some mount points:
cd /mnt
mkdir target source
Now we mount the root target and the source file systems:
mount -t ext4 /dev/mapper/vg-root /mnt/target
mount -t ext4 /dev/sdb1 /mnt/source
Now we can create the remaining mount points:
cd target
mkdir usr var home boot
And mount the rest of the file systems on their respective mount points:
mount -t ext2 /dev/sda1 boot
mount -t ext4 /dev/mapper/vg-usr usr
mount -t ext4 /dev/mapper/vg-var var
mount -t ext4 /dev/mapper/vg-home home
Now we can copy everything from the source intermediate Mint install to its final destination:
cp -av /mnt/source/. ./   # "/." rather than "*" so that dotfiles in the top-level directory are copied too
6. Fixing the target system
If we weren't using LUKS and LVM this would be an almost working setup. But since we are, we must make the target system aware of it, and thus we should fix a couple of things.
Since we're going to chroot on the target system soon, it is worth enabling swap space first:
swapon /dev/mapper/vg-swap
Next we need to mount some additional file systems to be able to use our target system properly once we chroot into it:
mount --bind /dev dev
And we also need to have the domain name resolver working on the new system, so we copy the resolv.conf file to the target system:
cp /etc/resolv.conf etc
Next we can chroot into our fresh Mint install:
chroot /mnt/target /bin/bash
We set a variable to remind us that we are in a chrooted environment:
export PS1="[chroot] $PS1"
And mount the remaining virtual file systems:
mount -t devpts devpts /dev/pts
mount -t tmpfs tmpfs /dev/shm
mount -t proc proc /proc
mount -t sysfs sysfs /sys
Now we install LUKS and LVM on the target system:
aptitude update
aptitude install cryptsetup lvm2
Nope, we haven't taken this step yet. Earlier we installed LUKS and LVM on the live installation media, now we're installing it on the target system. You remember that, right?
After installing the tools, we need to set up some configuration files so that the system knows how to boot properly once we finish fixing it. First, create the map for the encrypted partition in /etc/crypttab:
echo 'sda2_crypt /dev/sda2 none luks,tries=3' >> /etc/crypttab
And then we need to recreate /etc/fstab to reflect the layout we have used throughout this guide. To edit it you can issue on the command line:
nano /etc/fstab
For the setup we have used here, the following fstab is a valid one. Use it as a template and adapt it to your own needs. Be sure to remove the entries that were added by the Mint installer when we made the intermediate install:
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 /boot ext2 defaults 0 2
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/mapper/vg-root / ext4 defaults,errors=remount-ro 0 1
/dev/mapper/vg-usr /usr ext4 defaults 0 2
/dev/mapper/vg-var /var ext4 defaults 0 2
/dev/mapper/vg-home /home ext4 defaults 0 2
/dev/mapper/vg-swap none swap sw 0 0
proc /proc proc defaults 0 0
Next we need to configure initramfs-tools so that it includes the proper modules every time your initramfs is (re)generated. Edit the file with:
nano /etc/initramfs-tools/modules
Make it look like the following:
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
dm-crypt
aes-x86_64 # if you're installing on a 32-bit architecture, set to aes-i586
xts
sha256_generic
sha512_generic
ahci # needed because of my sata controller, set yours accordingly
Regenerate your initramfs:
update-initramfs -uv
Make sure you will get the right options at the grub menu:
update-grub
And install grub to the MBR of your hard disk:
grub-install /dev/sda
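Before leaving the chroot it is worth checking that the three files edited above (crypttab, fstab and the initramfs modules list) agree with the layout used in this guide, because a mismatch only shows up as a system that will not boot. The following pre-reboot check is an added example and not part of the original guide; it assumes the guide's names (sda2_crypt on /dev/sda2, volume group vg, the five logical volumes, /boot on /dev/sda1) and reads only plain files, so it can also be run from the live system as precheck /mnt/target.

```shell
#!/bin/sh
# Pre-reboot sanity check for the LUKS + LVM layout built in this guide
# (added example; assumes the guide's device and volume names below).
# Run "precheck" inside the chroot, or "precheck /mnt/target" from the
# live system. Only plain files are read, so it is safe anywhere.

MAPNAME=sda2_crypt
CRYPTDEV=/dev/sda2
VG=vg
LVS="root usr var home swap"
MODULES="dm-crypt xts sha256_generic"   # the aes-* module name depends on the arch

# 1. crypttab must map MAPNAME onto CRYPTDEV with the luks option set.
check_crypttab() {   # $1 = path to crypttab
    awk -v n="$MAPNAME" -v d="$CRYPTDEV" \
        '$1 == n && $2 == d && ("," $4 ",") ~ /,luks,/ { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# 2. every logical volume must appear in fstab, vg-root must be mounted on /,
#    and /boot must come from the unencrypted partition.
check_fstab() {      # $1 = path to fstab
    for lv in $LVS; do
        grep -Eq "^/dev/mapper/${VG}-${lv}[[:space:]]" "$1" ||
            { echo "fstab: no entry for ${VG}-${lv}" >&2; return 1; }
    done
    grep -Eq "^/dev/mapper/${VG}-root[[:space:]]+/[[:space:]]" "$1" ||
        { echo "fstab: / is not on ${VG}-root" >&2; return 1; }
    grep -Eq "^/dev/sda1[[:space:]]+/boot[[:space:]]" "$1" ||
        { echo "fstab: /boot entry missing" >&2; return 1; }
}

# 3. initramfs-tools must load the crypto modules; comment lines are ignored.
check_modules() {    # $1 = path to initramfs-tools/modules
    for m in $MODULES; do
        grep -Eq "^[[:space:]]*${m}([[:space:]]|$)" "$1" ||
            { echo "modules: ${m} not listed" >&2; return 1; }
    done
}

# Run all three checks against a root directory (default: the current root).
precheck() {         # $1 = target root, e.g. /mnt/target
    r=${1:-}
    check_crypttab "$r/etc/crypttab" &&
    check_fstab "$r/etc/fstab" &&
    check_modules "$r/etc/initramfs-tools/modules"
}
```

This checks only the three configuration files; on the real system also confirm with lvs that the five volumes exist before rebooting.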
Having finished this, let's prepare our computer to reboot. Leave the chroot, unmount everything in reverse order (including the proc and sys mounts made inside the chroot, which would otherwise keep the target busy), deactivate the volume group and close the LUKS device:
exit
umount dev/pts
umount dev/shm
umount dev
umount proc
umount sys
umount usr
umount var
umount home
umount boot
cd /mnt
umount target
umount source
swapoff /dev/mapper/vg-swap
vgchange -a n
cryptsetup luksClose sda2_crypt
Now cross your fingers, remove the installation media and the removable device on which you did the intermediate install, and reboot your system. When your system starts, it should ask you for the LUKS passphrase you set up earlier. Type it at the following prompt; nothing is echoed back to the screen, which is normal behaviour:
Enter passphrase:
Log into the user account you created when doing the intermediate install, and congratulations, you're done.


