16 February 2016

Installation of encrypted dual boot system with Linux Mint KDE and LMDE

Update: Part 1, the manual installation with encrypted LVM on a part of the hard disk, was also tested with Linux Mint 18 and Kubuntu 16.04. - December 2016

---

This is a guide to installing, encrypting and setting up the bootloader for two Linux systems, using Linux Mint 17 KDE as the main system and LMDE (Linux Mint Debian Edition) as the secondary system. The setup is BIOS / Legacy, without (U)EFI; the firmware of the machine should be set to legacy boot.

It also works with EFI, but that is a different procedure. Here I stick to the BIOS / Legacy setup.

Tested with Linux Mint 17.3 KDE and LMDE 2 Cinnamon. Both systems are encrypted with LUKS (Linux Unified Key Setup). When the computer starts, a boot menu is shown; the selected OS asks for its passphrase, unlocks its container and boots.

Each system needs its own unencrypted boot partition plus one partition that holds the encrypted system. Note what this protects: the LUKS containers keep the data confidential when the machine is off or the disk is removed, but the kernel and initramfs on the unencrypted /boot partitions are not protected against modification by someone with physical access.

Any data on the hard disk is erased by the formatting. I used an empty hard drive for the installation.

With an MBR partition table only four primary partitions are possible, so an extended partition would make sense; I installed the two systems on four primary partitions to keep things simple. The partition device names (sda1 ... sda4) must be adjusted to your own system.

1. Install encrypted Linux Mint KDE

Preparations

Create a bootable USB stick or DVD from the downloaded ISO file and start the Linux Mint KDE live system.

If you use a non-US keyboard layout, set it in the live system before typing the passphrase: the password entry is not echoed, and with a wrong layout you would set a different passphrase than you think and not notice until the first boot.

In the menu under Applications → Settings → System Settings → Input Devices → Keyboard layouts → Configure Layouts add your language. You can switch the layout in the panel.

Create Partitions

First the partitions are created. GParted is in the Menu → System → GParted; in the KDE live system it is not preinstalled, so install it from a terminal with

sudo apt-get install gparted

First create the boot partition of the main system, about 200-300MB. If you do not want to remove old kernels after every update, make it larger.

Right-click the unallocated space and select 'New'. The file system is ext4, alignment to MiB (the default), label '/boot'.

Create a second partition for the whole system in the desired size, also ext4 (the file system does not matter here, the partition is overwritten by LUKS in the next step). Click the tick to apply the operations. Leave enough unallocated space on the drive for the second system.

Now sda1 exists as the boot partition and sda2 as the partition for the encrypted LVM, which will hold the rest of the system.

Close GParted.

Encrypt partition and set up LVM

To get root access, type

sudo -s

in the terminal. Then encrypt the partition sda2:

cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sda2

Confirm with YES (in upper case) and enter a passphrase; the input is not echoed, so type it carefully both times. The options: aes-xts-plain64 is the cipher, -s 512 is the XTS key size, i.e. AES-256 (XTS splits it into two 256-bit keys), and -h sha512 is the hash used for the key derivation in the key slots.

Open the encrypted partition under the mapper name crypto-minty and create the LVM Physical Volume on it:

cryptsetup luksOpen /dev/sda2 crypto-minty
pvcreate --dataalignment 1024k /dev/mapper/crypto-minty

The second command creates the Physical Volume; --dataalignment 1024k aligns the data area for an SSD.

vgcreate mintygroup /dev/mapper/crypto-minty

will create a Volume Group with the name 'mintygroup'.

Then the Logical Volumes are created: the 'partitions' for swap, root and home inside the Volume Group mintygroup, sizes in MiB.

lvcreate -L 4096M -n swap mintygroup   # about the size of RAM, or a bit more if you want suspend to disk
lvcreate -L 15360M -n root mintygroup  # about 15-20GB
lvcreate -l 100%FREE -n home mintygroup

Create the file systems in the Logical Volumes.

mkswap -L swap /dev/mapper/mintygroup-swap
mkfs.ext4 -L root /dev/mapper/mintygroup-root
mkfs.ext4 -L home /dev/mapper/mintygroup-home

Install Linux Mint KDE in LVM

The OS is installed into the LVM. Leave the terminal open. Start the installer and proceed to the step 'Installation type'. Select the manual option ('Something else' in the English installer) and continue.

The Logical Volumes are listed. Select the partitions one after the other and click 'Change': /dev/mapper/mintygroup-root, /dev/mapper/mintygroup-home and /dev/sda1, the boot partition.

Format each with ext4 and give it a mount point: /boot for the boot partition /dev/sda1, / for /dev/mapper/mintygroup-root and /home for /dev/mapper/mintygroup-home. Select /dev/mapper/mintygroup-swap as swap area if it is not picked up automatically.

The device for the boot loader installation is /dev/sda.

Then install the OS. At the step 'Who are you?' do not tick 'Encrypt my home folder'; the whole LVM is already encrypted. IMPORTANT: after the installation do not restart, choose 'Continue testing' instead.

Change into the new system to make some adjustments

Mount the newly installed system and change with 'chroot' into it.

mount /dev/mapper/mintygroup-root /mnt
mount /dev/mapper/mintygroup-home /mnt/home
mount /dev/sda1 /mnt/boot
mount -o rbind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
cp /etc/resolv.conf /mnt/etc/resolv.conf
chroot /mnt /bin/bash 

You are now inside the new system as root. The UUID of the encrypted partition must be registered in /etc/crypttab, otherwise the initramfs cannot find the container at boot.

blkid /dev/sda2

shows the UUID.

lsblk -o NAME,UUID,FSTYPE,SIZE,LABEL,MOUNTPOINT 

lists the whole system.

Add a line to /etc/crypttab with the mapper name (use the same name you gave to luksOpen above; lsblk shows it as the LVM2_member child of sda2) and the UUID of the crypto_LUKS device /dev/sda2. For this example:

echo "crypto-minty UUID=<UUID of /dev/sda2> none luks" >> /etc/crypttab

Then rebuild the initramfs for all installed kernels so that the cryptsetup hook and the crypttab entry are included:

update-initramfs -u -k all

Check the output for cryptsetup warnings, then leave the chroot:

exit

Now the computer can be shut down and the new system started.
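The crypttab step is where a copy-and-paste error turns into an unbootable system, so it is worth checking mechanically. The following script is an added example and not part of the original post: it pulls the LUKS UUID out of blkid output, refuses anything that is not a crypto_LUKS device or not a well-formed UUID, builds the crypttab line for the mapper name used above (crypto-minty), and checks an existing crypttab file against blkid output. The blkid lines it runs on are constructed sample data; on a real system feed it the output of blkid and the new system's /etc/crypttab.

```sh
#!/bin/sh
# Added example, not from the original post. Builds and verifies the
# /etc/crypttab entry for the LUKS container. Mapper name (crypto-minty) and
# device (/dev/sda2) follow the text; the blkid output below is constructed.

# Print the UUID from one line of blkid output, but only if that line
# describes a crypto_LUKS device. Returns 1 otherwise.
luks_uuid_from_blkid() {
    case $1 in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    # The blank before UUID= keeps PARTUUID= from matching.
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# Strict format check so that a truncated or mistyped UUID is rejected.
is_uuid() {
    printf '%s\n' "$1" |
      grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Build the crypttab line: <mapper name> UUID=<LUKS UUID> none luks
crypttab_entry() {
    is_uuid "$2" || return 1
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Check every UUID= source in a crypttab file against blkid output.
# $1: crypttab file, $2: file holding `blkid` output. Returns 1 on any mismatch.
crypttab_check() {
    status=0
    while read -r name source rest; do
        case $name in ''|'#'*) continue ;; esac
        uuid=${source#UUID=}
        if [ "$uuid" = "$source" ]; then
            echo "$name: not referenced by UUID, skipped" >&2
            continue
        fi
        if ! is_uuid "$uuid"; then
            echo "$name: malformed UUID '$uuid'" >&2
            status=1
            continue
        fi
        if grep "[[:space:]]UUID=\"$uuid\"" "$2" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "$name: UUID $uuid is a LUKS device, ok"
        else
            echo "$name: UUID $uuid is not a LUKS device in blkid output" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# --- demonstration on constructed sample data ---------------------------
tmp=$(mktemp -d)
cat > "$tmp/blkid.txt" <<'EOF'
/dev/sda1: LABEL="/boot" UUID="8f0c3b0e-7a6c-4d1b-9b0b-2e6b1c1d0a11" TYPE="ext4" PARTUUID="5d2f1c9a-01"
/dev/sda2: UUID="c1a5e1f2-3b4d-4e5f-8a9b-0c1d2e3f4a5b" TYPE="crypto_LUKS" PARTUUID="5d2f1c9a-02"
/dev/mapper/crypto-minty: UUID="kQ3v2P-8Zb1-dXe9-7Hn2-Lm4k-Rt6s-Vw8y0A" TYPE="LVM2_member"
EOF

uuid=$(luks_uuid_from_blkid "$(grep '^/dev/sda2:' "$tmp/blkid.txt")")
crypttab_entry crypto-minty "$uuid" > "$tmp/crypttab"
cat "$tmp/crypttab"   # crypto-minty UUID=c1a5e1f2-3b4d-4e5f-8a9b-0c1d2e3f4a5b none luks
crypttab_check "$tmp/crypttab" "$tmp/blkid.txt"
rm -rf "$tmp"
```

On the real system, run it inside the chroot after the echo above: `blkid > /tmp/blkid.txt` and then `crypttab_check /etc/crypttab /tmp/blkid.txt`; a non-zero exit means the UUID in crypttab does not belong to a LUKS device and the initramfs would not find the container.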

2. Install encrypted LMDE Cinnamon

Preparations

Start the second live system with USB or DVD. The keyboard layout can be adjusted under Menu → Preferences → Keyboard → Keyboard layouts. Add your language with the plus button. The language can be switched in the panel.

Create partitions

Under Menu → Administration → GParted start the program and create two partitions as above, one for /boot, and one for the system.

Download script to create encryption and to adjust the system

The LMDE installer does not support encryption, so LMDE is installed with the help of a script instead.

Type in the terminal

wget j.mp/lmdescrypt

Make the script executable with

chmod +x lmdescrypt

The file is in the home folder and can be opened in a text editor with right click → Open → Display. Read through it before running it: it comes from a URL shortener and will run as root, so make sure it matches the script in the GitHub repository linked under References. Then adjust the partition device names:

boot_part=/dev/sda3
crypt_part=/dev/sda4

The rest can be edited according to your needs, e.g.:

crypt_label=debbiegroup
data_label=home
root_size=15360M
swap_size=4096M
boot_format=ext4

IMPORTANT: the device for the boot loader installation is /dev/sda3, the boot partition of the second system, not /dev/sda. Writing it to /dev/sda would overwrite the MBR bootloader of the first system. The same applies if a second OS is installed with a normal installer: under 'Prepare partitions' choose the partition, not the disk, in the drop-down list 'Device for boot loader installation'.

grub_device=/dev/sda3

then adjust username and hostname, and save the file.

Type in the terminal

sudo ./lmdescrypt

to run the script. At the beginning you are asked for the LUKS passphrase.

After the files have been copied, set the UNIX password of the user. Navigate in the terminal with the arrow and enter keys.

The script is convenient: it does the adjustments from part 1 itself, so there is no need to chroot into the system afterwards. It ends with 'Ready for reboot!'.

The language packages must be installed later in the system settings.

3. Configure bootloader

Reboot. At first only Linux Mint KDE starts, because the LMDE bootloader was not written to the MBR but to /dev/sda3. The LMDE entry has to be added to the boot menu of Linux Mint KDE; Mint's GRUB then loads the LMDE kernel and initramfs directly from the LMDE /boot partition (it does not chainload a second bootloader).

Overview: GRUB must be adjusted. The generated config file is /boot/grub/grub.cfg; do not edit it by hand. Your own settings go into /etc/default/grub and the scripts in /etc/grub.d. After a

sudo update-grub

the file /boot/grub/grub.cfg is regenerated from them.

The menuentry for LMDE is added to the Linux Mint KDE file /etc/grub.d/40_custom. You find it in the LMDE system's own /boot/grub/grub.cfg.

First, mount the LMDE boot partition (/dev/sda3) in the file manager and open its grub/grub.cfg (the file /boot/grub/grub.cfg as seen from inside LMDE).

Scroll until

### BEGIN /etc/grub.d/10_linux ###

then you see the menuentry, something like e.g.:

menuentry 'LinuxMint GNU/Linux' --class linuxmint --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-0f7149da-2949-4e62-9653-3f0e3e301e1e' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos3'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos3 --hint-efi=hd0,msdos3 --hint-baremetal=ahci0,msdos3  b305bd35-9614-4ef4-9fba-b3c70d38aec0
    else
      search --no-floppy --fs-uuid --set=root b305bd35-9614-4ef4-9fba-b3c70d38aec0
    fi
    echo    'Loading Linux 3.16.0-4-amd64 ...'
    linux    /vmlinuz-3.16.0-4-amd64 root=/dev/mapper/debbiegroup-root ro  quiet splash
    echo    'Loading initial ramdisk ...'
    initrd    /initrd.img-3.16.0-4-amd64
}

Copy the menuentry to the clipboard. Open /etc/grub.d/40_custom in Linux Mint KDE with root privileges and paste the menuentry into the file. You can add the menu entries for the recovery mode and memtest as well. The name

'LinuxMint GNU/Linux'

can be edited.

Make sure that the file ends with one blank line and save it.

Edit /etc/default/grub with root privileges and comment out the hidden-timeout line so that it reads

#GRUB_HIDDEN_TIMEOUT=0

otherwise the menu is skipped at boot and the second system cannot be selected.

With a

sudo update-grub

the grub.cfg of Linux Mint KDE will be updated.

After reboot the boot menu should appear and list the menuentrys.

Later on, whenever the kernel in the second system is updated, the copied menuentry in the first system's 40_custom no longer matches: edit the kernel version in the linux and initrd lines by hand and run sudo update-grub again.
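The manual edit after every LMDE kernel update can be avoided. The following /etc/grub.d script is an added example and not from the original post or the LMDE script: instead of copying a menuentry with a fixed kernel version into 40_custom, it emits an entry that locates the LMDE /boot partition by filesystem UUID and hands control to the grub.cfg that LMDE's own update-grub maintains there. The UUID is the one from the sample menuentry above; the title and the file name 45_lmde are assumptions. Because LMDE's /boot is a separate filesystem, the path inside it is /grub/grub.cfg, not /boot/grub/grub.cfg.

```sh
#!/bin/sh
# /etc/grub.d/45_lmde -- added example, not part of the original post.
# update-grub runs every executable file in /etc/grub.d and appends what it
# prints to /boot/grub/grub.cfg. This entry boots LMDE through its own
# grub.cfg, so kernel updates in LMDE need no edit in the first system.
set -e

# Filesystem UUID of the LMDE /boot partition (/dev/sda3 in the text), taken
# from the sample menuentry above; replace it with the output of blkid /dev/sda3.
LMDE_BOOT_UUID="b305bd35-9614-4ef4-9fba-b3c70d38aec0"
LMDE_TITLE="LMDE 2 Cinnamon"   # assumed title, edit freely

# Print one menuentry for the given /boot UUID and title.
emit_lmde_entry() {
    uuid=$1
    title=$2
    cat <<EOF
menuentry '$title' --class linuxmint --class gnu-linux --class os {
    insmod part_msdos
    insmod ext2
    # find the LMDE /boot partition by UUID, whatever its device name is
    search --no-floppy --fs-uuid --set=root $uuid
    # /boot is its own filesystem, so LMDE's config lives at /grub/grub.cfg
    configfile /grub/grub.cfg
}
EOF
}

emit_lmde_entry "$LMDE_BOOT_UUID" "$LMDE_TITLE"
```

Install it with `sudo install -m 755 45_lmde /etc/grub.d/45_lmde`, remove the copied entry from 40_custom, and run sudo update-grub. Selecting the entry shows LMDE's own menu with whatever kernels LMDE currently has installed; this reads the file directly and does not depend on the core image the script wrote to the /dev/sda3 boot sector.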

Make the boot menu look beautiful

The boot menu can be beautified with a background image. Copy a JPG in the same resolution as the screen (e.g. 1366px x 768px) in the main system into the folder /boot/grub.

Edit with root privileges the file /etc/default/grub:

GRUB_BACKGROUND="/boot/grub/filename.jpg"
GRUB_GFXMODE=1366x768 # exact screen resolution
GRUB_GFXPAYLOAD_LINUX=keep

In /etc/grub.d/40_custom the font colors can be set below the menu entries, e.g.:

set color_normal="light-blue/black"
set menu_color_normal="light-cyan/black"

The format is foreground/background; 'black' as background means transparent, so the image shows through.

set color_normal: font color of title and info text
set menu_color_normal: font color of the menu entries
set menu_color_highlight: font color of the selected line
set color_highlight: colors of highlighted text outside the menu

Available colors: black, blue, green, cyan, red, magenta, brown, light-gray, dark-gray, light-blue, light-green, light-cyan, light-red, light-magenta, yellow, white.

Again end the file with one blank line and save.

After a

sudo update-grub

the background image will be shown on reboot.

Security settings

It makes sense to add a second passphrase to the container, e.g. a long recovery passphrase kept in a safe place, so that a forgotten daily passphrase does not lock you out. This is done with

sudo cryptsetup luksAddKey /dev/sda2

First enter an existing passphrase, then the new one. The occupied key slots can be listed with cryptsetup luksDump.

It is also useful to back up the LUKS header to an (encrypted) external drive, because a damaged header makes the whole container unrecoverable:

sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /Path/to/Backup-file/filename

Keep the backup as carefully as the disk itself: it contains the key slots, so anyone holding it together with a passphrase that was valid at the time of the backup can unlock the container, even after that passphrase has been removed from the disk. Make a new backup after every key slot change.

That was it, an encrypted dual boot system is ready to work with.


References:

System verschluesseln (Encrypting the system) at ubuntuusers (German)

LMDE 201303 or 201403 with luks encrypted lvm2 partitions at forums.linuxmint.com

LMDE installation script at GitHub

Grub2 Aussehen (Grub2 appearance) at ubuntuusers (German)
