Check out my other article instead of this one.

Unity is a nice interface which is becoming increasingly polished. As a matter of fact I have switched a number of family members over and they are loving it. It, however, is seriously flawed for “power users” like myself. For example, I often have many text editors open at once and Unity slows me way down (yes, I lived in it for at least one month to give it a fair chance, no this is not an article about why I dislike Unity for my own use).

I have since moved over to Linux Mint 13 with Mate. Since I hate the idea of having any of my data unencrypted, and Linux Mint 13 does not support it in the installer, I needed a solution. I even held off installing it on all my machines until I could ensure my useless collection of funny pictures were protected from… some… scary, funny picture-related threat.

Any way, we should get started before I start looking at those pictures for the rest of the day. I am going to assume sda here but if you want to use another disk simply substitute for that.

Here we go:

• Boot into any Linux Mint 13 installation disc.
• Setup our storage:
  • In a terminal install and load the required tools: sudo apt-get install -y cryptsetup lvm2 && sudo modprobe dm-crypt
  • In a terminal partition sda: ( echo "o" ; echo "n" ; echo "p" ; echo "1" ; echo "" ; echo "+256M" ; echo "n" ; echo "p" ; echo "2" ; echo ""; echo ""; echo "w" ) | sudo fdisk /dev/sda
    • Some might call a 256MB /boot partition a bit excessive. Storage is cheap so it does not bother me too much but you could down down to ~64MB or so. Resizing an encrypted partition is not as easy as resizing an unencrypted one so if you are unsure ~128MB might be a better minimum.
    • This will wipe all of sda.
  • [Optional] In a terminal, if you are very paranoid, fill your encrypted partition with random garbage using one of these:
    • Much faster: sudo dd if=/dev/urandom of=/dev/sda2 bs=1M
    • More secure: sudo shred /dev/sda2
  • In a terminal create an encrypted LUKS device: sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --verify-passphrase /dev/sda2
  • In a terminal open the encrypted device: sudo cryptsetup luksOpen /dev/sda2 system
    If you would like to do multiple installations you can replace system with virtually any name you like so long as you replace it with the same name throughout this article.
  • In a terminal format the partitions: sudo mkfs.ext2 /dev/sda1 ; sudo mkfs.ext4 /dev/mapper/system
    • I always like to specify -m 0 for both filesystems (turns off the reserved blocks percentage). If everything explodes, for some reason, and I can not boot I can always get in with a LiveCD.
• Install Linux Mint 13:
  • Open the Install Linux Mint shortcut on the desktop.
  • When asked about the the automatic partitioning select Something else.
  • Select /dev/sda1 and click the Change… button.
    • Under Use as select Ext2 file system.
    • Under Mount point select /boot.
  • Select /dev/mapper/system and click the Change… button.
    • Under Use as select Ext4 journaling file system.
    • Under Mount point select /.
  • Make sure /dev/sda is selected for Device for boot loader installation.
  • Click Install Now.
    • When it complains about the swap space just continue as we will do this later.
    • When it complains about the the existing partitions not being formatted just continue. We formatted them in a previous step but if you like you can do it again here to get the Linux Mint 13 filesystem defaults.
  • [Optional] When you get to the Who are you screen check Log in automatically. Since you will need to enter a passphrase to unencrypt the disk there is no threat if the machine falls into the wrong hands (there are a lot of ninjas in my apartment). I recommend setting the user password to match the encrypted passphrase for simplicities sake.
  • When the installation is completed and you are prompted to restart select Continue Testing.
• Ready new Linux Mint 13 installation:
  • In a terminal mount new installation: sudo mount /dev/mapper/system /mnt && sudo mount /dev/sda1 /mnt/boot && sudo mount -o bind /dev /mnt/dev ; sudo mount -t proc proc /mnt/proc ; sudo mount -t sysfs sys /mnt/sys
  • In a terminal change into new installation: sudo chroot /mnt /bin/bash
  • [Optional] In a terminal update out-dated pakcages: apt-get update && apt-get -y dist-upgrade && apt-get -y autoremove && apt-get clean
  • In a terminal install and load the required tools: apt-get install -y cryptsetup lvm2 && echo "system UUID=$(ls -l /dev/disk/by-uuid | grep $(basename /dev/sda2) | cut -d ' ' -f 10) none luks" >> /etc/crypttab && update-initramfs -u -k all
  • [Optional] In a terminal add swap: apt-get install zram-config ; dd if=/dev/zero of=/swap bs=1M count=$((`free -m | grep -e "^Mem:" | sed -e 's/^Mem: *//' -e 's/  *.*//'` * 2)) ; chown root:root /swap ; chmod 600 /swap ; mkswap /swap ; echo "/swap none swap sw 0 0" >> /etc/fstab
    • I often only run with zRam but it is rarely a bad idea to also have a disk-backed swap.
  • In a terminal change back to LiveCD: exit
  • In a terminal unmount new installation: sudo umount /mnt/sys ; sudo umount /mnt/proc ; sudo umount /mnt/dev ; sudo umount /mnt/boot && sudo umount /mnt && sudo cryptsetup luksClose system
• Reboot into your new, encrypted Linux Mint 13 installation.

A few notes:

• If you already have an installation you want to encrypt without a fresh install the steps should be very similar. You will need to setup GRUB 2 yourself as, per this article, the Linux Mint 13 installer does it for you. I have not experimented with it but it should not be too hard to figure out.
• These instructions may very well work with other distros, too, but I have not tested that.
• This can all probably be stuck into a script. Maybe I will some time down the road (hell, I do enough of these a month).

Update 2012.09.25
I should proof read more gooder. Sorry about that.