Linux Mint 16 Install With LUKS on LVM

Fedora has been my go-to Linux distribution since before it was Fedora, way back when there simply was Red Hat Linux. I was always happy with it, but in the past few years, I’ve had less time to deal with its quirks and bugs (Fedora is, by design, more bleeding-edge and less stable than RHEL), and after the Gnome-pocalypse hit, to deal with KDE, which just wasn’t my speed.

Searching for alternative distributions, I found Linux Mint and Cinnamon – a new desktop using GTK+3. Ten minutes after running a live-DVD, I was sold, and it was time to wipe the slate clean and set up my new system. And while I don’t normally wear a tin-foil hat, I did want to encrypt my new system, which led me to do a lot of reading and learning about some twists and gotchas, which I am documenting here in the hope they can be useful to someone else.

The most useful material I found out there was from ArchLinux, generally a super source of Linux documentation, even when not all of it is applicable to other distributions and tools. There are also blog posts dealing specifically with Mint and encryption, though the schemes used there are slightly different (LVM on LUKS).

My system has an SSD, and I was also adding a new (higher-capacity) HDD to mount as /home. Obviously the idea there is that I can easily reinstall the OS on the SSD without messing with my personal data. I used SystemRescueCD to partition and format the drives, before even booting into the Linux Mint DVD.

Using gdisk, lvm, mkfs and luksCreate, I set up the structure for my system as I envisioned, which was fairly simple, though there is certainly a level of nesting inherent here that adds some complexity:

[Figure: Rough sketch of what a LUKS-on-LVM setup could look like]

/dev/sda1 is the EFI boot partition, necessary if one wants to boot via UEFI instead of the traditional MBR scheme. Seeing how this was something new to learn, I decided to go that route, though it tripped me up a little later. /dev/sda2 was a traditional Linux boot partition, while the rest of the space on my SSD was dedicated to an LVM volume, which in turn housed a LUKS container, protected by a secret passphrase of my choosing. /dev/sdb, my hard drive, had but a single LVM volume with a LUKS container.

Once the foundation was built, it was time to run the Linux Mint DVD and start the installer. This was, of course, after opening my target LUKS device with cryptsetup luksOpen, which was conveniently already available on the Live-DVD. This is where I ran into my first snag, a snag that actually didn’t have anything to do with encryption, but with installing the bootloader in the GPT boot partition: I was unable to select my GPT bootloader partition as the location for the EFI bootloader.

When booting the Linux Mint DVD before installation, it has to be booted using UEFI! This was an option in the UEFI interface for my ASUS P8Z77 board.

Once I’d figured that out, I could pick out the proper devices for the EFI bootloader as well as the /, /boot and /home mount points. Once the installer finished, I opened a shell, chroot'd into the installation and set up /etc/crypttab and /etc/fstab as follows:

# /etc/crypttab
root /dev/mapper/vg_system-lv_root none luks
home /dev/mapper/vg_data-lv_home /etc/luks-keys/home.key luks

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
/dev/sda1 /boot/efi vfat defaults 0 1
/dev/sda2 /boot ext4 defaults 0 2
/dev/mapper/root / ext4 errors=remount-ro 0 1
/dev/mapper/home /home ext4 defaults 0 2
tmpfs /tmp tmpfs defaults,noatime,mode=1777,nosuid,size=4G 0 0

This is where I became a little confused, having been reading the ArchLinux wiki and its references to mkinitcpio. Since Linux Mint uses GRUB as its default bootloader, a different set of commands was called for, namely update-initramfs. To build the initial boot image such that it opens the right LUKS container and mounts it at /, I ran update-initramfs -u -k all.
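Before rebuilding the initramfs it is worth confirming that the two files agree with each other and that the home key file is where the layout above assumes it to be: under the encrypted root, readable by root only, and not on the unencrypted /boot partition. The script below is an added example, not part of the original post; make_sample_layout writes a constructed copy of the crypttab and fstab shown above (with a random stand-in for home.key) into a throwaway directory, and check_crypt_layout takes the chroot path as its argument.

```shell
#!/bin/sh
# Consistency check for the LUKS-on-LVM layout above, meant to run against
# the chroot before update-initramfs. Added example, not the post's own code;
# the sample tree is constructed from the post's crypttab/fstab.

# Write the post's crypttab/fstab and a root-only key file under $1/etc.
make_sample_layout() {
    mkdir -p "$1/etc/luks-keys"
    printf 'root /dev/mapper/vg_system-lv_root none luks\n' > "$1/etc/crypttab"
    printf 'home /dev/mapper/vg_data-lv_home /etc/luks-keys/home.key luks\n' >> "$1/etc/crypttab"
    printf '/dev/sda1 /boot/efi vfat defaults 0 1\n/dev/sda2 /boot ext4 defaults 0 2\n' > "$1/etc/fstab"
    printf '/dev/mapper/root / ext4 errors=remount-ro 0 1\n/dev/mapper/home /home ext4 defaults 0 2\n' >> "$1/etc/fstab"
    head -c 64 /dev/urandom > "$1/etc/luks-keys/home.key"   # stand-in for the real key
    chmod 0600 "$1/etc/luks-keys/home.key"
}

# Returns 0 if $1/etc/crypttab and $1/etc/fstab agree, 1 otherwise.
check_crypt_layout() {
    root=$1; rc=0
    # 1. every /dev/mapper/<name> mounted in fstab must be opened by a crypttab
    #    entry of that name (the LVM volumes appear only as crypttab sources)
    awk '$1 ~ /^\/dev\/mapper\// {sub(/^\/dev\/mapper\//, "", $1); print $1, $2}' "$root/etc/fstab" |
    while read -r name mnt; do
        awk -v n="$name" '$1 == n {f=1} END {exit !f}' "$root/etc/crypttab" ||
            { echo "fstab mounts /dev/mapper/$name at $mnt but crypttab has no entry '$name'"; exit 1; }
    done || rc=1
    # 2. each key file named in crypttab must exist, be readable by root only,
    #    and not live on the unencrypted /boot partition
    awk 'NF >= 3 && $1 !~ /^#/ && $3 != "none" {print $1, $3}' "$root/etc/crypttab" |
    while read -r name key; do
        case "$key" in
            /boot/*) echo "key for '$name' sits on unencrypted /boot: $key"; exit 1 ;;
            /*) ;;
            *) echo "key for '$name' is not an absolute path: $key"; exit 1 ;;
        esac
        [ -f "$root$key" ] || { echo "key for '$name' missing: $root$key"; exit 1; }
        # columns 5-10 of ls -l are the group/other permission bits
        [ "$(ls -l "$root$key" | cut -c5-10)" = "------" ] ||
            { echo "key for '$name' is readable by group/other: $key"; exit 1; }
    done || rc=1
    return $rc
}

# Demo: build the sample tree, check it, and clean up.
d=$(mktemp -d)
make_sample_layout "$d"
check_crypt_layout "$d" && echo "crypttab and fstab are consistent"
rm -rf "$d"
```

On the real system, run it as check_crypt_layout /target (or whatever the installer's chroot path is) from the live session before entering the chroot.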

The boot sequence, as I understand it, is as follows:

  1. The PC’s UEFI runs, reads the GPT partition table to identify the bootloader partition, finding the GRUB executable installed there, loads it into memory and begins its execution.
  2. This GRUB executable mounts the /boot partition (which is not encrypted), loads the initramfs image found there, which bootstraps the rest of the startup process. Since that image was rebuilt with my settings from /etc/crypttab (done by running update-initramfs -u -k all), it knows to open a LUKS container provided by /dev/mapper/vg_system-lv_root (prompting me for a passphrase), which becomes /dev/mapper/root (root being the name I chose in /etc/crypttab). /etc/fstab then instructs the system to mount that at /, and the root filesystem is prepared.
  3. The LUKS container “home” is opened using the key in the now accessible root filesystem, and becomes /dev/mapper/home, which is mounted at /home.

With all this configured, I exited the chroot jail, removed the DVD, and finally rebooted. I was greeted with an uncaptioned input box for my passphrase. Once entered correctly, my system came up properly and surprisingly with no issues or problems. Still left for me to do is to encrypt my swap partition, but that’s on the back-burner for now and should be simple.

So far, I’ve been extremely happy with my Mint install and don’t see me going back to Fedora anytime soon.
