@jaonoctus
Forked from crocandr/Linux-Mint-LUKS.md
Created January 4, 2023 00:04
Linux Mint - LUKS encryption

You should create encryption on an empty Disk.

You can convert an existing unencrypted system to an encrypted one, but this is not trivial. (You would have to boot a live system and copy all of your old data onto the new encrypted partitions...) Example:

My partition setup:

| device    | function  | size   | partition type | FS   |
| --------- | --------- | ------ | -------------- | ---- |
| /dev/sda1 | /boot     | 2Gbyte | 83 (Linux)     | ext4 |
| /dev/sda2 | encrypted | 200G   | 83 (Linux)     | -    |

I don't encrypt the boot partition because booting is easier from a simple unencrypted partition. And I think the boot partition doesn't contain any sensitive data.

sda2 will be the LUKS encrypted partition. It contains the LVM volume group holding the system volumes (root, /home, swap, etc.).

Setup

Start a live system, for example Linux Mint, and open a terminal with root permissions (sudo su root).

Create the partitions before starting the install wizard. (Use fdisk for disks smaller than 1Tbyte - MBR, gdisk for larger disks - GPT.)

fdisk /dev/sda

Setup the encrypted volume:

  • create encrypted volume
  • create LVM volumes for the system

Format the partition as a LUKS volume and enter an unlock passphrase when prompted:

cryptsetup luksFormat /dev/sda2

Open the encrypted volume for the setup:

cryptsetup luksOpen /dev/sda2 sda2_crypt

Create the LVM physical volume, volume group and logical volumes:

sudo su root
pvcreate /dev/mapper/sda2_crypt
vgcreate sda2_crypt /dev/mapper/sda2_crypt
lvcreate -L 4G sda2_crypt -n swap
lvcreate -L 40G sda2_crypt -n root
lvcreate -L 140G sda2_crypt -n home

Start the setup wizard (double click on Install Linux Mint icon on the Desktop).

  • choose your options (language, keyboard, etc...)
  • choose "something else" at installation type!
  • choose the LVM logical volumes manually for root, home and swap. Format these volumes with the ext4 filesystem.
  • choose /dev/sda1 for /boot and format with ext4
  • continue the setup...

If you install LMDE (Linux Mint Debian Edition), choose the "Expert" option at the partition step and follow the instructions. Example (as root or with sudo, of course):

  • format the root volume: mkfs.ext4 /dev/mapper/sda2_crypt-root
  • create installation target folder: mkdir /target
  • mount to the /target: mount /dev/mapper/sda2_crypt-root /target
  • create boot folder: mkdir /target/boot
  • mount the boot partition: mount /dev/sda1 /target/boot
  • install and do every step and skip reboot

After the install, mount the root volume under /mnt (or add the bind mounts to the /target folder instead) and make some modifications to the installed OS.

Mount the installed OS filesystem, and chroot into the system:

mount /dev/sda2_crypt/root /mnt
mount /dev/sda1 /mnt/boot
mount /dev /mnt/dev -o bind
mount /proc /mnt/proc -o bind
mount /sys /mnt/sys -o bind
chroot /mnt

Get the encrypted volume UUID with blkid | grep -i crypto_luks | grep -i sda2 (example output):

/dev/sda2: UUID="7f060c80-aad6-492e-93a4-44163746c383" TYPE="crypto_LUKS" PARTUUID="1795d527-02"

Create the crypttab file on the installed OS, /etc/crypttab:

sda2_crypt UUID=7f060c80-aad6-492e-93a4-44163746c383 none luks,retry=1,lvm=sda2_crypt

and update initramfs: update-initramfs -k all -c or update-initramfs -k all -u

Check the fstab entries. If the file is empty or the root/swap/home volumes are not listed, add these partitions to the file. Example:

ROOT:

blkid | grep -i root

/etc/fstab:

UUID=0e2d1e27-65fd-4677-a009-fb2d8862453d / ext4 defaults 0 0

SWAP:

blkid | grep -i swap

/etc/fstab:

UUID=6a4df4e8-ab25-4c33-ae56-e4aabebd3283 swap swap defaults 0 1
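The crypttab and fstab steps above copy UUIDs by hand from blkid output, which is where typos creep in. The following shell example is added here and is not part of the original gist: it derives those lines from blkid-style text (the sample lines below are constructed, modelled on the output shown above) and cross-checks that a crypttab entry really points at a crypto_LUKS device. Function names are my own.

```sh
#!/bin/sh
# Constructed sample blkid output (not captured from a real machine); in practice
# pass "$(blkid)" to the functions instead of this string.
SAMPLE_BLKID='/dev/sda1: UUID="aaaaaaaa-1111-2222-3333-444444444444" TYPE="ext4" PARTUUID="1795d527-01"
/dev/sda2: UUID="7f060c80-aad6-492e-93a4-44163746c383" TYPE="crypto_LUKS" PARTUUID="1795d527-02"
/dev/mapper/sda2_crypt-root: UUID="0e2d1e27-65fd-4677-a009-fb2d8862453d" TYPE="ext4"
/dev/mapper/sda2_crypt-swap: UUID="6a4df4e8-ab25-4c33-ae56-e4aabebd3283" TYPE="swap"'

# Print the filesystem UUID of device $2 from blkid text $1 (" UUID=" with a leading
# space so PARTUUID= is not matched by mistake).
uuid_of() {
    printf '%s\n' "$1" | sed -n "s|^$2:.* UUID=\"\([^\"]*\)\".*|\1|p"
}

# Like uuid_of, but only for devices blkid reports as TYPE="crypto_LUKS"; prints nothing otherwise.
luks_uuid() {
    printf '%s\n' "$1" | grep "^$2:" | grep 'TYPE="crypto_LUKS"' | sed 's/.* UUID="\([^"]*\)".*/\1/'
}

# Build the crypttab line used in this guide: $1 blkid text, $2 source device, $3 mapped name.
crypttab_line() {
    uuid=$(luks_uuid "$1" "$2")
    [ -n "$uuid" ] || { echo "error: $2 is not a crypto_LUKS device" >&2; return 1; }
    printf '%s UUID=%s none luks,retry=1,lvm=%s\n' "$3" "$uuid" "$3"
}

# Build an fstab line: $1 blkid text, $2 device, $3 mount point, $4 fs type, $5 fsck pass.
fstab_line() {
    uuid=$(uuid_of "$1" "$2")
    [ -n "$uuid" ] || { echo "error: no UUID found for $2" >&2; return 1; }
    printf 'UUID=%s %s %s defaults 0 %s\n' "$uuid" "$3" "$4" "$5"
}

# Return 0 if the UUID in crypttab line $2 belongs to a crypto_LUKS device in blkid text $1.
check_crypttab() {
    want=$(printf '%s\n' "$2" | sed -n 's/.*UUID=\([^ ]*\).*/\1/p')
    printf '%s\n' "$1" | grep "UUID=\"$want\"" | grep -q 'TYPE="crypto_LUKS"'
}

crypttab_line "$SAMPLE_BLKID" /dev/sda2 sda2_crypt
fstab_line "$SAMPLE_BLKID" /dev/mapper/sda2_crypt-root / ext4 0
fstab_line "$SAMPLE_BLKID" /dev/mapper/sda2_crypt-swap swap swap 1
```

On the installed system, run the checker against the real /etc/crypttab line before rebooting; a mismatch there means the initramfs will never find the volume to unlock.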

Update grub bootloader configuration:

update-grub

If the install wizard reported any error about installing the grub boot loader at the end of the install procedure, run these commands:

echo "dm-crypt" >> /etc/modules
update-grub #generates basic configuration
grub-install --force --recheck /dev/sda #install bootloader

Type exit and reboot and try the installed OS with the encrypted file system.

More information
