Install Linux Mint Debian Edition (LMDE 6) in Expert Mode

Last edited on 2024-10-01. Tagged under #lmde #debian #linux #encrypt

I like to create encrypted storage space to hold the contents of my home directory that is separate from the encrypted space that contains the root filesystem. This makes it easier if I decide to re-install Linux on the target system while preserving user data.

During an install of LMDE 6 aka "Faye" - if you select the option to automatically erase and partition the disk using LUKS (Linux Unified Key Setup) - the installer creates a single encrypted partition formatted with LVM (Logical Volume Manager) containing two "virtual partitions" (Logical Volumes or LVs): a swap LV, and a root LV that uses all remaining disk storage. There is no option to add a home LV to the automatic schema.

Previously I would resize the root LV to make room for a home LV, but in my daily use I've found LVM to be an extra layer of complexity whose benefits - such as resizing and/or creating new LVs - I never end up using. More significantly, LVM makes re-installing the OS while preserving the contents of home much more complicated on LMDE (which again is different than how it's done on the Ubuntu-based Linux Mint).

My preferred alternative: LMDE offers an expert-mode install option that is considerably more flexible in handling a custom partition layout of disk storage. I use live-installer-expert-mode and create separate encrypted partitions for root and home sans LVM.

This is how I do it...

1. Let's go!

1.1 Setup

  • Target device is 64-bit architecture
  • UEFI boot with GRUB as bootloader
  • LMDE is the sole OS on a single disk (example: sda)
  • In lieu of creating a separate swap partition, after the install I configure zram swap
  • GPT partition table with 4 partitions:
    • sda1 = Size: 300MB; Format: vfat; Use as: EFI system partition
    • sda2 = Size: 1GB; Format: ext4; Use as: bootloader
    • sda3 = Size: 64GB; Format: luks; Use as: encrypted partition
      • Device: /dev/mapper/root; Format: ext4; Use as: root device
    • sda4 = Size: ->END; Format: luks; Use as: encrypted partition
      • Device: /dev/mapper/home; Format: ext4; Use as: home device

1.2 Download

The latest 64-bit live ISO install images are available here: Torrents and download mirrors. Download lmde-6-cinnamon-64bit.iso and sha256sum.txt.

On a Linux-based system, verify the image by running:

$ sha256sum -c --ignore-missing sha256sum.txt
lmde-6-cinnamon-64bit.iso: OK

1.3 Prepare install media

Prepare a USB storage drive as an installer using one of these two methods:

Method 1: Ventoy

I now use Ventoy to set up a USB device as a multiboot installer. Simply copy an ISO to the device, reboot, and the auto-generated menu lists all the disk images available to boot.

Method 2: dd

Write the installer to an unmounted USB storage device using the dd command as root.

BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.

Example: On a Linux system, if a USB stick appears as sdX1, then write the installer to sdX (no partition number):

$ sudo dd if=/path/to/lmde-6-cinnamon-64bit.iso of=/dev/sdX bs=1M
$ sync
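
A read-back check for the dd method, as an added example that is not part of the original post: it checks the ISO against sha256sum.txt and then compares the first bytes of the written device with the image. The function name verify_written is hypothetical, and /dev/sdX is the same placeholder as above.

```sh
# Added example (not from the original post); verify_written is a hypothetical name.
# verify_written ISO SUMS DEVICE
#   ISO     image that was written, e.g. lmde-6-cinnamon-64bit.iso
#   SUMS    sha256sum.txt downloaded alongside it
#   DEVICE  what dd wrote to, e.g. /dev/sdX (reading it needs root)
# Exit status: 0 everything matches, 1 mismatch, 2 ISO not listed in SUMS.
verify_written() (
    iso=$1 sums=$2 dev=$3
    name=$(basename "$iso")

    # Lines in SUMS are "<hash> <name>" or "<hash> *<name>" (binary-mode marker)
    want=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name: not listed in $sums"; exit 2; }

    have=$(sha256sum < "$iso" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "$name: download does not match $sums"; exit 1; }

    # The device is larger than the image, so hash only the first <image size> bytes.
    # Re-plug the stick first, otherwise the read may be served from the page cache.
    size=$(( $(wc -c < "$iso") ))
    ondev=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    [ "$ondev" = "$want" ] || { echo "$dev: first $size bytes differ from $name"; exit 1; }

    echo "$dev: matches $name ($want)"
)

# Usage after dd and sync:
#   sudo sh -c '. ./verify.sh; verify_written lmde-6-cinnamon-64bit.iso sha256sum.txt /dev/sdX'
```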

2. Configure live environment

2.1 Boot and switch to root

Connect LMDE install media to the computer and boot to desktop. Open a terminal and switch to a root shell:

$ sudo -i

2.2 Confirm EFI support

# dmesg | grep -i efivars
[    0.301784] Registered efivars operations

2.3 Define DISK variables

Identify the disk where LMDE will be installed by listing block devices:

# lsblk -f

Set DISK variables for either a SATA or NVMe device:

SATA (example: sda)

# DISK="/dev/sda"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}${EFI_PART}"
# BOOT_DISK="${DISK}${BOOT_PART}"
# ROOT_DISK="${DISK}${ROOT_PART}"
# HOME_DISK="${DISK}${HOME_PART}"

NVMe (example: nvme0n1)

# DISK="/dev/nvme0n1"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}p${EFI_PART}"
# BOOT_DISK="${DISK}p${BOOT_PART}"
# ROOT_DISK="${DISK}p${ROOT_PART}"
# HOME_DISK="${DISK}p${HOME_PART}"

3. Prepare DISK

3.1 Wipe DISK

Before creating the new partition layout, wipe the DISK:

# wipefs -af $DISK
# sgdisk --zap-all --clear $DISK
# partprobe $DISK && sgdisk -p $DISK

NOTE: If LVM was previously used on the drive, this might fail with an error such as Device or resource busy. This is because the volume group might have gotten set up on boot. In such cases, bring it down with:

# vgchange -an

After that, wipefs -af should work.
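
A guard that can run before the wipe commands above, as an added example that is not part of the original post: it derives the partition names from 2.3 for either kind of disk and lists anything still mounted from the target disk. part_dev and disk_mounts are hypothetical helper names; the optional second argument of disk_mounts exists so the check can be tried against a constructed mounts file.

```sh
# Added example (not from the original post); function names are hypothetical.

# part_dev DISK N -> device node of partition N on DISK.
# Linux puts a "p" before the partition number when the disk name ends in a
# digit (nvme0n1 -> nvme0n1p3, mmcblk0 -> mmcblk0p3), otherwise not (sda -> sda3).
part_dev() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# disk_mounts DISK [MOUNTS_FILE]
# Prints every mount whose source is DISK or one of its partitions. Exit status
# is 0 if at least one was found, 1 if none. MOUNTS_FILE defaults to /proc/mounts.
# Only direct mounts are seen: an active LVM or dm-crypt mapping on the disk is
# not, which is the "Device or resource busy" case in the NOTE above.
disk_mounts() (
    disk=$1 mounts=${2:-/proc/mounts} busy=1
    while read -r src mnt _rest; do
        num=${src##*[!0-9]}          # trailing digits of the source, if any
        if [ "$src" = "$disk" ] ||
           { [ -n "$num" ] && [ "$(part_dev "$disk" "$num")" = "$src" ]; }; then
            echo "$src is mounted on $mnt"
            busy=0
        fi
    done < "$mounts"
    exit "$busy"
)

# Usage in the live session, before wipefs:
#   ROOT_DISK=$(part_dev "$DISK" 3); HOME_DISK=$(part_dev "$DISK" 4)
#   if disk_mounts "$DISK"; then echo "not wiping $DISK"; fi
```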

3.2 Partition DISK

List partition type codes:

# sgdisk --list-types

Create EFI system partition:

# sgdisk -n "${EFI_PART}:1m:+300m" -t "${EFI_PART}:ef00" -c 0:esp $DISK

Create boot partition:

# sgdisk -n "${BOOT_PART}:0:+1g" -t "${BOOT_PART}:8300" -c 0:boot $DISK

Create root partition:

# sgdisk -n "${ROOT_PART}:0:+64g" -t "${ROOT_PART}:8309" -c 0:root $DISK

Create home partition:

# sgdisk -n "${HOME_PART}:0:-10m" -t "${HOME_PART}:8309" -c 0:home $DISK

Display layout:

# partprobe $DISK && sgdisk -p $DISK

4. Encryption and file systems

4.1 Encrypt root partition

NOTE: Volume is opened and mapped to /dev/mapper/root, as suggested by the Discoverable Partitions Specification.

# cryptsetup luksFormat --type luks2 -y $ROOT_DISK
# cryptsetup open $ROOT_DISK root

Set variable for root device:

# ROOT_DEV="/dev/mapper/root"

4.2 Encrypt home partition

NOTE: At boot, the system prompts for the passphrase to unlock root. systemd-ask-password caches that passphrase and tries it on home as well, prompting again only if it fails.

In short, use the same passphrase for both root and home. It saves having to enter a passphrase twice or create a keyfile. See: Why is my LUKS partition mounted without asking for a passphrase?

# cryptsetup luksFormat --type luks2 -y $HOME_DISK
# cryptsetup open $HOME_DISK home

Set variable for home device:

# HOME_DEV="/dev/mapper/home"

4.3 Create file systems

NOTE: Labels are optional, but helpful. They allow for easy mounting without a UUID.

# mkfs.vfat -n ESP $EFI_DISK
# mkfs.ext4 -L bootfs $BOOT_DISK
# mkfs.ext4 -L rootfs $ROOT_DEV
# mkfs.ext4 -L homefs $HOME_DEV

5. Install LMDE

5.1 Expert Mode

Open a new tab in the terminal. Launch the LMDE installer in expert mode:

$ sudo live-installer-expert-mode

Proceed as normal up to Installation Type. Select Manual Partitioning.

In the Partitioning window, click Expert mode.

Before continuing, we mount our target filesystems on /target.

5.2 Mount file systems

Switch back to the root terminal. Mount the previously created filesystems:

# mount --mkdir LABEL=rootfs /target
# mount --mkdir LABEL=homefs /target/home
# mount --mkdir LABEL=bootfs /target/boot
# mount --mkdir LABEL=ESP /target/boot/efi

5.3 Install

Switch back to the installer window and click Next. Proceed to Summary and confirm:

  • Home encryption: disabled (entire partition is LUKS-encrypted)
  • Install bootloader on /dev/<storage_device> (example: /dev/sda with no partition number)
  • Use already mounted /target

When satisfied, click Install.

LMDE install proceeds as per usual up to Installation paused.

Do the following before continuing the install:

5.4 Configure fstab

Set filesystems that will be mounted at boot:

# echo "LABEL=ESP     /boot/efi   vfat  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=bootfs  /boot       ext4  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=rootfs  /           ext4  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=homefs  /home       ext4  defaults  0 2" >> /target/etc/fstab

5.5 Configure crypttab

Set root and home to be opened at boot:

# echo "root PARTLABEL=root none luks,discard" >> /target/etc/crypttab
# echo "home PARTLABEL=home none luks,discard" >> /target/etc/crypttab
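
A check to run on the two files before resuming the installer, as an added example that is not part of the original post: a mistyped PARTLABEL or a doubled `>>` append only shows up at first boot otherwise. check_boot_tables is a hypothetical name; its two directory arguments are /target/etc and /dev/disk/by-partlabel in the live session.

```sh
# Added example (not from the original post); check_boot_tables is a hypothetical name.
# check_boot_tables ETC_DIR PARTLABEL_DIR
#   ETC_DIR        holds fstab and crypttab (/target/etc while the installer is paused)
#   PARTLABEL_DIR  GPT partition-name links (/dev/disk/by-partlabel)
# Prints one line per finding; exit status is 0 only when no problem was found.
check_boot_tables() (
    etc=$1 labels=$2 rc=0
    clean() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }   # drop comments, blanks

    # crypttab fields: mapping name, source device, key file, options
    while read -r name src _key opts; do
        [ -n "$name" ] || continue
        case $src in
            PARTLABEL=*)
                [ -e "$labels/${src#PARTLABEL=}" ] || {
                    echo "crypttab: $name: no partition named '${src#PARTLABEL=}'"; rc=1; } ;;
        esac
        case ",$opts," in
            *,discard,*) echo "note: $name: discard lets TRIM reveal which blocks are unused" ;;
        esac
    done <<EOF
$(clean "$etc/crypttab")
EOF

    # Running the >> appends twice, or on top of lines that are already in the
    # file, leaves duplicate entries
    dup=$(clean "$etc/crypttab" | awk '{ print $1 }' | sort | uniq -d)
    [ -z "$dup" ] || { echo "crypttab: duplicate mapping:" $dup; rc=1; }
    dup=$(clean "$etc/fstab" | awk '$2 != "none" { print $2 }' | sort | uniq -d)
    [ -z "$dup" ] || { echo "fstab: duplicate mount point:" $dup; rc=1; }

    # Mount points of the layout in 1.1
    for mp in / /boot /boot/efi /home; do
        clean "$etc/fstab" | awk -v m="$mp" '$2 == m { f = 1 } END { exit !f }' ||
            { echo "fstab: no entry for $mp"; rc=1; }
    done
    exit "$rc"
)

# Usage while the installer is paused:
#   check_boot_tables /target/etc /dev/disk/by-partlabel
```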

6. Finish up

6.1 Complete installation

Switch back to the installer window and click Next to complete installation.

When prompted "Do you want to restart your computer to use the new system?", choose No.

6.2 Unmount partitions

NOTE: /target/boot/efi and /target/boot are auto-unmounted by the installer.

# umount /target/home
# umount -l -n -R /target

6.3 Remove encrypted device mapping

# cryptsetup close home
# cryptsetup close root

Reboot system.

6.4 First boot

User is prompted for the passphrase to unlock the encrypted partition(s). Upon success, boot resumes...

Welcome to LMDE!

7. Resources

  • Create a high-speed swap device in RAM: Zram swap
  • My bash script to configure a device after a fresh install of LMDE: MintyFresh
