
Installing Linux Mint 13 on an Encrypted LVM

AUGUST 25, 2012 BY LOWENTROPYMUSINGS


Recently, I decided that my old netbook running Ubuntu 10.04 was due for an upgrade. Since I’d installed Linux Mint 13 on my desktop and quite enjoyed the experience, I figured I’d give it a try on my netbook too. I also decided that I wanted to have a fully encrypted hard drive to increase the security and prevent potential thieves/hackers/CIA agents from finding out what’s on the drive. After an afternoon of work and many how-to manuals later, I’m sitting in front of a pristine install. Many of those guides were outdated, incomplete, or using methods that I didn’t want to use, like upgrading from a Debian installation. I just wanted to install from a LiveCD the way I’ve always done, and I figured with enough persistence it could be done.

Below I’ll detail how I managed to get it all working. This installs the standard Linux Mint distribution (not LMDE) onto LVM on top of a LUKS partition, leaving only the /boot partition unencrypted. The install will have a separate /home and root partition.

This procedure will overwrite the data on your hard drive, so BACK IT UP FIRST! Also, future versions of software may be slightly different. As such, try to understand what the commands are doing rather than blindly copying if you get stuck. I’ve tried to explain what each set of commands does as well. Man pages and Google are your friends.

The Prep

You will need the following:

  • Linux Mint LiveCD/LiveUSB

  • Network connection for package upgrades

  • A computer to install Mint onto. You will be erasing the hard drive on this.

Step 1 – Prepare the Drive

First boot the LiveCD, and open up Disk Utility or Gparted. I will be assuming your hard drive is /dev/sda. This is where you destroy all the data on your hard drive, so BACK UP FIRST!

Create 3 partitions:

  1. /dev/sda1 – 50Mb, BIOS boot partition. This is where GRUB is going to get installed.

  2. /dev/sda2 – 200Mb, ext2. This will be your unencrypted boot partition.

  3. /dev/sda3 – fill up the rest of the space. You’ll be formatting this partition next, so the type doesn’t matter.

Now open up a terminal and enter the following. You will be asked for a password, which will be the password you’ll need to enter to decrypt your hard drive from now on. Don’t forget it or any data on the drive will be lost.

    # create LUKS partition on /dev/sda3
    cryptsetup -y luksFormat /dev/sda3
    # open the LUKS partition
    cryptsetup luksOpen /dev/sda3 cryptdev

At this point, you should have a device at /dev/mapper/cryptdev. If you’re feeling extra paranoid and want to leave no traces of what was there before, fill it with zero bytes from /dev/zero. There are several reasons I suggest this and not /dev/urandom. First, since you’re encrypting those zero bytes before storing them on disk, they will appear to be random to anyone without the key. Second, it’s considered good practice to zero out partitions before creating filesystems. Third, /dev/urandom can be slow, and you’d probably like to finish installing before they come out with the next release of Mint.

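    # This may take a while. dd stops with "No space left on device" once
    # the mapping is full, which is the expected way for it to finish.
    dd if=/dev/zero of=/dev/mapper/cryptdev bs=1M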

Step 2 – Setting up the LVM

Now we will create the logical volumes inside the LUKS partition. The reason we’re doing it this way around rather than LUKS on LVM is that one only needs to type in the disk password once during boot, rather than once for each partition.

    # install the LVM packages onto the LiveCD
    apt-get install lvm2
    # add LUKS partition as a physical volume to be managed
    pvcreate /dev/mapper/cryptdev
    # add a volume group
    vgcreate vg /dev/mapper/cryptdev
    # add volumes for root, home, and swap
    lvcreate -L 10G -n root vg
    lvcreate -L 2G -n swap vg
    lvcreate -l 100%FREE -n home vg

Make some filesystems in the newly created volumes, and you’re good to go.

    mkfs.ext3 /dev/vg/root
    mkfs.ext3 /dev/vg/home
    mkswap -L swap /dev/vg/swap

Step 3 – Install Linux Mint

Now you can start the graphical Mint installer. When you get to the part where it asks whether to “Erase the disk and install Linux Mint” or “Something else”, choose “Something else”. Now you should be able to select where to mount various things.

  1. Put /boot on /dev/sda2

  2. Put /home on /dev/mapper/vg-home

  3. Put / on /dev/mapper/vg-root

  4. Choose /dev/mapper/vg-swap as a swap partition

  5. Make sure the device for bootloader installation is /dev/sda

Now continue with the rest of the installation as usual. Hopefully the creation of the BIOS boot partition earlier will avoid having to install grub manually with grub-install. See the troubleshooting section at the bottom if I’m wrong about this.

Step 4 – Finishing up

Now head back to your terminal.

    # install the LVM package into the boot environment
    mount /dev/mapper/vg-root /mnt
    mount /dev/sda2 /mnt/boot
    chroot /mnt
    apt-get install lvm2

While you’re chrooted, open up an editor and add the following line to /etc/crypttab. Type exit to get back out of the chroot.

    cryptdev /dev/sda3 none luks,retry=1
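
A check to run on /etc/crypttab inside the chroot before rebooting, as an added example that is not part of the original post: it parses the four whitespace-separated crypttab fields and reports a missing entry, a missing luks option, a key file, or a /dev/sdX source. The function name check_crypttab and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the crypttab entry for one mapping before rebooting.
# Line format: <target> <source device> <key file> <options>

check_crypttab() {    # usage: check_crypttab FILE TARGET
    file=$1; want=$2; found=0; rc=0
    while read -r target source keyfile options extra || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$target" = "$want" ] || continue
        found=$((found + 1))
        if [ -z "$keyfile" ]; then
            echo "ERROR: '$want' needs target, source and key file fields"
            rc=1; continue
        fi
        [ -z "$extra" ] || { echo "ERROR: '$want' has more than four fields"; rc=1; }
        case ",$options," in
            *,luks,*) ;;
            *) echo "ERROR: options '$options' do not include luks"; rc=1 ;;
        esac
        [ "$keyfile" = none ] || echo "WARN: key file '$keyfile' replaces the passphrase prompt"
        case $source in
            /dev/sd*|/dev/hd*) echo "WARN: $source is a kernel name that can change; UUID=<luks-uuid> is stable" ;;
        esac
    done < "$file"
    [ "$found" -ne 0 ] || { echo "ERROR: no entry for '$want'"; rc=1; }
    [ "$found" -le 1 ] || { echo "ERROR: $found entries for '$want'"; rc=1; }
    return "$rc"
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' '# <target> <source> <key file> <options>' \
    'cryptdev /dev/sda3 none luks,retry=1' > "$demo/good"
printf '%s\n' 'cryptdev /dev/sda3 none' > "$demo/no_luks"
printf '%s\n' '# no entries yet' > "$demo/empty"

for f in good no_luks empty; do
    echo "== $f"
    check_crypttab "$demo/$f" cryptdev || echo "-> fix before rebooting"
done
```

Inside the chroot, run it as `check_crypttab /etc/crypttab cryptdev`. On Debian-based systems the initramfs takes its crypttab settings when it is built, so an entry added afterwards reaches early boot only once `update-initramfs -u` has been run in the chroot.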

Now you should be able to shut down, remove the LiveCD and boot up your newly installed Mint. You should get prompted for a password to unlock the hard drive, and then the boot sequence should proceed to the usual graphical login screen. From here, you can continue using and configuring as you normally would. All that changes is you have to unlock your hard drive at boot from now on.

Troubleshooting

During my experiment, things didn’t go quite as smoothly as all this. At one point, I was dumped into a recovery shell and had to manually open the LUKS partition, make LVM map the volumes, and then continue the boot sequence. If this happens to you, here are the incantations to get you going again. To fix this, make sure you’ve got the right line in /etc/crypttab.

    # open the LUKS partition
    cryptsetup luksOpen /dev/sda3 cryptdev
    # map the LVM volumes
    lvm
    vgmknodes
    exit
    # continue with boot
    exec init

Another time I tried to boot and got absolutely nothing. That was because grub hadn’t been installed properly. To fix this, make sure /dev/sda1 has the flag “bios_grub” set according to parted, and that /dev/sda2 is bootable. Then try the following, assuming the volumes have been mapped while running the LiveCD.

    mount /dev/mapper/vg-root /mnt
    mount /dev/sda2 /mnt/boot
    grub-install --root-directory=/mnt /dev/sda
