Home→Archive↴

Install Linux Mint Debian Edition (LMDE 6) in Expert Mode

Last edited on 2025-08-01 • Tagged under  #lmde   #debian   #linux   #encrypt 

I like to create encrypted storage space to hold the contents of my home directory that is separate from the encrypted space that contains the root filesystem. This makes it easier if I decide to re-install Linux on the target system while preserving user data.

During an install of LMDE 6 aka "Faye" - if you select the option to automatically erase and partition the disk using LUKS (Linux Unified Key Setup) - the installer creates a single encrypted partition formatted with LVM (Logical Volume Manager) containing two "virtual partitions" (Logical Volumes or LVs): a swap LV, and a root LV that uses all remaining disk storage. There is no option to add a home LV to the automatic schema.

Previously I would resize the root LV to make room for a home LV, but in my daily use I've found LVM to be an extra layer of complexity whose benefits - such as resizing and/or creating new LVs - I never end up using. More significantly, LVM makes re-installing the OS while preserving the contents of home much more complicated on LMDE (which again is different than how its done on the Ubuntu-based Linux Mint).

My preferred alternative: LMDE offers an expert-mode install option that is considerably more flexible in handling a custom partition layout of disk storage. I use live-installer-expert-mode and create separate encrypted partitions for root and home sans LVM.

• 1. Start Here
  • 1.1 Download install image
  • 1.2 Prepare USB install media
• 2. Live Environment
  • 2.1 Switch to root
  • 2.2 Confirm EFI support
  • 2.3 Define DISK variables
• 3. Prepare DISK
  • 3.1 Wipe DISK
  • 3.2 Partition DISK
• 4. Encryption and File Systems
  • 4.1 Encrypt root partition
  • 4.2 Encrypt home partition
  • 4.3 Create file systems
• 5. Install LMDE
  • 5.1 Expert mode
  • 5.2 Mount file systems
  • 5.3 Install
  • 5.4 Configure fstab
  • 5.5 Configure crypttab
• 6. Finish Up
  • 6.1 Complete installation
  • 6.2 Unmount partitions
  • 6.3 Remove encrypted device mapping
  • 6.4 First Boot
• 7. Resources

1. Start Here

This guide makes a few assumptions:

• Target device is 64-bit architecture
• System use UEFI to boot with GRUB as bootloader
• LMDE install media prepared on a Linux/BSD system
• LMDE is the sole OS on a single disk (example: sda)
• Network access during install uses a LMDE supported wired interface
• In lieu of creating a separate swap partition, after the install I configure zram swap
• GPT partition table with 4 partitions:

1.1 Download install image

The latest live ISO 64bit install images are available here: Torrents and download mirrors Download lmde-6-cinnamon-64bit.iso and sha256sum.txt.

On a Linux- or BSD-based system, verify the image by running:

$ sha256sum -c --ignore-missing sha256sum.txt

1.2 Prepare USB install media

Prepare a USB storage drive as an installer using one of these two methods:

Method 1: Ventoy

I now use Ventoy to setup a USB device to be a multiboot installer. Simply copy an iso to the device, reboot, and the auto-generated menu lists all the disk images available to boot. Read more

Method 2: dd

Write the installer to an unmounted USB storage device using the dd command as root.

WARNING
Be very careful to note the proper device. All contents on the device will be lost!

Example: On a Linux system, if a USB stick appears as sdx1, then write the installer to sdx (no partition number):

$ sudo dd if=/path/to/lmde-6-cinnamon-64bit.iso of=/dev/sdX bs=1M
$ sync

2. Live Environment

Insert the USB install stick into the target device and boot to desktop.

2.1 Switch to root

Open a terminal and switch to a root shell:

$ sudo -i

2.2 Confirm EFI support

# dmesg | grep -i efivars
[    0.301784] Registered efivars operations

2.3 Define DISK variables

Identify the disk where LMDE will be installed by listing block devices:

# lsblk -f

Set DISK variables for either a SATA or NVMe device:

SATA (example: sda)

# DISK="/dev/sda"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}${EFI_PART}"
# BOOT_DISK="${DISK}${BOOT_PART}"
# ROOT_DISK="${DISK}${ROOT_PART}"
# HOME_DISK="${DISK}${HOME_PART}"

NVMe (example: nvme0n1)

# DISK="/dev/nvme0n1"
# EFI_PART="1"
# BOOT_PART="2"
# ROOT_PART="3"
# HOME_PART="4"
# EFI_DISK="${DISK}p${EFI_PART}"
# BOOT_DISK="${DISK}p${BOOT_PART}"
# ROOT_DISK="${DISK}p${ROOT_PART}"
# HOME_DISK="${DISK}p${HOME_PART}"

3. Prepare DISK

3.1 Wipe DISK

Before creating the new partition layout, wipe the DISK:

# wipefs -af $DISK
# sgdisk --zap-all --clear $DISK
# partprobe $DISK && sgdisk -p $DISK

NOTE
If LVM was previously used on the drive, this might fail with an error such as Device or resource busy. This is because the volume group might have gotten set up on boot. In such cases, bring it down with:

# vgchange -an

After that, wipefs -af should work.

3.2 Partition DISK

List partition type codes:

# sgdisk --list-types

Create EFI system partition:

# sgdisk -n "${EFI_PART}:1m:+300m" -t "${EFI_PART}:ef00" -c 0:esp $DISK

Create boot partition:

# sgdisk -n "${BOOT_PART}:0:+2g" -t "${BOOT_PART}:8300" -c 0:boot $DISK

Create root partition:

# sgdisk -n "${ROOT_PART}:0:+64g" -t "${ROOT_PART}:8309" -c 0:root $DISK

Create home partition:

# sgdisk -n "${HOME_PART}:0:0" -t "${HOME_PART}:8309" -c 0:home $DISK

Display layout:

# partprobe $DISK && sgdisk -p $DISK

4. Encryption and File Systems

4.1 Encrypt root partition

NOTE
Volume is opened and mapped to /dev/mapper/root, as suggested by the Discoverable Partitions Specification.

# cryptsetup luksFormat --type luks2 -y $ROOT_DISK
# cryptsetup open $ROOT_DISK root

Set variable for root device:

# ROOT_DEV="/dev/mapper/root"

4.2 Encrypt home partition

At boot, the system prompts for the passphrase to unlock root and systemd-ask-password caches the passphrase, and will use it to try and unlock home, only prompting for a passphrase if it fails.

In short, use the same passphrase for both root and home. It saves having to enter a passphrase twice or create a keyfile.

Read more: Why is my LUKS partition mounted without asking for a passphrase?

# cryptsetup luksFormat --type luks2 -y $HOME_DISK
# cryptsetup open $HOME_DISK home

Set variable for home device:

# HOME_DEV="/dev/mapper/home"

4.3 Create file systems

Labels are optional, but helpful. They allow for easy mounting without a UUID:

# mkfs.vfat -n ESP $EFI_DISK
# mkfs.ext4 -L bootfs $BOOT_DISK
# mkfs.ext4 -L rootfs $ROOT_DEV
# mkfs.ext4 -L homefs $HOME_DEV

5. Install LMDE

5.1 Expert Mode

Open a new tab in the terminal. Launch the LMDE installer in -expert-mode:

$ sudo live-installer-expert-mode

Proceed as normal up to Installation Type. Select Manual Partitioning.

In the Partitioning window, click Expert mode.

Before continuing, we mount our target filesystems on /target.

5.2 Mount file systems

Switch back to the root terminal. Mount the previously created filesystems:

# mount --mkdir LABEL=rootfs /target
# mount --mkdir LABEL=homefs /target/home
# mount --mkdir LABEL=bootfs /target/boot
# mount --mkdir LABEL=ESP /target/boot/efi

5.3 Install

Switch back to the installer window and click Next. Proceed to Summary and confirm:

• Home encryption: disabled (entire partition is LUKS-encrypted)
• Install bootloader on /dev/<storage_device> (example: /dev/sda with no partition number)
• Use already mounted /target

When satisfied, click Install.

LMDE install proceeds as per usual up to Installation paused.

Do the following before continuing the install:

5.4 Configure fstab

Set filesystems that will be mounted at boot:

# echo "LABEL=ESP     /boot/efi   vfat  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=bootfs  /boot       ext4  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=rootfs  /           ext4  defaults  0 1" >> /target/etc/fstab
# echo "LABEL=homefs  /home       ext4  defaults  0 2" >> /target/etc/fstab

5.5 Configure crypttab

Set root and home to be opened at boot:

# echo "root PARTLABEL=root none luks,discard" >> /target/etc/crypttab
# echo "home PARTLABEL=home none luks,discard" >> /target/etc/crypttab

6. Finish up

6.1 Complete installation

Switch back to installer window and click Next to complete installation.

When prompted Do you want to restart your computer to use the new system? choose No.

6.2 Unmount partitions

NOTE
Partitions /target/boot/efi and /target/boot are auto-unmounted by the installer.

# umount /target/home
# umount -l -n -R /target

6.3 Remove encrypted device mapping

# cryptsetup close home
# cryptsetup close root

Reboot system.

6.4 First boot

User is prompted for the passphrase to unlock the encrypted partition(s). Upon success, boot resumes...

Welcome to LMDE!

7. Resources

• Create a high-speed swap device in RAM: Zram swap
• My bash script to configure a device after a fresh install of LMDE: MintyFresh

You can like, share, or comment on this post on Mastodon 💬

» Next: Manual NetBSD Installation with Disk Encryption

« Previous: Install NetBSD (Short and Sweet Version)