Linux Mint Forums

[hashstat]

Introduction

There are several decent guides out there for installing Linux Mint Debian Edition on an encrypted LVM file system. I haven't seen one yet, however, that does this with just the LMDE install DVD and the computer. This howto has you first install Debian Testing using a Debian Testing install CD or DVD, modify the package sources, and then install the LMDE packages. The problem is that you need a good network connection and alot of packages are missing that would be installed with the standard LMDE installer. This guide uses a method similar to the howto below, and is a good reference, but it requires you to install LMDE to some external media that will be copied back; an unnecessary step.

This guide will explain how to install LMDE using nothing but the LMDE install media and a network connection. It is expected that those following this guide are comfortable entering commands in a terminal.

Warning -- The procedure outlined in this document is for installing a clean version of Linux Mint Debian Edition using the entire hard drive. It will overwrite any and all data. Please be sure to backup important data to external media before proceeding.


Overview

This example uses a computer with 2GB of RAM and a 50GB hard drive corresponding to /dev/sda. The hard drive will have two primary partitions: a 200MB boot partition (/boot) and an LVM partition that fills the remainder of the drive. The LVM partition may optionally be encrypted. The procedure varies slightly for encryption, so be sure to watch for those deviations.

First, you will boot the computer using the Linux Mint Debian Edition Live DVD and install some required tools. Next, you will partition the drive, with optional encryption, and create and partition the volumes. Then you will mount the volumes and extract the Live DVD image into them. Finally, you will chroot into the environment and fixup the system for first boot.


Preparation

Begin by backing up all your important data. This process will destroy everything on the disk.

Once you are sure all your data is safe, put the LMDE DVD in the computer and boot the LMDE live image. Open a terminal from the menu. You need superuser privileges for everything, so make life easier by getting a root shell.

Code: Select all

sudo -s


Then the package lists need to be updated. You also need to install lvm2 and squashfs-tools.

Code: Select all

apt-get update
apt-get install lvm2 squashfs-tools


Volume Creation

Next, you must partition the hard drive. You can use your favorite partitioning tool for this (cfdisk, fdisk, parted, etc.). Gparted is a great partition editor, so that is what I used.

Code: Select all

gparted /dev/sda


Again, my hard drive device is /dev/sda. But yours may be /dev/hda or something else. It is up to you to be sure you are using the appropriate drive. Delete your existing partitions. In gparted, I just create a new msdos partition table (in the Device menu) which will remove existing partitions. Create a new 200MB ext2 primary partition at the start of the disk. Then create an unformatted partition using the remainder of the disk. In my example, the two partition devices are /dev/sda1 and /dev/sda2. If your devices differ, be sure to use your devices in the commands below. Be sure to save your changes.

Now you must make a decision: to encrypt or not to encrypt. Code blocks that differ based on this decision are labeled. If you choose to encrypt, it is considered best practice to first fill the partition with randomness to defeat certain key recovery techniques. This step can take quite a long time. Please be patient. It is also your responsibility to research what encryption algorithms and key sizes are right for you. The following commands just use the defaults. Also, it is a good idea to remember your password.

With encryption:

Code: Select all

apt-get install cryptsetup
dd if=/dev/zero of=/dev/sda1 bs=1M
dd if=/dev/urandom of=/dev/sda2 bs=1M & sleep 5; while kill -USR1 ${!}; do sleep 60; done
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 sda2_crypt
VOLUME=/dev/mapper/sda2_crypt


Without encryption:

Code: Select all

VOLUME=/dev/sda2


I named my volume group volumes. Feel free to change it. You should also choose sizes that fit your needs. If you plan to suspend to RAM, you need a swap volume that is at least as large as the amount of RAM in your system. The -n option gives the volume name and the -L option the volume size. Use man lvcreate for more information.

Code: Select all

pvcreate $VOLUME
vgcreate volumes $VOLUME
lvcreate -n lmde -L 10G volumes
lvcreate -n swap -L 2G volumes
lvcreate -n home -L 50G volumes


If there is insufficient space you will get a message like the following:

Volume group "volumes" has insufficient free space (9984 extents): 12800 required.

Just rerun the command replacing the -L option with -l (lower-case L) and the number in the parenthesis (9984 in this case).

Example:

Code: Select all

lvcreate -n home -l 9984 volumes


You should now see your new logical volumes in /dev/volumes. They need to be formatted before they can be used.

Code: Select all

mkswap -L swap /dev/volumes/swap
swapon /dev/volumes/swap
mkfs -t ext2 -L boot /dev/sda1
mkfs -t ext4 -L root -j /dev/volumes/lmde
mkfs -t ext4 -L home -j /dev/volumes/home


Volume Population

Now it's time to install a system on those shiny new volumes. First, you must mount them somewhere on the file system.

Code: Select all

mount /dev/volumes/lmde /mnt
mkdir /mnt/boot /mnt/home
mount /dev/sda1 /mnt/boot
mount /dev/volumes/home /mnt/home


Then extract the Live DVD file system into /mnt.

Code: Select all

unsquashfs -f -d /mnt /live/image/casper/filesystem.squashfs


Now you need to update /mnt/etc/fstab so the new system will know where to mount the volumes. Open fstab with your favorite editor (gedit, vi, nano, etc.) and replace the entries with something like the following.

/mnt/etc/fstab

Code: Select all

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
LABEL=boot      /boot           ext2    defaults        0       2
/dev/volumes/lmde /             ext4    errors=remount-ro 0     1
/dev/volumes/home /home         ext4    defaults        0       2
/dev/volumes/swap none          swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto 0       0


If you chose to encrypt, edit /mnt/etc/crypttab. Lines starting with # are supposed to be ignored, but that wasn't my experience, so I recommend removing everything but the following line.

With encryption:
/mnt/etc/crypttab

Code: Select all

sda2_crypt      /dev/sda2       none    luks


Prepare Install for Booting

Prepare and chroot the new system. Then mount those special file systems.

Code: Select all

cp /etc/resolv.conf /mnt/etc/
mount --bind /dev /mnt/dev
chroot /mnt
mount -t sysfs none /sys
mount -t proc none /proc
mount -t devpts none /dev/pts


It's not a bad idea to change the prompt to remind you that this is a chroot.

Code: Select all

export PS1="(chroot) \$ "


Now remove all the Live DVD packages and update the package lists.

Code: Select all

apt-get purge 'live-*'
apt-get update


Then install the extra packages.

With encryption:

Code: Select all

apt-get install cryptsetup lvm2


Without encryption:

Code: Select all

apt-get install lvm2
update-rc.d -f lvm2 remove
update-rc.d lvm2 start 10 S . stop 10 0 6 .


If you make any changes to /etc/crypttab after installing cryptsetup, you will need to run update-initramfs -u to update the initial ramdisk image.

Grub needs to be installed to the MBR (unless you are using another boot manager).

Code: Select all

dpkg-reconfigure grub-pc


Accept the defaults except when asked to select the GRUB install device(s). For that, select /dev/sda (or whatever your device is named).

That should be enough to boot into the newly installed system. But you need to setup an account to make it usable. Replace <username> with your desired login name in the following commands.

Code: Select all

deluser --remove-home mint
adduser <username>
addgroup <username> sudo


Either set the root password:

Code: Select all

passwd root


Or disable the password (Ubuntu style):

Code: Select all

passwd -l root


Because the mint user was removed, GDM automatic login will be broken. Unless you want to see a blank screen with only the busy spinner when you boot, be sure to complete this step. Open /etc/gdm3/daemon.conf with vi or nano and replace

AutomaticLoginEnable=true

with

AutomaticLoginEnable=false

.

Cleanup and Restart

Theoretically, you should be able to reboot at this point, but it is a good idea to back out some first.

Code: Select all

umount /dev/pts
umount /proc
umount /sys
exit   # exits chroot
umount /mnt/dev
umount /mnt/home
umount /mnt/boot
umount /mnt
sync   # write all changes to disk


You can now safely reboot. Be sure to eject the DVD when prompted. If you chose to encrypt, you should be prompted for a password. Otherwise, you should get the familiar GDM login screen. Enter your username and password from above and you should be logged in.

I hope this helped. I'll try to watch this post for questions. Good luck!

[kwatson512]

@hashstat, Thanks for posting this!

I'm running Mint 10 right now, dual-booting with Windows 7. My Windows partition is encrypted, and my Mint /home directory is as well. I would like to switch from Mint 10 to Mint Debian, but I must encrypt at least the /home directory, and I need to preserve the Windows partition for work reasons. I'm comfortable in the command line, but have been known to bork systems in the past. Can you recommend a way (or a modification to your tutorial) to install LMDE with either an encrypted partition or encrypted /home, dual-booting with Windows?

[hashstat]

Thanks for the positive feedback kwatson512. I've used both the encrypted and unencrypted methods at work. I posted this howto both as a reminder to myself (because I forgot some things the last time ) and to help others out.

If you want to keep the setup you have but with Mint Debian instead of Mint 10, your work is half over (maybe more). Just boot into the LMDE Live DVD, skip the partition setup, and go straight to Volume Population. Okay... maybe not straight; you'll need to take a slight detour.

But it is hard to come up with that detour without more information. Can you post your /etc/fstab and /etc/crypttab and the output of 'sudo sfdisk -l' and 'sudo lvdisplay' (if you are using LVM).

I think it will be a matter of formatting (or just erasing) your old root partition and mounting your file systems in /mnt just as they are under Mint 10. Then unquash the LMDE image into /mnt, install any required packages, and use your old /etc/fstab and /etc/cryptab files in the new system.

I would recommend that you backup everything important before doing anything. And it would be a good idea to try things in a virtual machine first. That's what I did when writing this guide. I used VirtualBox to verify the procedure.

Anyway, if you post that additional information, I'll get back to you with more specifics.

[kwatson512]

I'm also running Win7 in a VM in VirtualBox, and I have a current Mint Debian VM also (but not encrypted). I will test this in a VM before wiping my primary partition.

Here are the pertinent configuration files.

/etc/fstab:

Code: Select all

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
# / was on /dev/sda5 during installation
UUID=ad184db2-b0e4-48cc-a653-773708d99e07 /               ext4    errors=remount-ro 0       1
# swap was on /dev/sda6 during installation
UUID=fd15169c-1c9a-4b6f-af70-2acd8585a10e none            swap    sw              0       0

sfdisk -l:

Code: Select all

Disk /dev/sda: 30401 cylinders, 255 heads, 63 sectors/track
Warning: extended partition does not start at a cylinder boundary.
DOS and Linux will interpret the contents differently.
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sda1   *      0+  12747   12748- 102398278+   7  HPFS/NTFS
/dev/sda2      12748+  30400   17653- 141797692    5  Extended
/dev/sda3          0       -       0          0    0  Empty
/dev/sda4          0       -       0          0    0  Empty
/dev/sda5      12748+  29678   16931- 135998226   83  Linux
/dev/sda6      29679+  30400     722-   5799433+  82  Linux swap / Solaris


I don't have a crypttab file. I have an encrypted /home directory, not the entire partition. And that's really all I need. So my /home directory includes a .Private directory, where all my data resides. If I lose my laptop, I don't care if people get access to the Mint filesystem - after all, it's a free open-source operating system. What I want to protect is my personal and work data.

[hashstat]

kwatson512,

Mint 10 is based on Ubuntu 10.10 and uses ecryptfs for encrypting /home. It looks like Debian testing and Ubuntu 10.10 both have ecryptfs-utils version 83 in the repositories. I'm not sure what else would be required to get /home encryption working flawlessly. I would try playing with a clean install of LMDE in a VM and see if you can replicate what is required if that is the way you want to go. Do some searching for ecryptfs encrypted home on Debian. And be sure to encrypt the swap partition as well.

You can use LUKS to encrypt /home as well and probably do something similar to Ubuntu to automatically mount the encrypted volume. It could even be a special file you create with dd. I think that is the way I would go. I may even look into this soon as full disk encryption is taxing my work laptop.

I'm afraid I can't be of more help. What you are after is a bit more advanced and something I have never done or looked into before. But I bet someone else has and created a thorough tutorial. Be sure to post a link back here when you figure it out.

Best of luck.

[jfjf]

@hashstat

thanks for the post, worked like a charm on my computer. Now running lmde 64bit with encrypted lvm.
Not having an encrypted lvm, was the one reason for me not installing LMDE.

Additionally I did an apt-get dist-upgrade while in chroot, so I would have the
latest kernel, libre-office ...

[Pliny]

I admit I'm new to linux.
I tried following the instructions for installing with encryption but got hung up on this line
dd if=/dev/urandom of=/dev/sda2 bs=1M & sleep 5; while kill -USR1 "$!"; do sleep 60; done
It didn't like the exclamation mark, am I doing something wrong?? I copied and pasted as is.

[panzer]

I would like to reinstall LMDE into my PC with encryption and your howto looks great.
But I have two questions:
1- Do I really need to fill the partition with randomness? You said it takes long time to do this (many hours...)?
-When I install Ubuntu and I choose to encrypt my home, it doesn't take hours to achieve this.

2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to
type a passphrase then my password to login into my account each time I reboot...(well, maybe I'm too lazy).

Thanks for your answers!

[hashstat]

@Pliny

Bash is using the bang (exclamation mark) for history expansion. I modified the line in the howto to remove the quotes and include curly braces to ensure it is interpreted properly.

Code: Select all

dd if=/dev/urandom of=/dev/sda2 bs=1M & sleep 5; while kill -USR1 ${!}; do sleep 60; done

By the way, this command starts dd in the background and sends it the USR1 signal every minute until dd is done, causing dd to print its progress.


@panzer

It is important to fill the encrypted partition with pseudo-random data before use to defeat crypanalysis (or at least make it much harder). LUKS uses block-level encryption. I am assuming LUKS must encrypt the entire block without caring about what is actually on it. Filling the disk with randomness reduces the chance of an attacker guessing what the block contains. /dev/urandom is terribly slow (probably an overnight event). There may be other utilities that would work faster, but I would not recommend skipping this step.

Ubuntu uses ecryptfs to encrypt the home directory, which uses PAM to get your login credentials to unlock your encryption key allowing you to only type your password once. With LUKS full-disk encryption, you are asked your password before the real root file system is mounted and before the system is ready for you to log in. So, there isn't a way (that I know of) around entering two passwords. But don't worry, it doesn't take long to get used to it.

[panzer]

@hashstat

I didn't know ubuntu was using another method to encrypt.
So, is there a howto to encrypt my home directory in LMDE (if I do a complete reinstall) the same way as ubuntu?

Thanks

[jfjf]

2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to
type a passphrase then my password to login into my account each time I reboot...(well, maybe I'm too lazy).

Just edit the /etc/gdm3/daemon.conf and set AutomaticLoginEnable=true
BUT it is also important to set AutomaticLogin=newuser
where newuser is your new user you created following the HowTo..

[hashstat]

@panzer

A quick search in the Mint forums on encrypting the home directory with ecryptfs didn't return anything useful. A Google search returned several results that should be helpful. I may do this on a laptop soon. I'll post something if I figure it out. Post back here if you find anything useful. Thanks.

[ccgg]

Hello Hashstat,

Brilliant HowTo ... I'd like to ask an 'overview' question concerning your use of LMDE's contained squashfs. I had thought that, as the live version assembles itself while starting up, that it configured itself to the machine it was running on ; that is, drivers selected, config(s) done, etc. So, not clear about this, if you use the vanilla, 'base' version of LMDE contained in the squashfs, that seems that it would not include config for the specific (current) machine - no ? I had thought that the reason for doing an 'intermediary install' as in the previous writeup for an encrypted, lvm2 LMDE installation was to include all/any local configuration - whereas your proposed method would seem to bypass such config.

Just asking, this is not a critique (it's an area of my ignorance, how could it be ?), I'm interested in clarifying this point. Am I missing something simple and obvious ?

Thanks again for the super writeup.

ccgg

[hashstat]

@ccgg,

This howto does skip some of the configuration that an installer would normally perform. It only does enough to get you up and running with LVM and encryption (optional) on the new system, which is something the current installer does not support. As far as I know, the setup steps I've skipped are configuring the keyboard, advanced network setup (with host name), and adding additional packages. I will claim ignorance if I've missed anything else as I haven't used the LMDE installer. I'm new to LMDE and based this howto on my experience with creating custom Ubuntu live CDs. Configuring the missed items is really simple and can mostly be done from the Control Panel. The hostname can be set by editing /etc/hostname.

I will not claim that I haven't missed something, but I believe all the basics are covered. If more experienced Debian/LMDE users would like to chime in, it would provide a more complete solution.

You could also try comparing the results of the installer to this method. Or even better, have a look at the installer code/scripts. I believe, however, that following this howto will get you a working system that is very close to one installed via the normal method.

Thanks for the post back. Enjoy LMDE. I know I am after Ubuntu turned down a path I don't agree with.

[ccgg]

hashstat :

Thanks for the response. I agree entirely with your feelings about Ubuntu and am also turning to LMDE, although for somewhat more pragmatic reasons. I've been grounded in a Debian system for the past 10 years or so, am entirely happy with it and have have acquired reasonable admin skills for its care & feeding. I've done lots of installations for friends, usually Ubuntu, until now having considered it 'beginner friendly' enough. In total it's been about ~100 installs. (My bit as a Linux 'Johnny Appleseed'.) Progressively, though, it's become a major time sink for me, fixing the endless cavalcade of bugs that Ubu has released and, worse, the bugs have caused enough people to give up on their shiny new Linux installs ... Unacceptable - and it seems as though it will continue to get worse.

So, back to technical issues : you are entirely correct about the surface config issues - language, keyboard, timezone, locale, etc. Those are easily enough taken care of on first login. What I was wondering, though, and this is where my blind spot is, is when the 'live' instance first comes up and does the underlying config for the system. That is, both the live system and your neat way of doing this, at some point shortly after unpacking 'filesystem.squashfs' must take a look at the current hardware and do basic config - kernel modules, creation of an /etc/fstab file, running udev, that kind of thing - on that level. The major subsystems should take care of themselves - X, these days will autoconfigure, as will HAL, if there, and udev but where does, e.g. alsa detection and configuration come in ? As said, this is a blind spot - obviously *every* live system does this *each* time it comes up but I'm wondering whether that is part of the live-* stuff and not part of the underlying system.

Thanks again for the attention - not to mention the terrific HowTo.

Best wishes,
ccgg

[michaelzap]

2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to
type a passphrase then my password to login into my account each time I reboot...(well, maybe I'm too lazy).

Just edit the /etc/gdm3/daemon.conf and set AutomaticLoginEnable=true
BUT it is also important to set AutomaticLogin=newuser
where newuser is your new user you created following the HowTo..

Assuming you use the Gnome keyring, then I've found that it's also useful to delete those files (the ~/.gnome2/keyrings folder) and then when asked for a new keyring password (probably when you connect to wifi) enter a blank password. That keeps the keyring from popping up and bugging you after an automatic login. Since everything in your home directory or partition is encrypted anyway, this isn't a risky thing to do.

I just install to an encrypted partition the easy way (I use either a Debian or Crunchbang installer, which have encryption options, and then I add the Mint repos to sources.lst and do a dist-upgrade), but maybe I'll try it this way the next time.

[hashstat]

@ccgg

I understand your concerns. There really isn't much difference between Debian-based live CDs and a freshly installed system. A lot of things that used to need to be configured by hand are now auto detected/configured. That said, your concern prompted me to look at the installer package to see what differences there really are between my method and the official installer. You can look yourself by downloading the live-installer source package (enable source packages in the update manager, and do `apt-get source live-installer` in a terminal on the Live CD or an LMDE install). The steps below were taken from live-installer-2010.12.16.1/usr/lib/live-installer/installer.py, which is the file containing the model for the LMDE GTK-based installer, and are the steps the official installer performs to prepare a new system. Steps that are also in this howto are marked marked with a `y` while those I left for the user are left blank.

Code: Select all

[y] mount the media
[y] format the partitions as appropriate
[y] mount filesystems
[y] copy files
[y] chroot
[y] remove live user
[y] remove live-initramfs and live-installer packages
[y] add new user
[y] write /etc/fstab
[ ] write /etc/hosts and /etc/hostname
[y] reset /etc/gdm3/daemon.conf
[ ] set the locale
[ ] set the timezone
[ ] localize Firefox and Thunderbird
[ ] set the keyboard options
[y] write master boot record (grub)
[ ] run `dpkg --configure -a`
[y] umount filesystems


I've used the method in this howto to install LMDE on two laptops, a desktop, and multiple virtual machines. The laptops and desktop were all Dells, but each has vastly different hardware. All of these systems work great.

Now that I've looked at the installer, it looks like a trivial task to throw together a simple python script that could read a config file and invoke the installer script with the appropriate options. If only I had more free time!

Anyway, great questions ccgg. I don't think you have anything to worry about.

[ccgg]

hashstat :

Thanks for the clarification(s). I never doubted that you tested the procedure well but you've provided the conceptual 'missing link'. I, as well, were it not for time, would be interested in 'completing that circle' but I can't really believe, beyond the immediate future, that the Mint devs won't simply adapt the Debian installer. It's endlessly brandable and configurable and would eliminate the need for clever, elegant and nifty efforts - like your own. I suppose that it was time & resource constraints that led to the writing of the current LMDE installer, but I can't believe that canny and capable devs, like the people here, won't simply leverage and take advantage of the greater capabilities of the Debian installer.

In the event, thanks again ! I will use your recipe - or a slight variant, for my installations - until an improved installer appears.

Best wishes,
ccgg

[bitu]

Tnx for the manual! I installed sucessfully after some faults.

At least I got a problem with updating with the update manager and got the LMDE updates message "Fix Broken Packages". I am familiar with this on everz nwe installation of Version 9. The Solution:
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

That will need much time and some user interactions!

I ask myself and the experts if it is not posible to avoid this annoying bug in change the line
apt-get purge 'live-*'
apt-get update

by the lines

apt-get purge 'live-*'
apt-get update && apt-get upgrade && apt-get dist-upgrade

Because my installation and update with the given line above was successful at least I cannot try it without beginning from start - I do not like to. So I hope the experts might check this idea.

BTW I could not shutdown regularily - it hangs on the "clear swap" step or something like that. I had to shut it down bz the power switch, but it restarted properly anyway.

Regards BB

[bitu]

Sorry, I forgt to mention that I installed the mintdesktop after hat apt/get sequence>
apt install mintdesktop
So I cannot tell for sure if that line or the other was rsponsible for the repair.

Regards BB