This guide is intended to aid users who want to install Linux Mint Debian Edition (LMDE) on their system with whole-disk encryption, that is, everything on the system is encrypted on the fly and transparently to the user, except for a small boot partition that is used to start everything else. As a side benefit, we will also install Mint on top of LVM volumes.
It is assumed that the user following this guide is acquainted with the command line and with the concepts involved in the procedures outlined here. To follow the guide you need the computer you will be working on, with an Internet connection, the installation media, and some sort of removable media (e.g. a USB stick or an external hard disk, big enough to hold a Mint installation) that is recognized by the system as a regular disk (e.g. sd*, hd*; this restriction is only due to limitations of the installer).
WARNING: beginners, be aware that following this guide blindly will irrevocably destroy all your data!
Having said that, one can never stress too much how important it is to have all your important data backed up properly before following procedures such as the one described here.
2. Preparing the disks
First you need to prepare your disks to be encrypted. Although this step is a very tedious one, it is crucial to have the disk properly sanitized before you proceed, or you risk residual data being disclosed.
To sanitize the disk you will be installing Mint LMDE on (assumed to be sda in this guide), first boot your Mint installation media, open a terminal (Menu -> Terminal) and type the following to become root:
sudo su
Then start filling the whole disk with random data in the background, saving the PID of dd so you can query it later:
dd if=/dev/urandom of=/dev/sda & pid=$!
This takes a long time. To see how far dd has got, send it SIGUSR1 and it will print the number of bytes written so far (GNU dd ends with a "No space left on device" message once the whole disk has been written, which is the expected end of the wipe):
kill -USR1 $pid
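The wipe and progress check above, wrapped into a reusable shell function, as an added example that is not part of the original post. wipe_path and progress_interval are names chosen here; the function relies on GNU dd (the one on the live media) for the SIGUSR1 progress report, and treats dd's "No space left on device" as the normal end of a whole-device wipe. Passing a regular file and a block count lets you try it without touching a disk.

```shell
# Added example: wipe a whole device (or, for testing, a regular file) with
# /dev/urandom, printing dd's progress periodically and treating
# "No space left on device" as the normal end of a whole-disk wipe.
# Relies on GNU dd, which prints its byte count when it receives SIGUSR1.
# 'wipe_path' and 'progress_interval' are names chosen for this example.

progress_interval=${progress_interval:-60}   # seconds between progress lines

# wipe_path TARGET [COUNT]
#   TARGET  /dev/sdX for a real wipe, or a regular file for a dry run
#   COUNT   optional number of 1 MiB blocks; omit it ONLY for a block device,
#           where dd stops by itself when the device is full
wipe_path() {
    target=$1
    count=$2
    log=$(mktemp) || return 2
    [ -e "$target" ] || { echo "wipe_path: $target not found" >&2; rm -f "$log"; return 2; }

    # Run dd in the background, keeping its stderr in a log so the final
    # message can be inspected afterwards.
    if [ -n "$count" ]; then
        dd if=/dev/urandom of="$target" bs=1M count="$count" 2>"$log" &
    else
        dd if=/dev/urandom of="$target" bs=1M 2>"$log" &
    fi
    pid=$!

    # Ticker: every progress_interval seconds ask dd for its statistics and
    # show the latest "bytes copied" line; stops once dd no longer exists.
    ( while sleep "$progress_interval"; do
          kill -USR1 "$pid" 2>/dev/null || break
          sleep 1
          tail -n 1 "$log"
      done ) &
    ticker=$!

    rc=0
    wait "$pid" || rc=$?
    kill "$ticker" 2>/dev/null || true

    # A whole-device wipe ends when the device is full; GNU dd reports that
    # as an error, which for our purpose means the wipe completed.
    if [ "$rc" -ne 0 ] && grep -q 'No space left on device' "$log"; then
        rc=0
    fi
    cat "$log"          # final summary line, or the real error if there was one
    rm -f "$log"
    return "$rc"
}
```

On a real system you would call `wipe_path /dev/sda` as root and wait; the progress lines appear on the terminal at the chosen interval instead of you sending kill -USR1 by hand.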
Once the wipe has finished, partition the disk with cfdisk as follows:
- sda1: primary, 512 MB in size, beginning of the disk, bootable flag set, type Linux
- sda2: primary, occupying the rest of the disk, type Linux
cfdisk /dev/sda
3. Getting an intermediate Mint install
Next, install Mint to the removable media you have at hand (assumed here to be sdb). Before starting the installer, use cfdisk once more to create a single big partition on the device (sdb1): primary, occupying the whole disk, bootable flag set, type Linux. Then start the installer and install to sdb1.
cfdisk /dev/sdb
After finishing the procedure outlined here, the device can be kept as a persistent Mint live medium (a recovery medium, for example), or you can simply delete this intermediate Mint install.
4. Setting up LUKS encryption and Logical Volume Management
Before proceeding, we must install the relevant utilities on the installation media.
aptitude update
aptitude install cryptsetup lvm2
Now create the LUKS container on sda2 (you will be asked to confirm, in upper case, and to choose a passphrase):
cryptsetup luksFormat --cipher aes-xts-plain --key-size 512 /dev/sda2
Open it; the decrypted device then appears as /dev/mapper/sda2_crypt:
cryptsetup luksOpen /dev/sda2 sda2_crypt
Turn the decrypted device into an LVM physical volume and create a volume group (named vg) on it:
pvcreate /dev/mapper/sda2_crypt
vgcreate vg /dev/mapper/sda2_crypt
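Before building anything on top of the container it is worth confirming that the header really carries the cipher, mode and key size you asked for. The following added example (not part of the original post) parses the LUKS1-style output of `cryptsetup luksDump` for those three fields; the function names check_luks_header and luks_dump_field are chosen here, and the dump text is a constructed sample standing in for `cryptsetup luksDump /dev/sda2`.

```shell
# Added example: sanity-check a LUKS1 header against the parameters the guide
# chose (aes, xts mode, 512-bit master key). Returns 0 on a match, 1 on a
# mismatch, and 2 when the header uses the "plain" IV generator on a device
# larger than 2 TiB (its 32-bit sector counter wraps there; plain64 does not).
# Function names are chosen for this example; SAMPLE_DUMP is constructed.

# Constructed luksDump(8)-style output; on a real system pass
# "$(cryptsetup luksDump /dev/sda2)" instead.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        512'

# luks_dump_field FIELD DUMP  -> prints the value after "FIELD:"
luks_dump_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# check_luks_header DUMP [DEVICE_SIZE_BYTES]
#   DEVICE_SIZE_BYTES is what "blockdev --getsize64 /dev/sda2" prints;
#   it is only used for the 2 TiB check and defaults to 0 (check skipped).
check_luks_header() {
    dump=$1
    size_bytes=${2:-0}
    name=$(luks_dump_field 'Cipher name' "$dump")
    mode=$(luks_dump_field 'Cipher mode' "$dump")
    bits=$(luks_dump_field 'MK bits' "$dump")
    rc=0
    [ "$name" = aes ] || { echo "cipher is '$name', expected aes" >&2; rc=1; }
    case $mode in
        xts-*) ;;
        *) echo "mode is '$mode', expected xts-plain or xts-plain64" >&2; rc=1 ;;
    esac
    [ "$bits" = 512 ] || { echo "master key is '$bits' bits, expected 512" >&2; rc=1; }
    # 2 TiB = 2^32 sectors of 512 bytes, the point where a 32-bit IV wraps.
    if [ "$rc" -eq 0 ] && [ "$mode" = xts-plain ] && [ "$size_bytes" -gt 2199023255552 ]; then
        echo "warning: xts-plain IV wraps above 2 TiB on this device; use xts-plain64" >&2
        rc=2
    fi
    return "$rc"
}
```

The guide's luksFormat line uses xts-plain, which was the usual choice at the time; cryptsetup's FAQ recommends xts-plain64 for new volumes, and on anything larger than 2 TiB it is not optional, which is what return code 2 flags. LUKS2 headers print these fields in a different layout (a single "Cipher: aes-xts-plain64" line), so this parser is for the LUKS1 output the guide's tools produce.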
To illustrate the procedure in this guide, we will set up five different volumes, for the following mount points: swap, /, /var, /usr and /home. There is one further mount point we will be using (namely /boot), but that resides on its own unencrypted partition (sda1). You can adapt this to your own needs (note the lowercase 'l' in the last command, which illustrates another form of the size argument the command accepts):
lvcreate -n swap -L 1G vg
lvcreate -n root -L 1G vg
lvcreate -n usr -L 3G vg
lvcreate -n var -L 2G vg
lvcreate -n home -l 100%FREE vg
Now create the file systems on the boot partition and on the logical volumes, and initialize the swap volume:
mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-usr
mkfs.ext4 /dev/mapper/vg-var
mkfs.ext4 /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap
5. Copying the intermediate Linux Mint install to its final location
We had to make an intermediate Mint install earlier because the default installer won't recognize the LVM volumes we have just set up. So we will use this install as the source of our final Linux Mint install. First we set up some mount points:
cd /mnt
mkdir target source
mount -t ext4 /dev/mapper/vg-root /mnt/target
mount -t ext4 /dev/sdb1 /mnt/source
cd target
mkdir usr var home boot
mount -t ext2 /dev/sda1 boot
mount -t ext4 /dev/mapper/vg-usr usr
mount -t ext4 /dev/mapper/vg-var var
mount -t ext4 /dev/mapper/vg-home home
Finally, copy the whole intermediate install over to the new volumes:
cp -av /mnt/source/* ./
6. Fixing the target system
If we weren't using LUKS and LVM this would be an almost working setup. But since we are, we must make the target system aware of them, and thus we need to fix a couple of things.
Since we're going to chroot on the target system soon, it is worth enabling swap space first:
swapon /dev/mapper/vg-swap
Bind-mount the live system's /dev into the target so that the device nodes (including /dev/mapper) are available inside the chroot:
mount --bind /dev dev
Copy the resolver configuration so that name resolution, and therefore package installation, works from inside the chroot:
cp /etc/resolv.conf etc
Now enter the target system:
chroot /mnt/target /bin/bash
Change the prompt so it is obvious that you are inside the chroot, and mount the pseudo file systems the tools expect to find:
export PS1="[chroot] $PS1"
mount -t devpts devpts /dev/pts
mount -t tmpfs tmpfs /dev/shm
mount -t proc proc /proc
mount -t sysfs sysfs /sys
Install cryptsetup and lvm2 inside the target system too, so that their initramfs hooks are available when the initramfs is rebuilt:
aptitude update
aptitude install cryptsetup lvm2
After installing the tools, we need to set up some configuration files so that the system knows how to boot properly once we are done. First, create the mapping for the encrypted partition in /etc/crypttab:
echo 'sda2_crypt /dev/sda2 none luks,tries=3' >> /etc/crypttab
Next, edit /etc/fstab so that it refers to the boot partition and the logical volumes; it should look like this when you are done:
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 /boot ext2 defaults 0 2
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/mapper/vg-root / ext4 defaults,errors=remount-ro 0 1
/dev/mapper/vg-usr /usr ext4 defaults 0 2
/dev/mapper/vg-var /var ext4 defaults 0 2
/dev/mapper/vg-home /home ext4 defaults 0 2
/dev/mapper/vg-swap none swap sw 0 0
proc /proc proc defaults 0 0
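The crypttab and fstab entries above name the raw partitions as /dev/sda1 and /dev/sda2, which (as the fstab comment itself notes) can change when disks are added or removed; the LVM volumes keep their stable /dev/mapper/vg-* names, so only those two entries are affected. The following added example (not part of the original post) derives UUID-based lines for both files from blkid output. The function names are chosen here, and the blkid text is a constructed sample; on a real system the functions call blkid themselves when no text is supplied.

```shell
# Added example: build UUID-keyed crypttab and fstab entries for the two raw
# partitions from blkid(8) output, instead of the /dev/sdX names used in the
# guide. Function names are chosen here; SAMPLE_BLKID is constructed data.

# Constructed blkid-style output standing in for the real disks.
SAMPLE_BLKID='/dev/sda1: UUID="0a1b2c3d-1111-2222-3333-444455556666" TYPE="ext2"
/dev/sda2: UUID="9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff" TYPE="crypto_LUKS"
/dev/sdb1: UUID="12345678-0000-1111-2222-333344445555" TYPE="ext4"'

# uuid_of DEVICE [BLKID_OUTPUT]
#   Prints the filesystem/LUKS UUID of DEVICE, running blkid itself when no
#   output text is supplied. Prints nothing if the device is not listed.
#   The leading space before UUID= keeps PARTUUID= from matching.
uuid_of() {
    dev=$1
    out=${2:-$(blkid 2>/dev/null)}
    printf '%s\n' "$out" | sed -n "s|^$dev:.* UUID=\"\([^\"]*\)\".*|\1|p" | head -n 1
}

# crypttab_entry NAME DEVICE [BLKID_OUTPUT]
#   Equivalent of the guide's "sda2_crypt /dev/sda2 none luks,tries=3",
#   but keyed by UUID so it survives device renumbering.
crypttab_entry() {
    uuid=$(uuid_of "$2" "$3")
    [ -n "$uuid" ] || { echo "crypttab_entry: no UUID for $2" >&2; return 1; }
    printf '%s UUID=%s none luks,tries=3\n' "$1" "$uuid"
}

# fstab_entry DEVICE MOUNTPOINT FSTYPE OPTIONS PASS [BLKID_OUTPUT]
fstab_entry() {
    uuid=$(uuid_of "$1" "$6")
    [ -n "$uuid" ] || { echo "fstab_entry: no UUID for $1" >&2; return 1; }
    printf 'UUID=%s %s %s %s 0 %s\n' "$uuid" "$2" "$3" "$4" "$5"
}

# generate_entries [BLKID_OUTPUT]
#   Emits the two UUID-based lines the guide's layout needs: the crypttab
#   mapping for sda2 and the fstab line for /boot on sda1.
generate_entries() {
    blk=${1:-$(blkid 2>/dev/null)}
    crypttab_entry sda2_crypt /dev/sda2 "$blk"
    fstab_entry /dev/sda1 /boot ext2 defaults 2 "$blk"
}
```

Inside the chroot you would run `generate_entries` and paste the first line into /etc/crypttab in place of the /dev/sda2 mapping and the second into /etc/fstab in place of the /dev/sda1 line; both files accept the UUID= form.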
Then add the modules needed to unlock the root device to /etc/initramfs-tools/modules, so that they are available in the initramfs before the encrypted volume is opened:
nano /etc/initramfs-tools/modules
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
dm-crypt
# if you're installing on a 32-bit architecture, use aes-i586 instead
aes-x86_64
xts
sha256_generic
sha512_generic
# needed because of my sata controller, set yours accordingly
ahci
Rebuild the initramfs so that it includes the cryptsetup and LVM hooks and the modules just listed, then regenerate the GRUB configuration and install GRUB to the disk's MBR:
update-initramfs -uv
update-grub
grub-install /dev/sda
Now leave the chroot and undo the mounts in reverse order (the pseudo file systems first, then the volumes, then the target and source roots), disable the swap, deactivate the volume group and close the encrypted device:
exit
umount /mnt/target/sys
umount /mnt/target/proc
umount /mnt/target/dev/pts
umount /mnt/target/dev/shm
umount /mnt/target/dev
umount /mnt/target/usr
umount /mnt/target/var
umount /mnt/target/home
umount /mnt/target/boot
umount /mnt/target
umount /mnt/source
swapoff /dev/mapper/vg-swap
vgchange -a n
cryptsetup luksClose sda2_crypt
Now reboot into the new system. Early in the boot process the initramfs will ask for the LUKS passphrase before it can activate the volume group and mount the root file system:
Enter passphrase: