Install Linux Mint Debian Edition (LMDE 6) in Expert Mode
I like to create encrypted storage space to hold the contents of my home
directory that is separate from the encrypted space that contains the root
filesystem. This makes it easier if I decide to re-install Linux on the target system while preserving user data.
During an install of LMDE 6 aka "Faye" - if you select the option to automatically erase and partition the disk using LUKS (Linux Unified Key Setup) - the installer creates a single encrypted partition formatted with LVM (Logical Volume Manager) containing two "virtual partitions" (Logical Volumes or LVs): a swap
LV, and a root
LV that uses all remaining disk storage. There is no option to add a home
LV to the automatic schema.
Previously I would resize the root
LV to make room for a home LV, but in my daily use I've found LVM to be an extra layer of complexity whose benefits - such as resizing and/or creating new LVs - I never end up using. More significantly, LVM makes re-installing the OS while preserving the contents of home
much more complicated on LMDE (which again is different than how its done on the Ubuntu-based Linux Mint).
My preferred alternative: LMDE offers an expert-mode install option that is considerably more flexible in handling a custom partition layout of disk storage. I use live-installer-expert-mode
and create separate encrypted partitions for root
and home
sans LVM.
- 1. Start Here
- 2. Live Environment
- 3. Prepare DISK
- 4. Encryption and File Systems
- 5. Install LMDE
- 6. Finish Up
- 7. Resources
1. Start Here
This guide makes a few assumptions:
- Target device is
64-bit
architecture - System use UEFI to boot with GRUB as bootloader
- LMDE install media prepared on a Linux/BSD system
- LMDE is the sole OS on a single disk (example: sda)
- Network access during install uses a LMDE supported wired interface
- In lieu of creating a separate
swap
partition, after the install I configure zram swap - GPT partition table with 4 partitions:
Partition | Size | Format | Use as |
---|---|---|---|
sda1 | 300MB | vfat | EFI system partition |
sda2 | 2GB | ext4 | bootloader |
sda3 | 64GB | luks | encrypted partition (root device) |
sda4 | ->END | luks | encrypted partition (home device) |
1.1 Download install image
The latest live ISO 64bit
install images are available here: Torrents and download mirrors
Download lmde-6-cinnamon-64bit.iso
and sha256sum.txt
.
On a Linux- or BSD-based system, verify the image by running:
$ sha256sum -c --ignore-missing sha256sum.txt
1.2 Prepare USB install media
Prepare a USB storage drive as an installer using one of these two methods:
Method 1: Ventoy
I now use Ventoy to setup a USB device to be a multiboot installer. Simply copy an iso to the device, reboot, and the auto-generated menu lists all the disk images available to boot. Read more
Method 2: dd
Write the installer to an unmounted USB storage device using the dd
command as root.
WARNING
Be very careful to note the proper device. All contents on the device will be lost!
Example: On a Linux system, if a USB stick appears as sdx1
, then write the installer to sdx
(no partition number):
$ sudo dd if=/path/to/lmde-6-cinnamon-64bit.iso of=/dev/sdX bs=1M
$ sync
2. Live Environment
Insert the USB install stick into the target device and boot to desktop.
2.1 Switch to root
Open a terminal and switch to a root shell:
$ sudo -i
2.2 Confirm EFI support
# dmesg | grep -i efivars
[ 0.301784] Registered efivars operations
2.3 Define DISK variables
Identify the disk where LMDE will be installed by listing block devices:
# lsblk -f
Set DISK variables for either a SATA or NVMe device:
SATA (example: sda)
# DISK="/dev/sda"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}${EFI_PART}"
# BOOT_DISK="${DISK}${BOOT_PART}"
# ROOT_DISK="${DISK}${ROOT_PART}"
# HOME_DISK="${DISK}${HOME_PART}"
NVMe (example: nvme0n1)
# DISK="/dev/nvme0n1"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}p${EFI_PART}"
# BOOT_DISK="${DISK}p${BOOT_PART}"
# ROOT_DISK="${DISK}p${ROOT_PART}"
# HOME_DISK="${DISK}p${HOME_PART}"
3. Prepare DISK
3.1 Wipe DISK
Before creating the new partition layout, wipe the DISK:
# wipefs -af $DISK
# sgdisk --zap-all --clear $DISK
# partprobe $DISK && sgdisk -p $DISK
NOTE
If LVM was previously used on the drive, this might fail with an error such as Device or resource busy
. This is because the volume group might have gotten set up on boot. In such cases, bring it down with:
# vgchange -an
After that, wipefs -af
should work.
3.2 Partition DISK
List partition type codes:
# sgdisk --list-types
Create EFI system partition:
# sgdisk -n "${EFI_PART}:1m:+300m" -t "${EFI_PART}:ef00" -c 0:esp $DISK
Create boot partition:
# sgdisk -n "${BOOT_PART}:0:+2g" -t "${BOOT_PART}:8300" -c 0:boot $DISK
Create root partition:
# sgdisk -n "${ROOT_PART}:0:+64g" -t "${ROOT_PART}:8309" -c 0:root $DISK
Create home partition:
# sgdisk -n "${HOME_PART}:0:0" -t "${HOME_PART}:8309" -c 0:home $DISK
Display layout:
# partprobe $DISK && sgdisk -p $DISK
4. Encryption and File Systems
4.1 Encrypt root partition
NOTE
Volume is opened and mapped to /dev/mapper/root
, as suggested by the Discoverable Partitions Specification.
# cryptsetup luksFormat --type luks2 -y $ROOT_DISK
# cryptsetup open $ROOT_DISK root
Set variable for root device:
# ROOT_DEV="/dev/mapper/root"
4.2 Encrypt home partition
At boot, the system prompts for the passphrase to unlock root
and systemd-ask-password
caches the passphrase, and will use it to try and unlock home
, only prompting for a passphrase if it fails.
In short, use the same passphrase for both root
and home
. It saves having to enter a passphrase twice or create a keyfile.
Read more: Why is my LUKS partition mounted without asking for a passphrase?
# cryptsetup luksFormat --type luks2 -y $HOME_DISK
# cryptsetup open $HOME_DISK home
Set variable for home device:
# HOME_DEV="/dev/mapper/home"
4.3 Create file systems
Labels are optional, but helpful. They allow for easy mounting without a UUID:
# mkfs.vfat -n ESP $EFI_DISK
# mkfs.ext4 -L bootfs $BOOT_DISK
# mkfs.ext4 -L rootfs $ROOT_DEV
# mkfs.ext4 -L homefs $HOME_DEV
5. Install LMDE
5.1 Expert Mode
Open a new tab in the terminal. Launch the LMDE installer in -expert-mode
:
$ sudo live-installer-expert-mode
Proceed as normal up to Installation Type
. Select Manual Partitioning
.

In the Partitioning
window, click Expert mode
.
Before continuing, we mount our target filesystems on /target
.

5.2 Mount file systems
Switch back to the root terminal. Mount the previously created filesystems:
# mount --mkdir LABEL=rootfs /target
# mount --mkdir LABEL=homefs /target/home
# mount --mkdir LABEL=bootfs /target/boot
# mount --mkdir LABEL=ESP /target/boot/efi
5.3 Install
Switch back to the installer window and click Next
. Proceed to Summary
and confirm:
Home encryption: disabled
(entire partition is LUKS-encrypted)Install bootloader on /dev/<storage_device>
(example:/dev/sda
with no partition number)Use already mounted /target
When satisfied, click Install
.
LMDE install proceeds as per usual up to Installation paused
.

Do the following before continuing the install:

5.4 Configure fstab
Set filesystems that will be mounted at boot:
# echo "LABEL=ESP /boot/efi vfat defaults 0 1" >> /target/etc/fstab
# echo "LABEL=bootfs /boot ext4 defaults 0 1" >> /target/etc/fstab
# echo "LABEL=rootfs / ext4 defaults 0 1" >> /target/etc/fstab
# echo "LABEL=homefs /home ext4 defaults 0 2" >> /target/etc/fstab
5.5 Configure crypttab
Set root
and home
to be opened at boot:
# echo "root PARTLABEL=root none luks,discard" >> /target/etc/crypttab
# echo "home PARTLABEL=home none luks,discard" >> /target/etc/crypttab
6. Finish up
6.1 Complete installation
Switch back to installer window and click Next
to complete installation.
When prompted Do you want to restart your computer to use the new system?
choose No
.

6.2 Unmount partitions
NOTE
Partitions /target/boot/efi
and /target/boot
are auto-unmounted by the installer.
# umount /target/home
# umount -l -n -R /target
6.3 Remove encrypted device mapping
# cryptsetup close home
# cryptsetup close root
Reboot system.
6.4 First boot
User is prompted for the passphrase to unlock the encrypted partition(s). Upon success, boot resumes...
Welcome to LMDE!
7. Resources
- Create a high-speed swap device in RAM: Zram swap
- My bash script to configure a device after a fresh install of LMDE: MintyFresh
You can like, share, or comment on this post on Mastodon 💬
» Next: Manual NetBSD Installation with Disk Encryption
« Previous: Install NetBSD (Short and Sweet Version)