Install LinuxMint totally LUKS encrypted, with LVMs of root, swap (and optionally data)

  3 years ago

This tutorial shows how to install Linux Mint Debian Edition (201403), or Linux Mint Debian Edition version 2 (201503 or 201701), or regular Linux Mint 17.1, 17.2, 17.3 or 18, 18.1, 18.2, 18.3, 19, 19.1, either i686 or amd64, whether with MSDOS or GPT partitions, UEFI or not. The result is:

A fully LUKS encrypted system, with LVM2 volumes of root, swap and (optionally: data) with optional boot partition (with optional boot-from-iso-file too).


1. Boot the Live environment

2. Open the Terminal (Menu, Terminal or Ctrl-Alt-T) and enter:

sudo -i

3. If needed, adapt the SETTINGS section:

nano lmdescrypt

4. Make sure all partitions in the SETTINGS section exist

For example, (re)partitioning the drive like this
(erasing all, taking up all space):

swapoff -a  # unmount all automounted swap partitions
sgdisk -Zon1::+2M -t1:ef02 -c1:BIOS -n 2::-0 -t2:8e00 -c2:X -g /dev/sda


# For a UEFI setup instead, this example works:
sgdisk -Zon1::+260M -t1:ef00 -c1:EFI -n2::-0 -t2:8e00 -c2:X -g /dev/sda

This is giving almost the whole drive to the encrypted lvm2

5. Start the script:

source lmdescrypt

6. Answer the questions as they come up:

  • set password for encryption

Then all the preparations have happened:

  • set password for user
  • set timezone
  • configure keyboard

And that's it!

Installing into a pre-existing environment

  • Using a pre-existing boot-partition, LUKS partition and LVM Logical Volumes is entirely supported.
  • Not having a separate boot partition is also supported: total encryption!
  • Multiple booting with other OSes also works out of the box.
  • MBR, GPT partition tables and UEFI work according to configuration.
Trapper333 4 years ago

You've been busy. :) I see that lmdescrypt v0.988 to include 19 & lmde3 is now available. Thank you very much.

Trapper333 4 years ago

I am having difficulty finding lmdescrypt v0.987. The links provided above link to 0.986. Also, 0.986 will install LMDE 3 but not properly. Most things seem to work properly but other things just don't work right. A biggie being gnome-terminal.

Pepas 4 years ago

The new lmdescrypt v0.987 supports LM19 even better!

Trapper333 4 years ago

Actually I was able to install LM19 beta with lmdescrypt v0.986 today.

Trapper333 4 years ago

Itching for lmdescrypt support for the upcoming LM 19. :)

Pepas 4 years ago

Sorry zeina, I don't get notifications of comments here, I just saw yours.
I have never had a problem like you describe with the terminal not opening. If it still occurs in more recent versions I should look into it more.

1. To get an encrypted /home partition, set the data-partition accordingly: data_label=home, set data_size to the desired size, set data_fs to the desired filesystem.
2. To have no swap partition: set swap_size= (empty) and after the install is finished, set up a swap file on the newly installed system.
3. To have /boot encrypted too: set boot_part= (empty). There is little sense to have a separate encrypted boot partition (with a separate password). You could leave some space on the encrypted partition and after the install make a separate boot logical partition, but again, what do you gain by that?

zeina 5 years ago

Hi, when I install LM 18.1 via your routine (in a VM) I cant open a terminal. When I click on the terminal icon, my mouse pointer turns into the loading clock icon for a couple of secs and then just nothing happens. When I install LM without encryption the terminal works.

Furthermore I have 3 questions:

1. I want to have a seperate encrypted home partition. How do I have to modify your script?
2. Is it possible to install without a swap partition and use a swap file instead?
3. How do I have to modify your script to encrypt /boot too?

Pepas 5 years ago

Added the option to include the iso as a file on the boot partition that can be booted from for rescue/reinstall purposes.

Pepas 6 years ago

Refactored to use the script in an interactive session only, so it needs to be sourced, not run. The variables and functions are then available in the same session, which can be helpful.

Pepas 6 years ago

With Linux Mint 18 support, I added total encryption (boot doesn't have to be separate).

Trapper333 6 years ago

Thanks for posting this Pepas!

remoulder 6 years ago

Self promotional - all that is needed is a link to the original page