Encrypted Linux Mint 13 and Linux Mint 14 Install

As an updated version of my previous article, here are the steps I took to get an encrypted Linux Mint 14 install. This article should also be used for Linux Mint 13 as I discovered some very minor issues with the old method (seriously, they were so minor I would not bother reinstalling if you were not already planning to).

So, zzzoooooommm:

  • Boot into any Linux Mint 13 or Linux Mint 14 installation disc.
  • Set up our storage:
    • In a terminal install and load the required tools: sudo apt-get install -y cryptsetup lvm2 && sudo modprobe dm-crypt
    • In a terminal partition sda: ( echo "o" ; echo "n" ; echo "p" ; echo "1" ; echo "" ; echo "+256M" ; echo "n" ; echo "p" ; echo "2" ; echo ""; echo ""; echo "w" ) | sudo fdisk /dev/sda
      • Some might call a 256MB /boot partition a bit excessive. Storage is cheap so it does not bother me too much but you could go down to ~64MB or so. Resizing an encrypted partition is not as easy as resizing an unencrypted one so if you are unsure ~128MB might be a better minimum.
      • This will wipe all of sda.
    • [Optional] In a terminal, if you are very paranoid, fill your encrypted partition with random garbage using one of these:
      • Much faster: sudo dd if=/dev/urandom of=/dev/sda2 bs=1M
      • More secure: sudo shred /dev/sda2
    • In a terminal create an encrypted LUKS device: sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --verify-passphrase /dev/sda2
    • In a terminal open the encrypted device: sudo cryptsetup luksOpen /dev/sda2 system
      If you would like to do multiple installations you can replace system with virtually any name you like so long as you replace it with the same name throughout this article. I suggest you use the intended hostname either way.
    • In a terminal create your encrypted logical volumes: sudo vgcreate system /dev/mapper/system && sudo lvcreate -n root -l 100%FREE system
    • In a terminal format the partitions: sudo mkfs.ext2 /dev/sda1 ; sudo mkfs.ext4 /dev/mapper/system-root
      • I always like to specify -m 0 for both filesystems (turns off the reserved blocks percentage). If everything explodes, for some reason, and I can not boot I can always get in with a LiveCD.
  • Install Linux Mint 14:
    • Open the Install Linux Mint shortcut on the desktop.
    • When asked about the automatic partitioning select Something else.
    • Select /dev/sda1 and click the Change… button.
      • Under Use as select Ext2 file system.
      • Under Mount point select /boot.
    • Select /dev/mapper/system-root and click the Change… button.
      • Under Use as select Ext4 journaling file system.
      • Under Mount point select /.
    • Make sure /dev/sda is selected for Device for boot loader installation.
    • Click Install Now.
      • When it complains about the swap space just continue as we will do this later.
      • When it complains about the existing partitions not being formatted just continue. We formatted them in a previous step but if you like you can do it again here to get the installer filesystem defaults.
    • [Optional] When you get to the Who are you screen check Log in automatically. Since you will need to enter a passphrase to decrypt the disk there is no threat if the machine falls into the wrong hands (there are a lot of ninjas in my apartment). I recommend setting the user password to match the encryption passphrase for simplicity's sake.
    • When the installation is completed and you are prompted to restart select Continue Testing.
  • Ready new Linux Mint 14 installation:
    • In a terminal mount new installation: sudo mount /dev/mapper/system-root /mnt && sudo mount /dev/sda1 /mnt/boot && sudo mount -o bind /dev /mnt/dev && sudo mount -o bind /sys /mnt/sys && sudo mount -t proc proc /mnt/proc
    • In a terminal change into new installation: sudo chroot /mnt
    • In a terminal set up network resolution: echo -e "nameserver 8.8.8.8\nnameserver 8.8.4.4" >> /etc/resolv.conf
    • In a terminal install and load the required tools: apt-get install -y cryptsetup lvm2
    • In a terminal set up our configuration for booting: echo "system UUID=$(blkid -s UUID -o value /dev/sda2) none luks" > /etc/crypttab && update-initramfs -u -k all
    • [Optional] In a terminal add swap: dd if=/dev/zero of=/swap bs=1M count=$((`free -m | grep -e "^Mem:" | sed -e 's/^Mem: *//' -e 's/  *.*//'` * 2)) ; chown root:root /swap ; chmod 600 /swap ; mkswap /swap ; echo "/swap none swap sw 0 0" >> /etc/fstab
    • In a terminal change back to LiveCD: exit
    • In a terminal unmount new installation: sudo umount /mnt/proc ; sudo umount /mnt/sys ; sudo umount /mnt/dev ; sudo umount /mnt/boot && sudo umount /mnt
  • Reboot into your new, encrypted installation.
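
The `ls -l /dev/disk/by-uuid | grep sda2 | cut -d ' ' -f 9` extraction that the comments below report as writing a timestamp into /etc/crypttab breaks because ls pads its columns, so the field number depends on the date of the symlink. The following is an added example, not part of the original article: it reproduces the shift on two constructed ls lines and checks the value before it is written. The helper names uuid_by_cut, is_uuid and crypttab_line are hypothetical.

```sh
#!/bin/sh
# Constructed `ls -l /dev/disk/by-uuid` lines (sample data, not from the article).
# A one-digit day is padded with an extra space, which adds an empty field for cut.
LINE_TWO_DIGIT='lrwxrwxrwx 1 root root 10 Jan 15 12:34 1b2c3d4e-aaaa-4bbb-8ccc-0123456789ab -> ../../sda2'
LINE_ONE_DIGIT='lrwxrwxrwx 1 root root 10 Jan  5 12:34 1b2c3d4e-aaaa-4bbb-8ccc-0123456789ab -> ../../sda2'

# The fixed-field extraction applied to a single ls -l line.
uuid_by_cut() {
    printf '%s\n' "$1" | cut -d ' ' -f 9
}

# True only for the 8-4-4-4-12 hex form that LUKS UUIDs take.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# $1 = mapper name, $2 = candidate UUID. Prints the crypttab entry,
# or fails without output if the candidate is not a UUID.
crypttab_line() {
    if ! is_uuid "$2"; then
        echo "refusing to build crypttab entry: '$2' is not a UUID" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Demonstration: the first line yields a valid entry, the second is rejected
# because field 9 is now the timestamp.
for line in "$LINE_TWO_DIGIT" "$LINE_ONE_DIGIT"; do
    crypttab_line system "$(uuid_by_cut "$line")" || true
done

# On the real system (as root inside the chroot) read the UUID with blkid and
# only rebuild the initramfs once the entry has passed the check:
#   uuid=$(blkid -s UUID -o value /dev/sda2)
#   line=$(crypttab_line system "$uuid") && echo "$line" > /etc/crypttab \
#       && update-initramfs -u -k all
```
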

A few notes:

  • If you already have an installation you want to encrypt without a fresh install the steps should be very similar. You will need to set up GRUB 2 yourself as, per this article, the Linux Mint 14 installer does it for you. I have not experimented with it but it should not be too hard to figure out.
  • These instructions may very well work with other distros, too, but I have not tested that.
  • This can all probably be stuck into a script. Maybe I will some time down the road (hell, I do enough of these a month).

15 thoughts on “Encrypted Linux Mint 13 and Linux Mint 14 Install”

  1. thx worked great on netrunner kde, but how do i reduce the swapfile from 6gb to 1gb?

  2. Thanks for the great article! I just went through this process with Linux Mint 14 KDE edition and had a couple of issues. Can I suggest some clarifications?

    1) the “setup network resolution” step is only required if you need to use apt-get to install lvm2 into your new system

    2) lvm2 was NOT included in Mint 14 KDE edition. I skipped over installing it thinking it was only needed for Mint 13. Not sure if this is a difference between Mint 14 regular and KDE edition or what, but KDE edition users should not omit the apt-get step.

    3) the script line for echoing the UUID of the encrypted volume to /etc/crypttab did not generate correct output in my case (it’s possible I had a typo). I’d suggest manually verifying that the correct UUID is put into /etc/crypttab using ls -l /dev/disk/by-uuid.

    1. I modified the text so points 1 and 2 should not be an issue. Thanks for pointing that out. I never personally cared much for KDE so I did not test it.

      The UUID thing is very odd. I know cut -d ' ' -f 9 worked (I manually did a bunch of installs by copying and pasting from this guide). If I try it now, cut -d ' ' -f 10 works and 9 does not. Not sure what to think about that… human error on my part is the only thing that makes any sense but…

  3. Hello there,

    Thank you very much for sharing your knowledge about this type of installation; I was searching for that for a long time. I want to give it a try, but I wonder if I have to be wary of alignment issues, because I have an SSD?

    Is there anything I have to change in the above steps?

    Sorry for my English skills, I’m still learning 😉

  4. I have cleared it up myself: the newer versions of fdisk recognize the right alignment for SSDs. You can check it by typing the following command in a terminal:

    sudo parted /dev/sda align-check opt

  5. Thanks for the great instructions.

    The only problem I’m having is that my external keyboard (USB) is not recognized when I need to enter the crypt passphrase to boot. I can work around this since the internal keyboard works. I was wondering if you knew how I could get the external one working again (it worked in my previous 10.04 install).

    1. Have never seen that but I assume it has something to do with the minimal environment setup by GRUB 2. Since you have not yet entered your password, and thus not loaded the filesystem where your kernel modules are, that might have something to do with it. This is just a guess on my part. Truth be told, I am not sure where to look but that sounds like as good a start as any.

      On the other hand it is USB so, unless the keyboard is doing something weird, it should just work…

      1. Thanks. If I do figure out a solution I’ll post back here. The strange thing is that it works fine on my old 10.04 installation (same hardware). I would assume that it would also work on 12.04, so the difference must be in something that Mint is/is not doing.

        I guess I’ll start by looking for something special that the Ubuntu bootloader is doing; maybe they are explicitly loading a USB driver.

        The good thing is that Mint13 lets me use the built-in keyboard and then close the screen. On 10.04 closing the screen caused all external video to be lost until reboot.

  6. Hey Nick, big thanks for great step by step article.

    Set up elementaryos with your help.

    Thanks again.
    Chris.

  7. I have tried this with Mint17 (under VirtualBox for now, while I see if it works). Two of your lines failed to work; the “fdisk” line, and the one for creating the crypttab file.

    Manually doing the “fdisk /dev/sda” with the exact same commands as you were piping into the command did work, apparently it had a problem with one (or all) of the “echo” commands.

    As for the /etc/crypttab creation; it was inserting the timestamp of the UUID symlink into crypttab rather than the UUID itself, which is odd because the field number should be correct. So what I’ve had to do is split out commands, and verify certain critical commands before taking the next step (especially the “update-initramfs” command).

    So far the VM looks like it finally worked, so now on to the laptop (had to replace its HDD, so figured this was an ideal time to do a LUKS install).
