How to install Linux Mint on an encrypted system
One of the few things I miss about Fedora when using Ubuntu and related GNU/Linux distributions is the ease of setting up fairly complex disk partitioning schemes. I’m a big believer in disk mirroring (to protect against hard drive failure) and in encryption (to protect against data loss due to hardware theft), and Ubuntu requires use of an alternate, text-based installer while Linux Mint doesn’t even do that much.
Fortunately, this is Linux, which means I have all the tools I need to get this to work. Many thanks to this guide from 2008, which provided the base instructions.
Note that I do not set up software RAID (mirroring) in this case, as these instructions are for a laptop. If you want mirroring, my advice is to build two partitions on each mirror, one for /boot and one for the mirror volume, then build an encrypted volume atop the mirrored volume; add that encrypted volume to a volume group; and finally build logical volumes in that volume group.
A note about naming: throughout these instructions I refer to rootvg as the root volume group. This is fine for small installations; however, if you ever move disks between computers that also have their own group called rootvg, this causes trouble (generally, failure to recognise the new physical and logical volumes). For that reason, in practice I usually name my volume group with some unique name, perhaps related to the hostname.
- Boot from the Linux Mint Katya DVD.
- Open the terminal from the menu (lower left-hand corner) and install the Logical Volume Manager:
  sudo apt-get install lvm2
- If this drive has previously held unencrypted data, overwrite it with random data first:
  - Open a web browser and visit some site to generate some entropy; install and play some games too.
    sudo dd if=/dev/urandom of=/dev/sda bs=1M & sleep 5; while sudo pkill -USR1 dd; do sleep 60; done
    (Make sure to continue web browsing and playing games; when unattended, leave some music or videos playing.)
- Format the hard drive:
  sudo fdisk /dev/sda
  Create a 512M primary partition 1 for /boot (no BIOS that I’m aware of supports booting from an encrypted disk, so your boot partition must be plaintext) and then an extended partition 2 for the rest of the disk, with a logical partition 5 filling it. I’m sure there’s a GUI to do this too, but the command line is easier and quicker.
- Create an encrypted volume:
  sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/sda5
  (If you get an error, run sudo modprobe dm-crypt; sudo modprobe aes-i586 to load the crypto modules.)
- Activate the new volume:
  sudo cryptsetup luksOpen /dev/sda5 cryptpv
- Create an LVM physical volume on the encrypted volume:
  sudo pvcreate /dev/mapper/cryptpv
- Create an LVM volume group:
  sudo vgcreate rootvg /dev/mapper/cryptpv
- Create a logical volume for your swap (virtual memory):
  sudo lvcreate -L 4G -n swaplv rootvg
  (where 4G is twice your RAM)
- Create a logical volume for your root filesystem:
  sudo lvcreate -l 100%FREE -n rootlv rootvg
- Format your boot partition:
  sudo mkfs.ext2 /dev/sda1
- Format your root partition:
  sudo mkfs.ext4 -j /dev/mapper/rootvg-rootlv
- Install Linux Mint as usual; the installer should detect the partition and logical volumes. Make sure to use the advanced partitioning tool. Format /boot as ext2 and / as ext4 (the reason for formatting them earlier is so that the installer doesn’t get confused; I reformat in case the installer uses any special options). Do not use the swap as swap; the installer will be confused and believe that it is a physical volume. If others will have unsupervised login access, consider encrypting your home directory as well.
- Mount the new root on /mnt:
  sudo mount /dev/mapper/rootvg-rootlv /mnt
- Mount the new /boot:
  sudo mount /dev/sda1 /mnt/boot
- Change root (this makes the current process think that /mnt is /, which is another way of saying that it makes it appear that you’re working inside the freshly-installed system):
  sudo chroot /mnt
- Mount the special filesystems:
  mount -t proc proc /proc; mount -t sysfs sys /sys; mount -t devpts devpts /dev/pts
- Update the list of available software:
  apt-get update
- Install LVM2 on the freshly-installed system:
  apt-get install lvm2
- Update the cryptography table (vi /etc/crypttab) and add:
  cryptpv /dev/sda5 none luks
- Update the filesystem table (vi /etc/fstab) and add the swap entry (all six fields are required; the options field can be the conventional no-op sw):
  /dev/mapper/rootvg-swaplv none swap sw 0 0
- Update the list of modules included in the boot-initialisation ramdisk (this may actually be overkill nowadays) by adding the following to /etc/initramfs-tools/modules, one per line:
  dm_mod
  dm_crypt
  sha256_generic
  aes-i586
- Build the new initramfs:
  update-initramfs -k all -c
- Unmount the special filesystems:
  umount /dev/pts; umount /sys; umount /proc
- Exit the chroot jail:
  exit
- Unmount the boot filesystem:
  sudo umount /mnt/boot
- Unmount the freshly-installed root filesystem:
  sudo umount /mnt
- Format the swap logical volume:
  sudo mkswap -L swap -f /dev/mapper/rootvg-swaplv
- Reboot:
  sudo shutdown -r now
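Before that final reboot it is worth checking that the files edited inside the chroot are well-formed, because a malformed crypttab or fstab line on an encrypted root means a rescue boot rather than a login prompt. The following shell script is an added example and not part of the original post: the check_* functions take a file path (run them against /mnt/etc/crypttab, /mnt/etc/fstab and /mnt/etc/initramfs-tools/modules before unmounting, which assumes the post's layout with the new root on /mnt), and demo() exercises them on constructed sample files that mirror the entries above.

```shell
#!/bin/sh
# Added example: validate the chroot-edited configuration before rebooting.

# crypttab: each non-comment line needs exactly 4 fields (name, device,
# keyfile, options) and the options must contain "luks" for a LUKS volume.
check_crypttab() {
    awk 'BEGIN { bad = 0 }
         $0 ~ /^[[:space:]]*$/ || $1 ~ /^#/ { next }
         NF != 4 { printf "crypttab line %d: %d fields, expected 4\n", NR, NF; bad = 1; next }
         ("," $4 ",") !~ /,luks,/ { printf "crypttab line %d: missing luks option\n", NR; bad = 1 }
         END { exit bad }' "$1"
}

# fstab: each non-comment line needs 6 fields. Writing "none swap 0 0" drops
# the options field, so the dump/pass columns shift and mount misparses it.
check_fstab() {
    awk 'BEGIN { bad = 0 }
         $0 ~ /^[[:space:]]*$/ || $1 ~ /^#/ { next }
         NF != 6 { printf "fstab line %d: %d fields, expected 6\n", NR, NF; bad = 1; next }
         $3 == "swap" && $2 != "none" { printf "fstab line %d: swap mount point must be none\n", NR; bad = 1 }
         END { exit bad }' "$1"
}

# initramfs modules: without dm_crypt the ramdisk cannot unlock the root volume.
check_modules() {
    grep -Eq '^[[:space:]]*dm_crypt[[:space:]]*$' "$1"
}

# Constructed sample files (not taken from a real system) mirroring the
# post's edits; the deliberately broken fstab must be rejected.
demo() {
    d=$(mktemp -d)
    printf 'cryptpv /dev/sda5 none luks\n' > "$d/crypttab"
    printf '/dev/mapper/rootvg-swaplv none swap sw 0 0\n' > "$d/fstab.good"
    printf '/dev/mapper/rootvg-swaplv none swap 0 0\n' > "$d/fstab.bad"
    printf 'dm_mod\ndm_crypt\nsha256_generic\naes-i586\n' > "$d/modules"
    check_crypttab "$d/crypttab" && check_fstab "$d/fstab.good" \
        && ! check_fstab "$d/fstab.bad" && check_modules "$d/modules"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Each function exits non-zero and prints the offending line number when it finds a problem, so the checks can be chained with && in front of the reboot step.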
After following these instructions, you should have a fully-encrypted root volume running Linux Mint.