Debian is my favorite distro, but I usually don’t recommend it as a desktop environment. LMDE is a nice alternative for Debian fans who want to use Debian as their everyday home/work desktop environment. Unlike Ubuntu, it’s a pure Debian installation (basically Debian Testing), but it uses a more agile and up to date package repository. Many software packages which are known to be a hassle on Debian desktops run seamlessly out of the box. Who hasn’t cried out “Come on Debian, who needs Iceweasel. I want the latest version of Firefox with Flash running”. LMDE goes a little bit along the line “I like to have my cake and eat it too”.
One thing that bothered me, though, is that the LMDE installer didn’t offer any option to encrypt the partition(s). I found a howto by hashstat, Howto install LMDE with LVM (with or without encryption). However, I didn’t like the idea of transforming the Live CD into the final system.
The main part of the solution I describe here is heavily based on hashstat’s howto. However, we install LMDE on a virtual machine and then transfer it onto the encrypted partition. There are three steps:
- Install LMDE on a VirtualBox VM
- Prepare encrypted disk
- Transfer LMDE from the virtual machine to the real machine
In my case, I installed LMDE on a virtual machine on my notebook. If you don’t have an extra computer, it might also be possible to install LMDE on a flash drive and later use that to transfer the system to your real machine. However, I didn’t try that. The virtual machine method suited me, since I already had LMDE installed on one for a test drive.
Step 1: Install LMDE on a VirtualBox VM
I was using VirtualBox. The step is pretty similar for any other VM (e.g. VMware).
So let’s create a new virtual machine. Select Linux / Debian (or Debian 64bit if you are going to run a 64bit LMDE) as the guest system. I gave it 1GB of RAM and the default 8GB disk space.
In the settings I changed the network adapter to “Bridged” mode.
When you start the VM for the first time, it asks for boot media. Select the LMDE image (e.g. linuxmint-debian-201012-gnome-dvd-amd64.iso). The rest is straightforward. Install LMDE as you would on a stand-alone PC. You don’t need to create separate partitions for /boot or /home as you would on a real install, since we transfer the whole file system later on anyway.
Make sure that ssh is installed, so we can remotely copy everything over the network onto our real machine later on.
sudo -s
apt-get update
apt-get install ssh
Give root a password, so we can log into the virtual machine remotely as root:
passwd
Test to see if we can log into the machine as root over ssh (replace remotehost with the IP address of the virtual machine):
ssh root@remotehost
It should ask you for your password and let you log in.
Step 2: Prepare encrypted disk
Now boot into the LMDE Live DVD on your machine where you want LMDE to be installed. Open a shell and install some additional packages that we need to create an encrypted partition.
sudo -s
apt-get update
apt-get install lvm2 squashfs-tools cryptsetup
Create the partitions
On my system the drive was /dev/sda, so from here on I use it as the disk device. Replace it with the device on your system (e.g. /dev/hda). We need to create the partitions from scratch; we can use gparted for that purpose.
Create a new partition table from the Device menu. Then add a 256MB boot partition at the beginning of the drive. The rest of the drive is filled with a single unformatted partition; this will hold the encrypted volume later on. If your disk already contains data, you might need to delete the preexisting partitions first. Here is a screenshot of the final result.
Now we can encrypt the partition. It’s also a good idea to fill the partition with random data first, to counteract certain key recovery techniques (this takes a while on a large disk).
dd if=/dev/urandom of=/dev/sda2 bs=1M
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 sda2_crypt
VOLUME=/dev/mapper/sda2_crypt
The first cryptsetup command sets up the encrypted (LUKS) container on the partition. It will ask you for a password. Never forget it! The second command opens the encrypted device at /dev/mapper/sda2_crypt.
In the next step we create several LVM logical volumes. You can think of a logical volume as some sort of partition that lives inside the encrypted partition. We also create the swap partition as a logical volume. That way the swap space is also encrypted.
pvcreate $VOLUME
vgcreate volumes $VOLUME
lvcreate -n lmde -L 10G volumes
lvcreate -n swap -L 2G volumes
lvcreate -n home -L 50G volumes
This will create a logical volume each for the root, swap and home file systems. If you want the last volume to fill the rest of the volume group, just request a bigger size than there is actually space left. The resulting error message tells you the number of free extents:
Volume group "volumes" has insufficient free space (959 extents): 12800 required.
In my case I had 959 extents left. So I created the last volume by specifying the exact number of extents:
lvcreate -n home -l 959 volumes
It’s time to create file systems on our freshly created volumes. The boot partition will be formatted with ext2. root and home are formatted with a journaling file system (e.g. ext4).
mkswap -L swap /dev/volumes/swap
swapon /dev/volumes/swap
mkfs -t ext2 -L boot /dev/sda1
mkfs -t ext4 -L root -j /dev/volumes/lmde
mkfs -t ext4 -L home -j /dev/volumes/home
Step 3: Transfer LMDE from the virtual machine to the real machine
During the following steps, we copy all the data from the LMDE installed on the virtual machine onto our real system.
In order to access our new file system, we need to mount it.
mount /dev/volumes/lmde /mnt
mkdir /mnt/boot /mnt/home
mount /dev/sda1 /mnt/boot
mount /dev/volumes/home /mnt/home
Now we are ready to transfer the LMDE installation. We are going to use rsync over ssh to copy all the data from the virtual machine. Replace remotehost with the IP address of the virtual machine. You can use ifconfig on the VM to find out its IP.
rsync -avz --exclude=proc --exclude=sys --exclude=dev/pts -e ssh root@remotehost:/ /mnt
We need to edit a few files to reflect the physical properties of our machine.
Edit /mnt/etc/crypttab to set your encrypted device:
sda2_crypt /dev/sda2 none luks
Edit /mnt/etc/fstab to reflect your devices. Basically delete everything except the lines for proc and cdrom, and add the mount points for /, /boot, /home and the swap space.
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
LABEL=boot /boot ext2 defaults 0 2
/dev/volumes/lmde / ext4 errors=remount-ro 0 1
/dev/volumes/home /home ext4 defaults 0 2
/dev/volumes/swap none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
Copy the current resolv.conf to the new system. That way we have a name server defined and can access the internet for a package update later on.
cp /etc/resolv.conf /mnt/etc/
Now it’s time to chroot into the new file system. chroot changes the apparent root directory for the currently running process. That way we can work on our new system as if it were the current file system, even though it isn’t. We also need to mount some special file systems so that the devices and kernel files are accessible inside the chroot.
mount --bind /dev /mnt/dev
chroot /mnt
mkdir /sys
mkdir /proc
mount -t sysfs none /sys
mount -t proc none /proc
mount -t devpts none /dev/pts
First, we install some additional packages, so our system is able to access the encrypted partition and the volumes during the boot process.
apt-get update
apt-get install cryptsetup lvm2
If you edit /etc/crypttab after installing cryptsetup, you need to run update-initramfs -u so that the new settings are picked up during boot.
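Before leaving the chroot it is worth verifying that the files just edited describe the layout you intended, in particular that nothing but /boot ends up outside the encrypted volume group (a swap entry on a raw partition would write memory contents to disk in the clear). The following script is an added example, not part of the original howto: it checks the LUKS header magic on the container device, the fields of each crypttab entry, and the fstab entries against a volume group name. The volume group name "volumes", the crypttab line and the fstab lines in write_samples are taken from the howto above; the function names and the fake device files are constructed for this example only.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the layout described above (added example,
# not part of the original howto). The checks only read files, so you can
# point them at /mnt/etc/crypttab, /mnt/etc/fstab and the real container
# device from the live system, or at the constructed samples below.

# Does the given block device (or file) start with the LUKS header magic?
# Both LUKS1 and LUKS2 headers begin with the six bytes "LUKS" 0xBA 0xBE.
is_luks_header() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Every non-comment crypttab line needs four fields (name, device, key file,
# options) and the luks option, otherwise the initramfs cannot map it at boot.
check_crypttab() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r name dev key opts; do
        if [ -z "$opts" ]; then
            echo "crypttab: entry '$name' has fewer than four fields"
            exit 1          # exits the pipeline subshell, failing the function
        fi
        case ",$opts," in
            *,luks,*) ;;
            *) echo "crypttab: entry '$name' lacks the luks option"; exit 1 ;;
        esac
    done
}

# fstab: there must be an entry for /, and /, /home and swap must live on the
# volume group given as $2, i.e. inside the LUKS container. Only /boot (and
# pseudo file systems such as proc) may sit outside it.
check_fstab() {
    vg="$2"
    awk '$1 !~ /^#/ && $2 == "/" { found = 1 } END { exit !found }' "$1" || {
        echo "fstab: no entry for /"; return 1; }
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r fs mnt type opts dump pass; do
        case "$mnt" in
            /|/home|none)       # "none" is the mount point swap entries use
                case "$fs" in
                    /dev/"$vg"/*|/dev/mapper/"$vg"-*) ;;
                    *) echo "fstab: $mnt on $fs is outside volume group $vg"; exit 1 ;;
                esac ;;
        esac
    done
}

# Constructed sample files mirroring the howto's layout, plus a fake device
# carrying the LUKS magic and one full of zeros, so the checks can run offline.
write_samples() {
    dir=$(mktemp -d)
    printf 'sda2_crypt /dev/sda2 none luks\n' > "$dir/crypttab"
    cat > "$dir/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
LABEL=boot /boot ext2 defaults 0 2
/dev/volumes/lmde / ext4 errors=remount-ro 0 1
/dev/volumes/home /home ext4 defaults 0 2
/dev/volumes/swap none swap sw 0 0
EOF
    printf 'LUKS\272\276' > "$dir/luksdev"
    dd if=/dev/zero of="$dir/plaindev" bs=512 count=1 2>/dev/null
    echo "$dir"
}

# Run all checks: run_checks <dir with crypttab+fstab> <container device> <vg>
# e.g. run_checks /mnt/etc /dev/sda2 volumes
run_checks() {
    is_luks_header "$2"          || { echo "$2 carries no LUKS header"; return 1; }
    check_crypttab "$1/crypttab" || return 1
    check_fstab "$1/fstab" "$3"  || return 1
    echo "layout looks consistent: only /boot is outside volume group $3"
}
```

Run it from the live system before rebooting, e.g. `run_checks /mnt/etc /dev/sda2 volumes`; a non-zero exit status and the printed line tell you which entry still points outside the encrypted container.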
Finally we need to install a boot loader. I was using grub which is pretty much standard. Accept the default options. When asked for the GRUB install device, select /dev/sda (or whatever your disk device is).
At this point we are actually done. But it doesn’t hurt to unmount everything and back out from chroot again.
umount /dev/pts
umount /proc
umount /sys
exit
umount /mnt/dev
umount /mnt/home
umount /mnt/boot
umount /mnt
Let’s make sure everything was written to the file system and reboot.
If all went well, you will see the GRUB boot loader during start up. Shortly after that, the system will ask you for the password in order to access the encrypted file system. After the boot process has finished, you are ready to use your brand new LMDE on an encrypted drive. Have fun.