[Tutorial] Installation with custom encryption setup


Post by Laurent85 »

    :idea: Back up your data before proceeding with operating system installation. Cloning your hard disk beforehand to an external drive is recommended.

    Use this guide to customize your encryption setup. This guide addresses encryption setup needs not offered by Linux Mint installer.

    A non-exhaustive list of possibilities, each volume in the list being encrypted:
    • root, home and swap
    • home and swap (root not encrypted)
    • root system #1, root system #2, shared data storage, shared swap, enabling dual boot encryption
    • root system #1, root system #2, shared home, shared data, shared swap
    • write your own here

    The method is based on LVM over LUKS. One example is the Linux Mint installer's full disk encryption, which uses a LUKS encrypted partition to host the logical volumes root and swap. LVM over LUKS is also applicable on a limited area of the disk. One of the advantages of LVM over LUKS is the "one key unlocks all" feature. Managing logical volumes is transparent thereafter. When creating, resizing and removing logical volumes, encryption is always on; you don't need to edit or change encryption settings, that's really handy.

    This guide details a triple boot setup. In addition to Windows OS already installed on the computer, two versions of Linux Mint 64 bit fully encrypted with shared home and swap.

    Note that the following procedure is a scenario to illustrate the possibilities; this setup is not a recommendation with regard to the partitioning.

    Requirements:
    • two encrypted operating systems need two separate unencrypted boot partitions, one for each.
    • a large partition that will host LVM over LUKS
    • the Linux Mint installation flash drive
    The procedure comprises three major steps:
    1. preparing the container and the logical volumes
    2. installing Linux Mint via the installer
    3. editing the encryption settings for the boot process to work properly

    Proceeding with installation of operating system #1.


    Step 1 - Preparing the container and the logical volumes:

    Suppose a 1TB hard disk, first 4 partitions sda1 to sda4 allocated to EFI and Windows, 600 GB of unallocated free space. Booting LM 18 Cinnamon Live session and launching gparted to create the following partitions:
    • sda5, 256MB ext4 for /boot system #1
    • sda6, 256MB ext4 for /boot system #2
    • sda7, 500GB unformatted for LUKS
    • 100 GB of unallocated free disk space still available for other usages
    Installing LUKS on sda7 and unlocking, from a terminal:

    Code:

    # Format sda7 as a LUKS container, then unlock it as /dev/mapper/luks1
    sudo cryptsetup luksFormat /dev/sda7
    sudo cryptsetup luksOpen /dev/sda7 luks1

    Making LUKS block device luks1 an LVM primary volume:

    Code:

    sudo pvcreate /dev/mapper/luks1

    Installing LVM graphical user interface tool to create the volume group and logical volumes.

    Code:

    # Package installation needs root in the Live session
    sudo apt update
    sudo apt install system-config-lvm

    To create the volume group and logical volumes, launching the Logical Volume Management tool from the menu.

    Creating new Volume Group vg1:
    Creating new Logical Volumes:
    • root1, 20 GB
    • root2, 20 GB
    • swap, 4 GB
    • home, 300 GB
    • leaving 156 GB of unallocated space for future logical volume usages.

    Step 2 - Installing Linux Mint 18 Cinnamon via the installer


    Launching the installer, select Installation type Something else, assign the following partitions and logical volumes:
    • available ESP (EFI System Partition) is assigned automatically as type efi by the installer, do not edit.
    • /dev/sda5, /boot, ext4, format
    • /dev/mapper/vg1-root1, / (root), ext4, format
    • /dev/mapper/vg1-swap, swap area
    • /dev/mapper/vg1-home, /home, ext4, format
    • Device for boot loader installation, select /dev/sda (selecting the ESP partition id also works)
    Proceeding with installation, once the installation completes do not reboot, press the Continue Testing button.

    Step 3 - Editing encryption settings and finalizing


    Preparing chroot environment for freshly installed Linux Mint 18 Cinnamon

    Mounting root1 logical volume:

    Code:

    sudo mount /dev/mapper/vg1-root1 /mnt

    Mounting boot partition dedicated to Linux Mint 18 Cinnamon:

    Code:

    sudo mount /dev/sda5 /mnt/boot

    Mounting special devices:

    Code:

    # Make /dev, /proc, /sys and /dev/pts available inside the chroot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt mount -t proc proc /proc
    sudo chroot /mnt mount -t sysfs sysfs /sys
    sudo chroot /mnt mount -t devpts devpts /dev/pts

    Creating crypttab file:

    Code:

    gksu xed /mnt/etc/crypttab

    With the following content:

    Code:

    # <target name>  <source device>  <key file>  <options>
    luks1            /dev/sda7        none        luks

    Updating initrd, you can ignore the warning message:

    Code:

    # Rebuild the installed system's initramfs from inside the chroot
    sudo chroot /mnt update-initramfs -u

    Done. Upon reboot grub should offer to boot into Windows and Linux Mint 18 Cinnamon. I am assuming the computer EFI firmware is not defective. If grub doesn't show up, the problem is not related to the procedure but to the EFI firmware implementation found on some computers designed to boot Windows only.

    Proceeding with installation of operating system #2.

    Installing Linux Mint 18 Mate 64 bit, booting the Live session.

    Step 1 - Most done in previous installation.

    Unlocking LUKS block device luks1:

    Code:

    sudo cryptsetup luksOpen /dev/sda7 luks1

    Step 2 - Installing Linux Mint 18 Mate via the installer

    Assigning partitions and logical volumes for system #2:
    • available ESP (EFI System Partition) is assigned automatically as type efi by the installer, do not edit
    • /dev/sda6, /boot, ext4, format
    • /dev/mapper/vg1-root2, / (root), ext4, format
    • /dev/mapper/vg1-swap, swap area
    • /dev/mapper/vg1-home, /home, ext4, do not select format
    • Device for boot loader installation, select /dev/sda (selecting the ESP partition id also works)
    Proceeding with installation, once installation completes do not reboot, press the Continue Testing button.


    Step 3 - Editing encryption settings and finalizing


    Preparing chroot environment for freshly installed Linux Mint 18 Mate.

    Mounting root2 volume:

    Code:

    sudo mount /dev/mapper/vg1-root2 /mnt

    Mounting boot partition dedicated to Linux Mint 18 Mate:

    Code:

    sudo mount /dev/sda6 /mnt/boot

    Mounting special devices:

    Code:

    # Make /dev, /proc, /sys and /dev/pts available inside the chroot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt mount -t proc proc /proc
    sudo chroot /mnt mount -t sysfs sysfs /sys
    sudo chroot /mnt mount -t devpts devpts /dev/pts

    Creating the crypttab file:

    Code:

    gksu xed /mnt/etc/crypttab

    With the following content, save and exit:

    Code:

    # <target name>  <source device>  <key file>  <options>
    luks1            /dev/sda7        none        luks

    Updating initrd, you can ignore the warning message:

    Code:

    # Rebuild the installed system's initramfs from inside the chroot
    sudo chroot /mnt update-initramfs -u

    Done, upon reboot grub menu should list three operating systems available for booting :D
    Last edited by Laurent85 on Sat Oct 15, 2016 6:12 pm, edited 8 times in total.
    Re: Installation with custom encryption setup

    Post by donalduck »

    interesting :roll:

    is this setup also good for other mint flavor, for example mint 17.3 ?

    BTW I think there is a typo

    Code:

    gksu xed /mnt/etc/crypttab

    should be

    Code:

    gksu xed /etc/crypttab

    Re: Installation with custom encryption setup

    Post by Laurent85 »

    donalduck wrote: is this setup also good for other mint flavor, for example mint 17.3 ?

    Yes, should work for any Linux Mint release 64 bit installed in EFI mode. Should also work in Legacy mode and for 32 bit releases, step 2 would slightly differ since not installing in EFI mode.

    donalduck wrote: BTW I think there is a typo

    Code:

    gksu xed /mnt/etc/crypttab

    should be

    Code:

    gksu xed /etc/crypttab

    Nope, you need to set the encryption settings for the newly installed system mounted under /mnt, editing /etc/crypttab would only change the settings for the Live session, it's useless since upon reboot every change made regarding the Live session is lost.
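
A check for the crypttab written in step 3 and discussed in the reply above, as an added example that is not part of the original posts: it lints a crypttab file for a given mapping name and warns when the source is a kernel device name such as /dev/sda7, for which crypttab also accepts the UUID= form. The function name check_crypttab and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a crypttab written for a freshly installed system.
# check_crypttab FILE NAME -> prints findings; returns 0 if no ERROR, else 1.
check_crypttab() {
    file=$1; want=$2; errors=0; found=0
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"; return 1
    fi
    while read -r target source keyfile options extra; do
        case $target in ''|'#'*) continue ;; esac    # blank line or comment
        if [ -z "$source" ]; then
            echo "ERROR: $target: no source device given"; errors=1; continue
        fi
        if [ -n "$extra" ]; then
            echo "ERROR: $target: more than four fields"; errors=1
        fi
        case $source in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
                echo "WARN: $target: $source is a kernel device name that can change when disks are added or reordered" ;;
        esac
        case ",$options," in
            *,luks,*) ;;
            *) echo "WARN: $target: options lack 'luks', which the tutorial's entry sets" ;;
        esac
        if [ "$target" = "$want" ]; then found=1; fi
    done < "$file"
    if [ "$found" -ne 1 ]; then
        echo "ERROR: no entry named $want"; errors=1
    fi
    return "$errors"
}

# Constructed sample reproducing the tutorial's entry (not read from a real disk).
sample=$(mktemp)
printf '%s\n' '# <target name> <source device> <key file> <options>' \
    'luks1 /dev/sda7 none luks' > "$sample"
check_crypttab "$sample" luks1
```

From the Live session the call would be `check_crypttab /mnt/etc/crypttab luks1`, run before `update-initramfs -u`, so that the file being checked is the installed system's and not the Live session's.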
    Re: Installation with custom encryption setup

    Post by donalduck »

    ah ok ok, thanks for the explanations.