9.6 KiB
title | date | draft | tags | summaryimage | summaryimagew | summaryimageh | authors | |||
---|---|---|---|---|---|---|---|---|---|---|
LMDE4 Custom Partitions Disk Encryption | 2020-12-15 | false |
|
Screenshot31.png | 754 | 700 |
|
date: 2020-12-15
Introduction
Linux Mint Debian Edition is the alternate version of Linux Mint, but built on a Debian base. The result is quite pleasant: the stability of desktop Debian, but with the rough edges polished smooth, nicely configured fonts and ui, and all the multi-media codecs included.
Previously, I wrote a guide for installing LMDE3 with disk encryption{target=_blank}. The installer for LMDE 4 is different in that it includes support for disk encryption, but not if you need custom partitions such as for a dual-boot configuration.
With this in mind, the examples presented below assume that you have Windows 10 installed in 4 partitions, and
thus you would want to make 3 partitions (5,6,7) after that, for LMDE4.
As with before, with separate partitions for /boot
formatted ext4, /boot/efi
formatted fat32,
and a regular luks-encrypted partition for /
formatted xfs.
With a separate efi partition for LMDE4, you can then use the computer's device boot menu to select which efi boot entry you want to boot. There is also an advantage in having Windows use the first efi partition, in that if something happens to the Windows efi boot entry, you can fall back to the default efi executable. Whereas, if the efi boot entry for Linux somehow gets wiped, you could repair that easily enough via chroot{target=_blank}.
Prepare The Installation Media
Visit the Linux Mint Website{target=_blank} and download{target=_blank} the iso file for LMDE 4 64bit. Download from torrents if possible, to save bandwidth.
- verify the sha256 sum of the iso file
sha256sum lmde-4-cinnamon-64bit.iso
Identify the thumb drive you are going to install from.
- type
lsblk
, note the output, and then insert the thumb drive - then type
lsblk
again and note the additional output
# lsblk /dev/sdb
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:32 1 14.5G 0 disk
├─sdb1 8:33 1 3.4G 0 part /media/trent/Debian 9.6.0 amd64
└─sdb2 8:34 1 416K 0 part
In the above example output we see that our thumb drive is identified as /dev/sdb
, and partition /dev/sdb1
is automatically mounted.
Take special care that you have accurately identified the thumb drive before proceeding. For the sake of example,
we will proceed on the assumption that our thumb drive is identified as /dev/sdb
, but you need to compensate accordingly.
- unmount any partition of the thumb drive that are automatically mounted
umount /dev/sdb1
- write the disk image to the thumb drive
ddrescue -D --force lmde-4-cinnamon-64bit.iso /dev/sdb
Boot The Install Disc
- boot into bios to disable fastboot and secureboot
- invoke your machine's device boot menu and boot the install disc in uefi mode
- confirm that you have booted in uefi mode by listing efivars
ls /sys/firmware/efi/vars
Partition The Hard Drive
If you recall we are assuming the target hard drive is /dev/sda
, as an example. So, make adjustments as necessary.
If you would rather use a different partition tool, make sure the efi partition is an efi partition type, and you definitely need a separate /boot
partition.
If indeed, you are installing a dual-boot and are installing alongside another operating system, then skip steps 1 and 2, obviously.
- if needed you can clear the drive with wipefs
wipefs --all /dev/sda
- create a new partition table for
/dev/sda
sgdisk /dev/sda -o
- create a new efi partition for
/dev/sda
sgdisk /dev/sda --new=5::+512MiB --typecode=1:ef00
- create a new
/boot
partition for/dev/sda
sgdisk /dev/sda --new=6::+1G
- create a new
/
partition for/dev/sda
sgdisk /dev/sda --new=7
- verify your partition work
sgdisk /dev/sda -p
- format the efi partition
mkfs.vfat -F32 /dev/sda5
- format the /boot partition
mkfs.ext4 /dev/sda6
- encrypt the
/
partition, you will be prompted for a password
cryptsetup -y -v luksFormat --type luks2 /dev/sda7
- decrypt the
/
partition, you will be prompted for a password
cryptsetup open /dev/sda7 cryptroot
- format the
/
device
mkfs.xfs /dev/mapper/cryptroot
Mount The Hard Drive
This takes advantage of expert mode in the LMDE installer.
- create an
/target
directory
mkdir /target
- mount the
/
device at/target
mount /dev/mapper/cryptroot /target
- create an
/target/boot
directory
mkdir /target/boot
- mount the
/boot
partition at/target/boot
mount /dev/sda6 /target/boot
- create an
/target/boot/efi
directory
mkdir /target/boot/efi
- mount the efi partition at
/target/boot/efi
mount /dev/sda5 /target/boot/efi
Run The Installer App From Command Line
At this point you're ready to run the live installer. But you need to run the installer from the command line in order to use expert-mode:
live-installer --expert-mode
The first three pages of the live-installer cover Language,Timezone, and Keymap. The fourth page of the live-installer covers name, password, and hostname. After this select manual partitioning.
On the seventh page of the live-installer, you come to a partition configuration page.
But there is nothing to do here. The partition-configuration doesn't even recognize
your encrypted partitions. But no matter, because you have already mounted the target
file system relative to /target/
, so select expert mode at the bottom of the page.
Again select forward, and when you come to the page where you configure the location
to install grub, that should be the efi partition, i.e. /dev/sda5
.
Then continue with the installation. The installation will run for a
few minutes and will then pause. There will be a popup informing you that the installation has paused.
During the pause you need to manually configure fstab
and crypttab
.
Configure Fstab
- find the UUID of the efi partition
blkid /dev/sda5 -s UUID
- find the UUID of the
/boot
partition
blkid /dev/sda6 -s UUID
- find the UUID of the
/
device
blkid /dev/mapper/cryptroot -s UUID
And when you find the correct UUID numbers, use them to configure /etc/fstab
which is actually currently at /target/etc/fstab
.
# /etc/fstab
###############
# efi partition
# run the command `blkid /dev/sda1 -s UUID` which outputs
# /dev/sda5: UUID="17C4-215D", from which derive
UUID=17C4-215D /boot/efi vfat defaults 0 2
# /boot partition
# run the command `blkid /dev/sda2 -s UUID` which outputs
# /dev/sda6: UUID="f2509fff-4854-4721-b546-0274c89e6aec", from which derive
UUID=f2509fff-4854-4721-b546-0274c89e6aec /boot ext4 defaults 0 2
# "/" device
# run the command `blkid /dev/mapper/cryptroot -s UUID` which outputs
# /dev/mapper/cryptroot: UUID="72241377-cd65-43a6-8363-1afce5bd93f6", from which derive
UUID=72241377-cd65-43a6-8363-1afce5bd93f6 / xfs defaults 0 1
Configure Crypttab
But before the file systems can be mounted, crypttab
needs to mount /dev/sda3
at /dev/mapper/cryptroot
.
Configure /etc/crypttab
which is actually currently at /target/etc/crypttab
Sorry, that's actually an over-simplification. But you need to configure crypttab
now,
because when the installer continues running again, it installs the bootloader and builds the initramfs,
and mkinitramfs
parses crypttab
, and builds and configures the initramfs in such a way that it knows
to decrypt your /
partition so it can then hand it off to the kernel at boot time (I think).
- find the UUID of the partition that will be mounted at
/dev/mapper/crypttab
blkid /dev/sda3 -s UUID
And when you find the correct UUID number for /dev/sda3
,
use that to configure /etc/crypttab
which is actually currently at /target/etc/crypttab
.
# /etc/crypttab
# run the command `blkid /dev/sda7 -s UUID` which outputs
# /dev/sda7: UUID="da3e0967-711f-4159-85ac-7d5743a75201", from which derive
# <target name> <source device> <key file> <options>
cryptroot UUID=da3e0967-711f-4159-85ac-7d5743a75201 none luks
Resume Installer App
At this point finish running the live installer, and you'll be done.
UEFI Fix
Well, actually there isn't one. In this scenario having two efi partitions, we rely on the motherboard correctly persisting efi boot entries.
So if you are unlucky enough to have one of the HP laptops that forgets efi boot entries, I guess you are out of luck.
You might try using a single efi partition instead of two, and maybe that will work. Presumably this would require using VeraCrypt for Windows, instead of Bitlocker (because Bitlocker won't allow Grub to load the Windows bootloader?)
Optional Swap File
Visit the Arch Wiki{target=_blank} and they will hook you up.