---
title: LMDE3 xfs Full Disk Encryption
date: 2019-01-25T23:25:36-08:00
draft: false
tags:
  - linux-mint
  - disk-encryption
authors:
  - trent
---

Introduction

Linux Mint Debian Edition is the alternate version of Linux Mint, built on a Debian base rather than an Ubuntu one. The result is quite pleasant: the stability of desktop Debian, but with the rough edges polished smooth, nicely configured fonts and UI, and all the multimedia codecs included.

Unfortunately, the LMDE 3 installer does not support disk encryption, but setting it up by hand is pretty straightforward. Doing the partitioning yourself also allows extra freedom and flexibility, and so I have chosen a simple LUKS-encrypted / partition formatted xfs.

As far as swap is concerned, my preference is to use a swap file instead of a swap partition. A swap file is more flexible because you can recreate it at a different size whenever you like (or use none at all), and it needs no extra encryption set-up because it lives on the / partition, which is encrypted anyway. Keep it mode 0600; swapon warns about a swap file with looser permissions.

Will this work with a dual-boot set up? Of course! Because you have to manually configure the partitions anyway, just arrange them exactly how you would need for dual-boot.

This guide assumes UEFI boot, with separate partitions for /boot formatted ext4, /boot/efi formatted FAT32, and a regular LUKS-encrypted partition for / formatted xfs. Be clear about what that protects: the data on / is encrypted at rest, but /boot and the EFI system partition are not, so the kernel, initramfs and bootloader can be read or modified by anyone with physical access to the disk. "Full disk encryption" here means an encrypted root, not a verified boot chain.

Prepare The Installation Media

Visit the Linux Mint website and download the ISO file for LMDE 3 64-bit. Download from torrents if possible, to save bandwidth.

  • verify the SHA-256 sum of the ISO file against the sha256sum.txt published for the release, and check the GPG signature on that list (sha256sum.txt.gpg) with the Linux Mint signing key; a matching checksum only shows the download is intact, the signature is what shows it is genuine
sha256sum lmde-3-201808-cinnamon-64bit.iso
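Comparing a 64-character hash by eye is easy to get wrong. The following script is an added example, not part of the original post: it verifies the signature on the checksum list first, then looks the ISO up in that list and compares the SHA-256 exactly, failing if the ISO is not listed at all. The file names sha256sum.txt and sha256sum.txt.gpg are an assumption (they are what Linux Mint mirrors publish next to the ISO), and the signing key must already be in your GPG keyring.

```shell
#!/bin/sh
# Added example (not from the post): check a downloaded ISO against the mirror's
# sha256sum.txt, after verifying the detached GPG signature on that list so a
# tampered list cannot "match" a tampered ISO. Assumed file names, as published
# on Linux Mint mirrors: sha256sum.txt and sha256sum.txt.gpg next to the ISO.

# verify_list_signature LIST SIGFILE
# 0 if SIGFILE is a good signature over LIST by a key already in the local
# keyring (import the Linux Mint signing key and compare its fingerprint with
# the one published on linuxmint.com before trusting it), non-zero otherwise.
verify_list_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# verify_iso LIST ISO
# 0 only if ISO's base name appears in LIST and its SHA-256 matches exactly.
# The list covers every ISO of the release, so the name lookup is needed; an
# ISO that is missing from the list is a failure, not a pass.
verify_iso() {
    list=$1
    iso=$2
    name=$(basename "$iso")
    [ -f "$iso" ] || { echo "$iso: no such file" >&2; return 1; }
    # Entries are "<hex>  <file>" or, in binary mode, "<hex> *<file>".
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$list")
    [ -n "$expected" ] || { echo "$name: not listed in $list" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: SHA-256 MISMATCH" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Typical use, with all three files in the current directory:
#   verify_list_signature sha256sum.txt sha256sum.txt.gpg &&
#   verify_iso sha256sum.txt lmde-3-201808-cinnamon-64bit.iso
```

The order matters: if the signature check fails, the checksum list is worthless and there is no point comparing hashes against it.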

Identify the thumb drive you are going to install from.

  • type lsblk, note the output, and then insert the thumb drive
  • then type lsblk again and note the additional output
# lsblk /dev/sdb
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:32 1 14.5G 0 disk
├─sdb1 8:33 1 3.4G 0 part /media/trent/Debian 9.6.0 amd64
└─sdb2 8:34 1 416K 0 part

In the above example output we see that our thumb drive is identified as /dev/sdb, and partition /dev/sdb1 is automatically mounted.

Take special care that you have accurately identified the thumb drive before proceeding. For the sake of example, we will proceed on the assumption that our thumb drive is identified as /dev/sdb, but you need to compensate accordingly.

  • unmount any partitions of the thumb drive that were automatically mounted
umount /dev/sdb1
  • write the disk image to the thumb drive
ddrescue -D --force lmde-3-201808-cinnamon-64bit.iso /dev/sdb

Boot The Install Disc

  • boot into the firmware setup (BIOS) and disable Fast Boot and Secure Boot; with Secure Boot off and /boot unencrypted, nothing verifies the kernel and initramfs at boot, which is the trade-off this set-up makes
  • invoke your machine's device boot menu and boot the install disc in UEFI mode
  • confirm that you have booted in UEFI mode: the directory /sys/firmware/efi exists only after an EFI boot, and listing the EFI variables should succeed
ls /sys/firmware/efi/efivars

Partition The Hard Drive

For the rest of this guide we assume the target hard drive is /dev/sda, as an example. Make adjustments as necessary, and check with lsblk that it is not the thumb drive you booted from.

If you would rather use a different partition tool, make sure the EFI system partition has the EFI partition type (ef00 in sgdisk), and you definitely need a separate, unencrypted /boot partition: the GRUB 2.02 shipped with LMDE 3 cannot open a LUKS2 container, so the kernel and initramfs must be readable before the passphrase is entered.

  1. if needed you can clear the drive with wipefs
wipefs --all /dev/sda
  2. create a new GPT partition table on /dev/sda
sgdisk /dev/sda -o
  3. create a new EFI system partition (type ef00) on /dev/sda
sgdisk /dev/sda --new=1::+512MiB --typecode=1:ef00
  4. create a new /boot partition on /dev/sda
sgdisk /dev/sda --new=2::+1G
  5. create a new / partition from the remaining space on /dev/sda
sgdisk /dev/sda --new=3
  6. verify your partition work
sgdisk /dev/sda -p
  7. format the EFI partition
mkfs.vfat -F32 /dev/sda1
  8. format the /boot partition
mkfs.ext4 /dev/sda2
  9. encrypt the / partition; you will be prompted for a passphrase, and that passphrase is all that protects the data at rest, so choose a long one (LUKS2 needs cryptsetup 2.0 or newer; check `cryptsetup --version` on the live system first and use `--type luks1` if it is older)
cryptsetup -y -v luksFormat --type luks2 /dev/sda3
  10. open the / partition as /dev/mapper/cryptroot; you will be prompted for the passphrase again
cryptsetup open /dev/sda3 cryptroot
  11. format the / device
mkfs.xfs /dev/mapper/cryptroot

Mount The Hard Drive

This takes advantage of expert mode in the LMDE installer.

  1. create a /target directory
mkdir /target
  2. mount the / device at /target
mount /dev/mapper/cryptroot /target
  3. create a /target/boot directory
mkdir /target/boot
  4. mount the /boot partition at /target/boot
mount /dev/sda2 /target/boot
  5. create a /target/boot/efi directory
mkdir /target/boot/efi
  6. mount the EFI partition at /target/boot/efi
mount /dev/sda1 /target/boot/efi

Run The Installer App

At this point you're ready to run the live installer. You can click the disc icon on the desktop.

The first three pages of the live installer cover Language, Timezone, and Keymap. The fourth page covers user name, password, and hostname. On the fifth page you come to the partition configuration page, but there is nothing to do there because the partitions are already made and mounted under /target, so select expert mode at the bottom of the page.

Again select forward, and when you come to the page where you configure the location to install grub, that should be the efi partition, i.e. /dev/sda1.

Select forward one more time, and then select install. The installation will run for a few minutes and will then pause. During the pause you need to manually configure fstab and crypttab.

Configure Fstab

  1. find the UUID of the EFI partition
blkid /dev/sda1 -s UUID
  2. find the UUID of the /boot partition
blkid /dev/sda2 -s UUID
  3. find the UUID of the / device
blkid /dev/mapper/cryptroot -s UUID

When you have the correct UUIDs, use them to configure /etc/fstab, which at this point is actually at /target/etc/fstab. One option worth carrying over from Debian's own installer: it mounts the EFI system partition with umask=0077 rather than defaults, so that unprivileged users cannot read the bootloader files on the FAT filesystem.

# /etc/fstab
###############
# efi partition
# run the command `blkid /dev/sda1 -s UUID` which outputs
# /dev/sda1: UUID="17C4-215D", from which derive
UUID=17C4-215D /boot/efi vfat defaults 0 2

# /boot partition
# run the command `blkid /dev/sda2 -s UUID` which outputs
# /dev/sda2: UUID="f2509fff-4854-4721-b546-0274c89e6aec", from which derive
UUID=f2509fff-4854-4721-b546-0274c89e6aec /boot ext4 defaults 0 2

# "/" device
# run the command `blkid /dev/mapper/cryptroot -s UUID` which outputs
# /dev/mapper/cryptroot: UUID="72241377-cd65-43a6-8363-1afce5bd93f6", from which derive
UUID=72241377-cd65-43a6-8363-1afce5bd93f6 / xfs defaults 0 1

Configure Crypttab

Before the file systems can be mounted, crypttab has to open /dev/sda3 as /dev/mapper/cryptroot, so /etc/crypttab needs configuring too; at this point it is actually at /target/etc/crypttab.

  • find the UUID of the partition that will be opened as /dev/mapper/cryptroot; this is the UUID of the LUKS header on the raw partition, which is different from the UUID of the xfs file system inside it that fstab uses
blkid /dev/sda3 -s UUID

When you have the correct UUID for /dev/sda3, use it to configure /target/etc/crypttab.

# /etc/crypttab
# run the command `blkid /dev/sda3 -s UUID` which outputs
# /dev/sda3: UUID="da3e0967-711f-4159-85ac-7d5743a75201", from which derive
# <target name> <source device> <key file> <options>
cryptroot UUID=da3e0967-711f-4159-85ac-7d5743a75201 none luks
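The partition, encryption and mount steps from the earlier sections, plus the fstab and crypttab entries above, as one script. This is an added example and not the post's own. It assumes exactly the layout used in this guide (partition 1 EFI, 2 /boot, 3 LUKS root mapped as cryptroot, installer target /target) and adds two things the by-hand sequence lacks: a preflight check that refuses to run against anything other than an unmounted whole disk, which is how the live USB shows up in lsblk, and fstab/crypttab entries taken straight from blkid -o value so no UUID is ever retyped. It also handles nvme0n1p1-style partition names.

```shell
#!/bin/sh
# Added example, not the post's own script: the partition/encrypt/mount steps
# and the fstab/crypttab steps of this guide as shell functions, with a
# preflight check that refuses to wipe a disk that has mounted partitions
# (which is how the live USB shows up in lsblk). Assumes the post's layout and
# names exactly: GPT; partition 1 = EFI, 2 = /boot (ext4), 3 = LUKS root
# formatted xfs and mapped as cryptroot; installer target at /target.
# Nothing below touches a disk unless the script is invoked explicitly as
#   sh lmde-fde.sh partition /dev/sda     (before starting the installer)
#   sh lmde-fde.sh tabs /dev/sda          (during the installer's pause)
set -u

TARGET=/target
MAPPER=cryptroot

# part DEV N: partition node for partition N of DEV; handles both the sda1 and
# the nvme0n1p1 naming styles.
part() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# mounted_parts LSBLK_TEXT DISK: LSBLK_TEXT is the output of
# `lsblk -nro NAME,MOUNTPOINT`; prints each partition of DISK (e.g. "sdb")
# that has a mount point. Empty output means nothing on DISK is mounted.
mounted_parts() {
    printf '%s\n' "$1" | awk -v d="$2" 'index($1, d) == 1 && NF >= 2 { print $1 }'
}

# preflight DEV: DEV must be a whole-disk block device with nothing mounted.
preflight() {
    [ -b "$1" ] || { echo "$1: not a block device" >&2; return 1; }
    [ "$(lsblk -nrdo TYPE "$1")" = disk ] || { echo "$1: not a whole disk" >&2; return 1; }
    busy=$(mounted_parts "$(lsblk -nro NAME,MOUNTPOINT "$1")" "${1#/dev/}")
    [ -z "$busy" ] || { echo "$1: refusing, mounted partitions: $busy" >&2; return 1; }
}

# partition DEV: the post's sgdisk/mkfs/cryptsetup/mount sequence, stopping at
# the first failure (set -e stays on afterwards, which is what we want here).
# LUKS2 needs cryptsetup 2.0 or newer on the live system.
partition() {
    dev=$1
    preflight "$dev" || return 1
    set -e
    wipefs --all "$dev"
    sgdisk "$dev" -o
    sgdisk "$dev" --new=1::+512MiB --typecode=1:ef00
    sgdisk "$dev" --new=2::+1G
    sgdisk "$dev" --new=3
    sgdisk "$dev" -p
    mkfs.vfat -F32 "$(part "$dev" 1)"
    mkfs.ext4 "$(part "$dev" 2)"
    cryptsetup -y -v luksFormat --type luks2 "$(part "$dev" 3)"
    cryptsetup open "$(part "$dev" 3)" "$MAPPER"
    mkfs.xfs "/dev/mapper/$MAPPER"
    mkdir -p "$TARGET" && mount "/dev/mapper/$MAPPER" "$TARGET"
    mkdir -p "$TARGET/boot" && mount "$(part "$dev" 2)" "$TARGET/boot"
    mkdir -p "$TARGET/boot/efi" && mount "$(part "$dev" 1)" "$TARGET/boot/efi"
}

# uuid_of NODE: the UUID blkid reports for NODE, without the quotes.
uuid_of() { blkid -s UUID -o value "$1"; }

# fstab_lines EFI_UUID BOOT_UUID ROOT_UUID: the three entries from the post.
fstab_lines() {
    printf 'UUID=%s /boot/efi vfat defaults 0 2\n' "$1"
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$2"
    printf 'UUID=%s / xfs defaults 0 1\n' "$3"
}

# crypttab_line LUKS_UUID: maps the LUKS partition to /dev/mapper/cryptroot.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$MAPPER" "$1"
}

# tabs DEV: write both files straight from blkid so no UUID is retyped by hand.
# The crypttab UUID is that of the LUKS header on the raw partition; the fstab
# root UUID is that of the xfs filesystem inside the mapping. They differ.
tabs() {
    dev=$1
    fstab_lines "$(uuid_of "$(part "$dev" 1)")" "$(uuid_of "$(part "$dev" 2)")" \
        "$(uuid_of "/dev/mapper/$MAPPER")" > "$TARGET/etc/fstab"
    crypttab_line "$(uuid_of "$(part "$dev" 3)")" > "$TARGET/etc/crypttab"
}

case ${1:-} in
    partition|tabs) "$1" "${2:?usage: $0 partition|tabs /dev/sdX}" ;;
esac
```

Run partition before starting the installer and tabs during its pause; run without arguments the script only defines the functions, so it is safe to source for testing the helpers.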

Resume Installer App

At this point finish running the live installer, and you'll be done.

UEFI Fix

On some machines, such as certain HP laptops, the firmware does not keep the EFI boot entry that grub-install registers, so after a reboot it cannot find the bootloader. The workaround is to also put GRUB at the removable-media fallback path EFI/BOOT/BOOTX64.EFI, which firmware tries when no boot entry matches. Do this from the live system after the installer has finished (or before rebooting, while the partitions are still mounted).

  1. mount the EFI partition and change into its EFI directory; confirm the name of the distribution's directory there before copying (it is linuxmint here)
mount /dev/sda1 /mnt/ ; cd /mnt/EFI/
  2. create a default EFI executable
mkdir BOOT ; cp linuxmint/grubx64.efi BOOT/BOOTX64.efi

Optional Swap File

Visit the Arch Wiki and they will hook you up.