You should set up encryption on an empty disk.
Converting an existing unencrypted system to an encrypted one is possible, but not trivial (you have to boot a live system and copy all of your old data to the new encrypted partitions). Examples:
- https://jschumacher.info/2016/11/encrypt-an-existing-linux-installation-with-luks-and-lvm/
- https://www.johannes-bauer.com/linux/luksipc/
Backing up the data and restoring it onto the new, encrypted system is probably easier than the other solutions.
My partition setup:
device | function | size | partition type | FS
---|---|---|---|---
/dev/sda1 | /boot | 2 GB | 83 (Linux) | ext4
/dev/sda2 | encrypted | 200 GB | 83 (Linux) | - (LUKS container)
I don't encrypt the boot partition because booting is easier from a simple unencrypted partition, and the boot partition doesn't contain any sensitive data. (It does hold the kernel and initramfs, which anyone with physical access can read or modify; the LUKS container protects only the data inside it.)
/dev/sda2 will be the LUKS-encrypted partition. It contains the LVM volume group for the system volumes (/, /home, swap, etc.).
Start a live system, for example Linux Mint, and open a terminal with root permissions (`sudo su root`).
Create the partitions before starting the install wizard (`fdisk` for disks smaller than 1 TB, with an MBR partition table; `gdisk` for larger disks, with GPT):
fdisk /dev/sda
Set up the encrypted volume:
- create the LUKS encrypted volume
- create the LVM volumes for the system inside it
Format the partition as a LUKS container and enter an unlock passphrase:
cryptsetup luksFormat /dev/sda2
Open the encrypted volume for the setup:
cryptsetup luksOpen /dev/sda2 sda2_crypt
Create the LVM physical volume, volume group and logical volumes:
sudo su root
pvcreate /dev/mapper/sda2_crypt
vgcreate sda2_crypt /dev/mapper/sda2_crypt
lvcreate -L 4G sda2_crypt -n swap
lvcreate -L 40G sda2_crypt -n root
lvcreate -L 140G sda2_crypt -n home
Start the setup wizard (double-click the "Install Linux Mint" icon on the desktop).
- choose your options (language, keyboard, etc.)
- choose "Something else" as the installation type!
- select the LVM logical volumes manually for root, home and swap; format the root and home volumes with ext4 (the swap volume is used as swap area)
- choose /dev/sda1 for /boot and format it with ext4, then continue the setup...
If you install LMDE (Linux Mint Debian Edition), choose the "Expert" option at the partitioning step and follow the instructions. Example (as root or with sudo, of course):
- format the root volume:
mkfs.ext4 /dev/mapper/sda2_crypt-root
- create the installation target folder:
mkdir /target
- mount the root volume on /target:
mount /dev/mapper/sda2_crypt-root /target
- create the boot folder:
mkdir /target/boot
- mount the boot partition:
mount /dev/sda1 /target/boot
- run the installer through every step, but skip the reboot at the end
After the install, mount the root volume on /mnt (or add the bind mounts below to the /target folder instead) and make a few modifications to the installed OS.
Mount the installed OS filesystem and chroot into the system:
mount /dev/sda2_crypt/root /mnt
mount /dev/sda1 /mnt/boot
mount /dev /mnt/dev -o bind
mount /proc /mnt/proc -o bind
mount /sys /mnt/sys -o bind
chroot /mnt
Get the UUID of the encrypted volume with blkid | grep -i crypto_luks | grep -i sda2 (example output):
/dev/sda2: UUID="7f060c80-aad6-492e-93a4-44163746c383" TYPE="crypto_LUKS" PARTUUID="1795d527-02"
Create the crypttab file on the installed OS, /etc/crypttab:
sda2_crypt UUID=7f060c80-aad6-492e-93a4-44163746c383 none luks,retry=1,lvm=sda2_crypt
and update the initramfs (-c creates a new one, -u updates the existing one):
update-initramfs -k all -c
or
update-initramfs -k all -u
Check the fstab entries. If the file is empty or the root/swap/home volume is not listed, add these partitions to the file. Example:
ROOT: find the UUID with blkid | grep -i root and add it to /etc/fstab:
UUID=0e2d1e27-65fd-4677-a009-fb2d8862453d / ext4 defaults 0 0
SWAP: find the UUID with blkid | grep -i swap and add it to /etc/fstab:
UUID=6a4df4e8-ab25-4c33-ae56-e4aabebd3283 swap swap defaults 0 1
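The crypttab step and the fstab step above both hinge on copying UUIDs correctly out of blkid; a mistyped UUID in either file gives a boot that hangs waiting for a device that never appears. The following added example, written for this page and not taken from the article or from the Linux Mint/Debian installer, generates both files from blkid output and re-checks them before the reboot. It assumes the article's layout (LUKS container /dev/sda2, VG sda2_crypt, LVs root/swap/home); the function names and the sample blkid text (with made-up UUIDs for sda1 and home) are constructed here.

```shell
#!/bin/sh
# Added example (not part of the original article): build /etc/crypttab and
# /etc/fstab from blkid output instead of retyping UUIDs, then re-check the
# written files before leaving the chroot. Every function takes the blkid text
# as an argument, so it can be exercised on the constructed sample below;
# inside the chroot you would pass "$(blkid)". Device and volume names follow
# the article's layout: LUKS container /dev/sda2, VG sda2_crypt, LVs root/swap/home.

# Constructed sample of blkid output. The sda2, root and swap UUIDs are the ones
# the article shows; the sda1 and home UUIDs are made up for this example.
SAMPLE_BLKID='/dev/sda1: UUID="3c4f2c1a-0000-4b2e-9d1e-000000000001" TYPE="ext4" PARTUUID="1795d527-01"
/dev/sda2: UUID="7f060c80-aad6-492e-93a4-44163746c383" TYPE="crypto_LUKS" PARTUUID="1795d527-02"
/dev/mapper/sda2_crypt-root: UUID="0e2d1e27-65fd-4677-a009-fb2d8862453d" TYPE="ext4"
/dev/mapper/sda2_crypt-swap: UUID="6a4df4e8-ab25-4c33-ae56-e4aabebd3283" TYPE="swap"
/dev/mapper/sda2_crypt-home: UUID="9a1b2c3d-0000-4e5f-8a9b-000000000002" TYPE="ext4"'

# blkid_field KEY DEVICE BLKID_TEXT: print the value of KEY (UUID, TYPE, ...)
# for DEVICE; fail if the device or the key is not listed.
blkid_field() {
    printf '%s\n' "$3" | awk -v dev="$2:" -v key="$1=\"" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if (index($i, key) == 1) {
                    sub(/^[A-Z]+="/, "", $i); sub(/"$/, "", $i)
                    print $i; found = 1; exit
                }
        }
        END { exit !found }'
}

# crypttab_line NAME DEVICE OPTIONS BLKID_TEXT: one crypttab line for DEVICE,
# refused unless blkid reports it as a LUKS container (catches a slip such as
# pointing crypttab at the plain /boot partition).
crypttab_line() {
    [ "$(blkid_field TYPE "$2" "$4")" = "crypto_LUKS" ] || return 1
    printf '%s UUID=%s none %s\n' "$1" "$(blkid_field UUID "$2" "$4")" "$3"
}

# fstab_line DEVICE MOUNTPOINT PASS BLKID_TEXT: one fstab line keyed by UUID,
# with the filesystem type taken from blkid; swap gets the usual "none swap sw".
fstab_line() {
    uuid=$(blkid_field UUID "$1" "$4") || return 1
    fstype=$(blkid_field TYPE "$1" "$4") || return 1
    if [ "$fstype" = swap ]; then
        printf 'UUID=%s none swap sw 0 0\n' "$uuid"
    else
        printf 'UUID=%s %s %s defaults 0 %s\n' "$uuid" "$2" "$fstype" "$3"
    fi
}

# render_crypttab VG BLKID_TEXT / render_fstab VG BLKID_TEXT: the complete files
# for the article's layout (the mapping name equals the VG name, as in the text).
render_crypttab() {
    crypttab_line "$1" /dev/sda2 "luks,retry=1,lvm=$1" "$2"
}
render_fstab() {
    fstab_line "/dev/mapper/$1-root" / 1 "$2" &&
    fstab_line /dev/sda1 /boot 2 "$2" &&
    fstab_line "/dev/mapper/$1-home" /home 2 "$2" &&
    fstab_line "/dev/mapper/$1-swap" none 0 "$2"
}

# write_config ROOTDIR VG BLKID_TEXT: write both files under ROOTDIR/etc
# (ROOTDIR is / inside the chroot, or /mnt from the live system).
write_config() {
    mkdir -p "$1/etc" &&
    render_crypttab "$2" "$3" > "$1/etc/crypttab" &&
    render_fstab "$2" "$3" > "$1/etc/fstab"
}

# verify_config ROOTDIR BLKID_TEXT: every UUID referenced by crypttab and fstab
# must exist in the blkid output; lists the unknown ones and fails if any.
# Run this right before "exit" and reboot.
verify_config() {
    missing=0
    for u in $(cat "$1/etc/crypttab" "$1/etc/fstab" | grep -o 'UUID=[0-9a-fA-F-]*' | cut -d= -f2); do
        if ! printf '%s\n' "$2" | grep -q "UUID=\"$u\""; then
            echo "unknown UUID in $1/etc: $u" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage inside the chroot (needs /dev bind-mounted so blkid sees the volumes):
#   write_config / sda2_crypt "$(blkid)" && verify_config / "$(blkid)" && update-initramfs -k all -u
```

The swap line here uses Debian's `none swap sw 0 0` form rather than the article's `swap swap defaults 0 1`; both boot, since the mount point is ignored for swap, but the zero pass number keeps fsck from being asked to check a swap area. The crypttab options string is passed through unchanged from the article, so the `lvm=` option lands in the file exactly as the text shows it.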
Update grub bootloader configuration:
update-grub
If the install wizard reported an error about installing the GRUB boot loader at the end of the installation, run these commands:
echo "dm-crypt" >> /etc/modules
update-grub #generates basic configuration
grub-install --force --recheck /dev/sda #install bootloader
Type `exit`, reboot, and try the installed OS with the encrypted file system.