Install Linux Mint Debian Edition (LMDE 6) in Expert Mode

Last edited on 2024-04-29. Tagged under #lmde #debian #linux #luks

Linux Mint Debian Edition

I like to create encrypted storage space to hold the contents of my home directory that is separate from the space that contains the root filesystem. This makes it easier if I decide to re-install Linux on the target system while preserving user data.

During an install of LMDE 6 "Faye" - if you select the option to automatically erase and partition the disk using LUKS (Linux Unified Key Setup) - the installer creates a single encrypted partition formatted with LVM (Logical Volume Manager) containing two "virtual partitions" (Logical Volumes or LVs): a swap LV, and a root LV that uses all remaining disk storage. There is no option to add a home LV to the automatic schema.

Previously I would resize the root LV to make room for a home LV, but personally I find LVM to be an extra layer of complexity whose benefits - such as resizing and/or creating new LVs - I never end up using. More significantly, LVM makes re-installing the OS while preserving the contents of /home much more complicated on LMDE (which, again, is different from how it's done on the Ubuntu-based Linux Mint).

My preferred alternative: LMDE offers an expert-mode install option that is considerably more flexible in handling a custom partition layout of disk storage. I use the live-installer-expert-mode and create separate LUKS-encrypted partitions for root and home sans LVM.

Setup

  • LMDE is the sole OS on a single disk (example: sda)
  • UEFI boot using GRUB as bootloader
  • GPT partition table with 4 partitions:
    • Partition 1: /dev/sda1
      • Mount: /boot/efi; Size: 256MB; Format: vfat; Use as: EFI system partition
    • Partition 2: /dev/sda2
      • Mount: /boot; Size: 1GB; Format: ext4; Use as: bootloader
    • Partition 3: /dev/sda3
      • Mount: (root); Size: 32GB; Format: luks; Use as: encrypted partition
        • Device: /dev/mapper/root
          • Mount: /; Format: ext4; Use as: root device
    • Partition 4: /dev/sda4
      • Mount: (home); Size: ->END; Format: luks; Use as: encrypted partition
        • Device: /dev/mapper/home
          • Mount: /home; Format: ext4; Use as: home device
  • In lieu of creating a separate swap partition or using a swapfile, post-install I set up zram swap.

This is how I do it ...

1. Boot and switch to root

Connect LMDE install media to the computer and boot to desktop. Open a terminal and switch to root user:

mint@mint:~$ sudo -i
root@mint:~#

2. Verify boot mode

NOTE: Partition layout for a BIOS boot would be different than what is outlined below. Adjust accordingly.

Verify the system is using UEFI to boot:

root@mint:~# dmesg | grep -i efivars
[    0.301784] Registered efivars operations

3. Define DISK variables

Identify the disk where LMDE will be installed by running lsblk.

Set disk variables for either a SATA or NVMe disk:

SATA (example: sda)

root@mint:~# export DISK="/dev/sda"
root@mint:~# export EFI_PART="1"
root@mint:~# export BOOT_PART="2"
root@mint:~# export ROOT_PART="3"
root@mint:~# export HOME_PART="4"
root@mint:~# export EFI_DISK="${DISK}${EFI_PART}"
root@mint:~# export BOOT_DISK="${DISK}${BOOT_PART}"
root@mint:~# export ROOT_DISK="${DISK}${ROOT_PART}"
root@mint:~# export HOME_DISK="${DISK}${HOME_PART}"

NVMe (example: nvme0n1)

root@mint:~# export DISK="/dev/nvme0n1"
root@mint:~# export EFI_PART="1"
root@mint:~# export BOOT_PART="2"
root@mint:~# export ROOT_PART="3"
root@mint:~# export HOME_PART="4"
root@mint:~# export EFI_DISK="${DISK}p${EFI_PART}"
root@mint:~# export BOOT_DISK="${DISK}p${BOOT_PART}"
root@mint:~# export ROOT_DISK="${DISK}p${ROOT_PART}"
root@mint:~# export HOME_DISK="${DISK}p${HOME_PART}"

4. Wipe DISK

Wipe old partition layout:

root@mint:~# wipefs -af $DISK
root@mint:~# sgdisk --zap-all --clear $DISK
root@mint:~# partprobe $DISK

NOTE: If LVM was previously used on the drive, this might fail with an error such as Device or resource busy. This is because the volume group might have gotten set up on boot. In such cases, bring it down with:

root@mint:~# vgchange -an

After that, wipefs -af should work.

5. Partition DISK

List partition type codes:

root@mint:~# sgdisk --list-types

Create the EFI system partition:

root@mint:~# sgdisk -n "${EFI_PART}:1m:+256m" -t "${EFI_PART}:ef00" -c 0:esp $DISK

Create the boot partition:

root@mint:~# sgdisk -n "${BOOT_PART}:0:+1g" -t "${BOOT_PART}:8300" -c 0:boot $DISK

Create the root partition:

root@mint:~# sgdisk -n "${ROOT_PART}:0:+32g" -t "${ROOT_PART}:8309" -c 0:root $DISK

Create the home partition (remaining disk space):

root@mint:~# sgdisk -n "${HOME_PART}:0:-10m" -t "${HOME_PART}:8309" -c 0:home $DISK

Show partitions:

root@mint:~# partprobe $DISK && sgdisk -p $DISK

See: Managing partitions with sgdisk

6. Encrypt root partition

NOTE: The volume is opened and mapped to /dev/mapper/root, as suggested by the Discoverable Partitions Specification.

root@mint:~# cryptsetup luksFormat --type luks2 --verify-passphrase --verbose $ROOT_DISK
root@mint:~# cryptsetup open $ROOT_DISK root

Set variable for the root device:

root@mint:~# export ROOT_DEV="/dev/mapper/root"

7. Encrypt home partition

NOTE: At boot, the system prompts for the passphrase to unlock root. systemd-ask-password caches that passphrase and tries it on home as well, prompting again only if it fails.

In short, use the same passphrase for both root and home. It saves having to enter a passphrase twice or create a keyfile.

See: Why is my LUKS partition mounted without asking for a passphrase?

root@mint:~# cryptsetup luksFormat --type luks2 --verify-passphrase --verbose $HOME_DISK
root@mint:~# cryptsetup open $HOME_DISK home

Set variable for the home device:

root@mint:~# export HOME_DEV="/dev/mapper/home"

8. Create filesystems

The labels are optional, but helpful. They allow for easy mounting without a UUID:

root@mint:~# mkfs.vfat -n ESP $EFI_DISK
root@mint:~# mkfs.ext4 -L bootfs $BOOT_DISK
root@mint:~# mkfs.ext4 -L rootfs $ROOT_DEV
root@mint:~# mkfs.ext4 -L homefs $HOME_DEV

9. Expert Mode

Open a new tab in the terminal. Launch the LMDE installer in expert-mode:

mint@mint:~$ sudo live-installer-expert-mode

Proceed as normal up to Installation Type. Select Manual Partitioning.

In the Partitioning window, click Expert mode.

Before continuing, we mount our target filesystems on /target.

10. Mount filesystems

Switch back to the root terminal. Mount the previously created filesystems:

root@mint:~# mount --mkdir LABEL=rootfs /target
root@mint:~# mount --mkdir LABEL=homefs /target/home
root@mint:~# mount --mkdir LABEL=bootfs /target/boot
root@mint:~# mount --mkdir LABEL=ESP /target/boot/efi

Confirm the filesystems are properly mounted by running df.

11. Install

Switch back to the installer window and click Next. Proceed to Summary and confirm:

  • Home encryption: disabled (entire partition is LUKS-encrypted)
  • Install bootloader on /dev/<storage_device> (example: /dev/sda with no partition number)
  • Use already mounted /target

When satisfied, click Install.

LMDE install proceeds as per usual up to Installation paused.

Do the following before continuing the install:

12. Configure fstab

Set filesystems that will be mounted at boot:

root@mint:~# echo "UUID=$(blkid -s UUID -o value $ROOT_DEV)  /  ext4  defaults  0 1" >> /target/etc/fstab
root@mint:~# echo "UUID=$(blkid -s UUID -o value $HOME_DEV)  /home  ext4  defaults  0 2" >> /target/etc/fstab
root@mint:~# echo "UUID=$(blkid -s UUID -o value $BOOT_DISK)  /boot  ext4  defaults  0 1" >> /target/etc/fstab
root@mint:~# echo "UUID=$(blkid -s UUID -o value $EFI_DISK)  /boot/efi  vfat  defaults  0 1" >> /target/etc/fstab

13. Configure crypttab

Set root and home to be opened at boot:

root@mint:~# echo "root UUID=$(blkid -s UUID -o value $ROOT_DISK) none luks,discard" >> /target/etc/crypttab
root@mint:~# echo "home UUID=$(blkid -s UUID -o value $HOME_DISK) none luks,discard" >> /target/etc/crypttab
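
A check worth running before clicking Next in step 14, as an added example that is not part of the original post: it flags duplicate entries (the `>>` appends are not idempotent), empty or malformed UUIDs, and an fstab entry that reuses a LUKS container UUID. The function names and sample UUIDs are constructed; on the live system the arguments would be /target/etc/fstab and /target/etc/crypttab.

```shell
# Added example (not from the original post); all UUIDs below are constructed.
# check_tab FILE KIND (KIND: fstab|crypttab): print problems, return their count.
check_tab() {
  awk -v kind="$2" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { # fstab: source mountpoint ...   crypttab: name source key options
      src = (kind == "crypttab") ? $2 : $1
      id  = (kind == "crypttab") ? $1 : $2
      if (seen[id]++) { print kind ": duplicate entry for " id; bad++ }
      u = substr(src, 6)     # ext4/LUKS UUIDs: 36 chars; vfat volume IDs: 9
      if (src ~ /^UUID=/ && (u !~ /^[0-9A-Fa-f-]+$/ || (length(u) != 36 && length(u) != 9))) {
        print kind ": empty or malformed UUID for " id; bad++ }
    }
    END { exit bad + 0 }' "$1"
}

# shared_uuids FSTAB CRYPTTAB: crypttab must name the LUKS container ($ROOT_DISK)
# and fstab the filesystem inside the mapping ($ROOT_DEV), so no UUID may repeat.
shared_uuids() {
  awk '
    /^[ \t]*(#|$)/ { next }
    FNR == NR { if ($2 ~ /^UUID=./) luks[substr($2, 6)] = $1; next }  # crypttab
    $1 ~ /^UUID=./ && (substr($1, 6) in luks) {
      print "fstab: " $2 " uses the LUKS container UUID of " luks[substr($1, 6)]; n++ }
    END { exit n + 0 }' "$2" "$1"
}

# check_install FSTAB CRYPTTAB: run every check, return the total problem count.
check_install() {
  problems=0
  check_tab "$1" fstab    || problems=$((problems + $?))
  check_tab "$2" crypttab || problems=$((problems + $?))
  shared_uuids "$1" "$2"  || problems=$((problems + $?))
  return "$problems"
}

# Constructed sample: what steps 12-13 should leave behind.
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
UUID=11111111-1111-4111-8111-111111111111  /  ext4  defaults  0 1
UUID=22222222-2222-4222-8222-222222222222  /home  ext4  defaults  0 2
UUID=55555555-5555-4555-8555-555555555555  /boot  ext4  defaults  0 1
UUID=ABCD-1234  /boot/efi  vfat  defaults  0 1
EOF
cat > "$demo/crypttab" <<'EOF'
root UUID=33333333-3333-4333-8333-333333333333 none luks,discard
home UUID=44444444-4444-4444-8444-444444444444 none luks,discard
EOF
check_install "$demo/fstab" "$demo/crypttab" && echo "fstab and crypttab look consistent"
```

A non-zero return value is the number of problems found; each one is printed with the file kind and the affected entry.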

14. Finish install

Switch back to the installer window and click Next to complete installation.

When prompted "Do you want to restart your computer to use the new system?", choose No.

Unmount partitions (/target/boot/efi and /target/boot are auto-unmounted by the installer):

root@mint:~# umount /target/home
root@mint:~# umount /target

Remove the encrypted device mappings:

root@mint:~# cryptsetup close home
root@mint:~# cryptsetup close root

Done! Reboot and enjoy.
