Installing Mint LMDE with whole disk encryption (LUKS+LVM)

Write tutorials and howtos in here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Do not start a support topic here please. Before you post please read this

Installing Mint LMDE with whole disk encryption (LUKS+LVM)

Postby CyL on Wed Jan 05, 2011 8:47 pm

1. Introduction

This guide is intended at aiding users that want to install Linux LMDE on their system with whole disk encryption, that is, everything on the system is encrypted on-the-fly and transparently to the user, except for a small boot partition that will be used to start everything else. As a side bebefit, we will also install Mint on top of LVM volumes.

It is assumed that the user following this guide is acquainted with the command line, and with the concepts involving the procedures outlined here. For you to be able to perform the guide you need the computer you will be working on with an Internet connection, the installation media, and some sort of removable media (e.g. usbstick, external hard disk, etc, big enough to hold a Mint installation) that is recognized by the system as a regular disk (e.g. sd*, hd*, also note that this is only due to limitations on the installer).

WARNING: beginners, be aware that following this guide blindly will irrevocably destroy all your data!

Have said that, one can never stress too much how important is to have all your important data backed up properly before following procedures such as the one described herein.



2. Preparing the disks

First you need to prepare your disks to be encrypted, and although this step is a very tedious one, it is crucial to have your disk properly sanitized before you proceed, or you risk having residual data disclosed.

To satinitize the disk you will be installing Mint LMDE into (assumed as sda in this guide), first boot your Mint installation media, and open up a terminal (Menu -> Terminal), and type the following to become root:
Code: Select all
sudo su


You can sanitize your disk by a variety of methods, I've personally used plain old dd, but I've also heard of a good tool called shred that is also included in Mint's installation disk. To wipe everything with dd, run the following a couple of times (the more passes you make, the more securely your hard disk will be sanitized):
Code: Select all
dd if=/dev/urandom of=/dev/sda& pid=$!


This will get dd running on the backgroung, you will notice some activity on the disk. This will take a longe time that depends primarily on the size of your disk (it took me one and a half day per pass on a 250 GB disk). You can see dd status by issuing the following command to the terminal:
Code: Select all
kill -USR1 $!


After sanitizing your disk you should create two partitions:

    sda1: primary, 512 MB in size, beginning of the disk, bootable flag set, type Linux
    sda2: primary, occupying the rest of the disk, type Linux

One great tool for creating the partitions is cfdisk, which comes preinstalled with Mint. It is very intuitive and ease to use, you choose the command to be performed with 'Enter', and navigate between the commands and partitions with the arrow keys; I'm sure you will find your way :) If cfdisk complains about an unknown partition table type, choose to start with a zero table. Don't forget to write the changes to the disk after editing the partition table. You can start cfdisk with:
Code: Select all
cfdisk /dev/sda




3. Getting an intermediate Mint install

Next, you should install Mint to the removable media you have handy (assumed here as being sdb). Before initiating the installer you should use cfdisk once more to create one single big partition on the device (named sdb1). Create it primary, occupying the whole disk, bootable flag set, type Linux:
Code: Select all
cfdisk /dev/sdb


Use the regular Mint installer to install to it on the removable device as you would regularly install it onto your hard disk. Once asked where to install the grub boot loader, choose /dev/sdb. Don't reboot the computer once the install is finished.

After finishing the procedure outlined here the device can be used as a persistent Mint live media, like a recovery media for example, or you can just delete this intermediate Mint install.



4. Setting up LUKS encryption and Logical Volume Management

Before proceeding, we must install the relevant utilities on the installation media.
Code: Select all
aptitude update
aptitude install cryptsetup lvm2


Next, we set up encryption on the big partition we created earlier on the target computer disk. You can use different ciphers, modes of encryption and/or key-sizes, but these ones are pretty good defaults. Also, be sure to choose a sufficiently long passphrase, preferably with upper case, lower case, special symbols and punctuation. Keep in mind that if you forget your passphrase you will have to crack it or your data will be lost forever, so choose a passphrase that you can remember.
Code: Select all
cryptsetup luksFormat --cipher aes-xts-plain --key-size 512 /dev/sda2


After creating the vault, we must map it through Linux kernel to a virtual block device. This is accomplished by openning the LUKS device:
Code: Select all
cryptsetup luksOpen /dev/sda2 sda2_crypt


Next we will set up LVM. First you need to instruct LVM which devices you will be using as physical volumes:
Code: Select all
pvcreate /dev/mapper/sda2_crypt


Now create the volume group itself:
Code: Select all
vgcreate vg /dev/mapper/sda2_crypt


Now we can add the logical volumes to the setup. The logical volumes are the containers that will hold the file systems, so you can imagine them as being more or less like standard partitions, but with a lot more flexibility. The partitioning scheme is a subject of much debate, and I won't get into it in this guide. The scheme shown here is just for informational purposes, and shouldn't be regarded as being accurate in any manner. If you want further advice I'd suggest the Debian Installer Guide (http://www.debian.org/releases/stable/i386/apc.html.en) as a great resource on this subject (and many others).

To illustrate the procedure in this guide, we will be setting up five different volumes, for the following mount points: swap, /, /var, /usr and /home. Note that there is one further mount point that we will be using (namely /boot), but that will reside on it's own partition. You can adapt to your own needs (note the lowercase 'l' in the last command, this is to illustrate some of the possible syntax the command accepts):
Code: Select all
lvcreate -n swap -L 1G vg
lvcreate -n root -L 1G vg
lvcreate -n usr -L 3G vg
lvcreate -n var -L 2G vg
lvcreate -n home -l 100%FREE vg


Next, we create the needed file systems:
Code: Select all
mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-usr
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap




5. Copying the intermediate Linux Mint install to it's final location

We had to make an intermediate Mint install earlier because the default installer won't recognize the LVM volumes we had just set up. So we will use this install as the source to our final Linux Mint install. First we set up some mount points:
Code: Select all
cd /mnt
mkdir target source


Now we mount the root target and the source file systems:
Code: Select all
mount -t ext4 /dev/mapper/vg-root /mnt/target
mount -t ext4 /dev/sdb1 /mnt/source


Now we can create the remaining mount points:
Code: Select all
cd target
mkdir usr var home boot


And mount the rest of the file systems on their respective mount points:
Code: Select all
mount -t ext2 /dev/sda1 boot
mount -t ext4 /dev/mapper/vg-usr usr
mount -t ext4 /dev/mapper/vg-var var
mount -t ext4 /dev/mapper/vg-home home


Now we can copy everything from the source intermediate Mint install to it's final destination:
Code: Select all
cp -av /mnt/source/* ./




6. Fixing the target system

If we weren't using LUKS and LVM this would be an almost working setup. But since we are using these, we must make the target system aware of it, and thus we should fix a couple of thinks.

Since we're going to chroot on the target system soon, it is worth enabling swap space first:
Code: Select all
swapon /dev/mapper/vg-swap


First we need to mount some aditional file systems to be able to properly use our target system once we chroot into it:
Code: Select all
mount --bind /dev dev


And we also need to have the domain name resolver working on the new system, so we copy the resolv.conf file to the target system:
Code: Select all
cp /etc/resolv.conf etc


Next we can chroot into our fresh Mint install:
Code: Select all
chroot /mnt/target /bin/bash


We just export some variable to remeber us that we are in a chroot'ed environment:
Code: Select all
export PS1="[chroot] $PS1"


And mount the remaining virtual file systems:
Code: Select all
mount -t devpts devpts /dev/pts
mount -t tmpfs tmpfs /dev/shm
mount -t proc proc /proc
mount -t sysfs sysfs /sys


Now we install LUKS and LVM on the target system:
Code: Select all
aptitude update
aptitude install cryptsetup lvm2


Nope, we haven't taken this step yet. Earlier we installed LUKS and LVM on the live installation media, now we're installing it on the target system. You remember that, right? ;)

After installing the tools, we need to set some configuration files up, so that the system know how to properly boot once we finish fixing it. First, create the map for the encrypted partition on /etc/crypttab:
Code: Select all
echo 'sda2_crypt /dev/sda2 none luks,tries=3' >> /etc/crypttab


And than we need to recreate /etc/fstab to reflect the layout we have used through this guide. To edit it you can issue on the command line:
Code: Select all
nano /etc/fstab


For the setup we have used here, the following fstab is a valid one. Use it as a template, and adapt it to your own needs. Be sure to remove the entries that were added by Mint installer when we made the intermediate install:
Code: Select all
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system>      <mount point>   <type>      <options>         <dump>   <pass>

/dev/sda1      /boot      ext2      defaults         0   2
/dev/scd0      /media/cdrom0   udf,iso9660   user,noauto         0   0

/dev/mapper/vg-root   /      ext4      defaults,errors=remount-ro   0   1
/dev/mapper/vg-usr   /usr      ext4      defaults         0   2
/dev/mapper/vg-var   /var      ext4      defaults         0   2
/dev/mapper/vg-home   /home      ext4      defaults         0   2
/dev/mapper/vg-swap   none      swap      sw            0   0

proc         /proc      proc      defaults         0   0


Nex we need to add configure your initramfs-tool, so that it can include the propper modules every time your initramfs is (re)generated. Edit the file with:
Code: Select all
nano /etc/initramfs-tools/modules


Make it look like the following:
Code: Select all
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod

dm-crypt
aes-x86_64   # if you're installing on a 32-bit architecture, set to aes-i586
xts
sha256_generic
sha512_generic
ahci      # needed because of my sata controller, set yours accordingly


Regenerate your initramfs:
Code: Select all
update-initramfs -uv


Make sure you will get the right options at the grub menu:
Code: Select all
update-grub


And install grub to the MBR of your hard disk:
Code: Select all
grub-install /dev/sda


Having finished this, lets prepare our computer to reboot:
Code: Select all
exit
umount dev/pts
umount dev/shm
umount dev
umount usr
umount var
umount home
umount boot
umount target
swapoff /dev/mapper/vg-swap
vgchange -a n


Now cross your fingers, remove the installation media, the removable device on which you did the intermediate install and reboot your system. When your system starts, it should ask you for the LUKS password you had set up earlier. Type it after the following prompt, nothing should be echoed back to the screen, this is normal behaviour:
Code: Select all
Enter passphrase:


Log into the user account you created when doing the intermediate install, and congratulations, you're done.
Last edited by CyL on Thu Jan 06, 2011 4:52 pm, edited 5 times in total.
CyL
Level 1
Level 1
 
Posts: 5
Joined: Wed Jan 05, 2011 1:03 pm

Linux Mint is funded by ads and donations.
 

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby CyL on Wed Jan 05, 2011 8:48 pm

Reserved space.
CyL
Level 1
Level 1
 
Posts: 5
Joined: Wed Jan 05, 2011 1:03 pm

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby hashstat on Sat Apr 23, 2011 6:30 am

I like how we were thinking along the same lines. My method is very similar but doesn't require the intermediate installation; one already exists on the LMDE DVD.

Cheers.
hashstat
Level 1
Level 1
 
Posts: 10
Joined: Thu Apr 21, 2011 10:17 pm

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby pwyll on Fri Sep 30, 2011 9:33 pm

Hi CyL, thanks very much for your guide - it definitely worked the best out of the three I've tried so far. I do have a couple of questions however...

1. In step 6, the "mount the remaining virtual file systems" section, I got an error trying to mount tmpfs, and was not able to do so.
2. In the final unmounting steps, when I tried "umount target" I got an error message saying target didn't exist.

Changes I made to your instructions, for my own circumstances:

1. I only created one volume inside the encrypted partition, and assigned it to root - so the only "lvcreate" I did in step 4 was for "root".
2. before both "aptitude update" steps, I updated /etc/apt/sources.list to reflect the new repositories for update pack 3.

regardless, I was able to finish the install and boot into my new encrypted system.

However, now the problem I'm having is that changes to grub.cfg seem to be ignored by the system. when I do "sudo update-grub", i get:

Code: Select all
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.0.0-1-amd64
Found initrd image: /boot/initrd.img-3.0.0-1-amd64
/usr/sbin/grub-probe: error: no such disk.
/usr/sbin/grub-probe: error: no such disk.
done


...but, grub.cfg is generated. However, it's then ignored - the only entries in the new grub.cfg are for the 3.0.0 kernel that update pack 3 installs, BUT upon boot, the only menu items are for the older 2.6.29 kernel! Can you tell me why this is, and where grub is looking?

furthermore, "sudo grub-install /dev/sda" fails with:

Code: Select all
/usr/sbin/grub-probe: error: no such disk.
Auto-detection of a filesystem of /dev/mapper/vg-root failed.
Try with --recheck.
If the problem persists please report this together with the output of "/usr/sbin/grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub" to <bug-grub@gnu.org>


...and strangely enough I see no core.img in /boot/grub . Do you have an idea as to what's going on?

Many thanks again for your guide.
pwyll
Level 1
Level 1
 
Posts: 4
Joined: Fri Sep 30, 2011 9:16 pm

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby pwyll on Sat Oct 01, 2011 6:08 pm

Okay, I believe I figured it out. I had added "discard" to the mount options in /etc/fstab for both partitions (I'm doing this on an ssd) but ext2 doesn't support "discard". So, during boot /dev/sda1 wasn't getting mounted at /boot, and linux adds a new /boot directory instead, which is the only one that can be seen after booting. Glad I could solve it!

Here's a more detailed list of comments on the original guide, now that I am at a point where everything appears to work correctly:

0. I skip the overwriting with /dev/urandom as I'll be filling the disk with data anyway after install.
1. At the beginning of step 4, I edit /etc/apt/sources.list to conform with the new recommendations for LMDE udpate pack 3: http://blog.linuxmint.com/?p=1836
2. I use the defaults for luksFormat rather than the --cipher and --key-size options listed.
3. the only lvcreate I do is "lvcreate -n root -l 100%FREE vg" asI'm just mounting the entire encrypted partition as root. I get a warning that "/dev/vg/root" should have been created by udev but it was not found" but the command completes regardless.
4. similarly, I only run the first two "mkfs" lines listed, as I haven't created any other volumes.
5. in /mnt/target, I make a subdir for boot but not any others. and, within /mnt/target, I mount /dev/sda1 at boot, but no others.
7. in step 6, I skip the "swapon /dev/mapper/vg-swap" part.
8. ERROR: the "mount -t tmpfs tmpfs /dev/shm" line produces an error "mount: too many levels of symbolic links" and the operation fails. I proceed anyway.
9. Again in the chrooted envrinoment, I edit /etc/apt/sources.list to conform with the new recommendations for LMDE udpate pack 3.
10. when editing fstab, I remove all but three lines for /boot, /, and proc. I add "noatime" to the options for /boot, and "noatime,discard" to the options for / .
11. I keep all recommended modules in /etc/initramfs-tools/modules , though I suspect I don't need all. ONE IMPORTANT THING! I get errors on boot if I don't remove the comments from the aes-x86_64 and ahci module lines.
12. During the unmounting steps, I skip the dev/shm part as I wasn't able to successfully mount it originally. I also skip umounting usr, var, home, and turning swap off as I never mounted them in the first place.
13. ERROR: the "umount target" command fails with "umount: target: not found". At this stage of the install I'm still in the /mnt/target directory; if I do cd .. first and then try unmounting, I get "device is busy" and another failure. lsof and fuser don't give me info I understand, about squashfs filesystems and stale NFS handles. So, I skip this and continue.
14. ERROR: the "vgchange -a n" command fails with "can't deactivate volume group".


Hopefully this is helpful - cheers. I'm happy with my new system, thanks again for the howto.
pwyll
Level 1
Level 1
 
Posts: 4
Joined: Fri Sep 30, 2011 9:16 pm

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby UnrealMiniMe on Wed Oct 19, 2011 12:34 pm

My experience mostly mirrors pwyll's (except for the happy ending):
  • I got the "too many levels of symbolic links" error. I decided to fix it by copying /var/run/shm to /mnt/var/run/ before chrooting, though.
  • I also had to remove the comments from the /etc/initramfs-tools/modules lines.
  • I also had problems unmounting a few things, and lsof/fuser weren't much help. In that end, I did a few syncs, waited around, did a few syncs, kept getting errors...and said, "screw it." I used umount -l and rebooted. ;)

Unfortunately, I ultimately get the same results with this guide as I do with hashstat's (viewtopic.php?f=141&t=71159&start=0&hilit=encrypt*): The boot process looks for my LVM volume group before trying to unlock my drive, so it can't find my volumes. Unless I add some extra steps, the boot scripts never even try to decrypt my drive. If I do add some extra steps (such as creating a /etc/initramfs-tools/conf.d/cryptroot file), the boot routine unlocks my drive only after failing to find the LVM volumes.

I created a thread about it here: viewtopic.php?f=189&t=83763
Hopefully someone will be able to figure out what's wrong. Otherwise, your success with this guide may depend on your system.
UnrealMiniMe
Level 1
Level 1
 
Posts: 10
Joined: Wed Oct 19, 2011 7:23 am

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby mintybits on Tue Nov 27, 2012 9:13 am

I just tried this on my laptop's Mint 13 system. I got it working. :)

I did some extra things , tho.

1) I did not refer to the encrypted partition by simple number (/dev/sdaN) but instead by UUID (/dev/disk/by-uuid/...). This is very important if you ever delete other partitions because the simple number N may change. This will then break your boot process.

2) I edited "/etc/crypttab" to include the mount details, eg:
Code: Select all
# <target name>   <source device>      <key file>   <options>
systemCrypt        /dev/disk/by-uuid/...      none    luks


3) I added a kernal command to "/etc/default/grub":
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/...:systemCrypt"

4) After mounting the new root and boot partitions and editing fstab I chroot'ed into the new root and ran:
# update-initramfs -u
# dpkg-reconfigure-grub-pc

Then rebooted.
If you see an eclectic error message like "evms_activate is not available" it probably means the encrypted partition cannot be located. Check you've got the UUIDs right. The UUID is the one for the partition that you see when you run "sudo blkid".
mintybits
Level 5
Level 5
 
Posts: 827
Joined: Fri Jan 27, 2012 5:09 pm

Re: Installing Mint LMDE with whole disk encryption (LUKS+LV

Postby Pepas on Tue Nov 27, 2012 12:14 pm

1. The cleaner way of using UUIDs is to refer to the partition by UUID=... instead of /dev/disk/by-uuid/...
2. You should not need to edit /etc/crypttab because that happens automatically when you use cryptsetup.
3. I'm intrigued by you adding a kernal option in /etc/default/grub, because that should not be necessary, initrd takes care of this automatically.
User avatar
Pepas
Level 1
Level 1
 
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Linux Mint is funded by ads and donations.
 

Return to Tutorials / Howtos

Who is online

Users browsing this forum: bulsatar and 11 guests