Installation of encrypted dual boot system with Linux Mint KDE and LMDE
Update: Part 1, manual installation with encrypted LVM on a part of the hard disk was tested with Linux Mint 18 and Kubuntu 16.04. - December 2016
---
This guide covers the installation, encryption, and bootloader setup of two Linux systems, using Linux Mint 17 KDE as the main system and LMDE (Linux Mint Debian Edition) as the secondary system as an example. The setup is BIOS / Legacy, without (U)EFI. The BIOS of the device should be set accordingly.
It also works with EFI, but that requires a different approach. Here I stick to the BIOS / Legacy setup.
Tested with Linux Mint 17.3 KDE and LMDE 2 Cinnamon. The OS will be encrypted with LUKS (Linux Unified Key Setup). As the computer starts, a boot menu will be shown and the selected OS will be decrypted and booted after a password entry.
Each system requires a separate boot partition and a partition for the encrypted system.
Any data on the hard disk will be erased during formatting. I used an empty hard drive for the installation.
It makes sense to create an extended partition. I installed the two OS with four primary partitions to simplify matters. The partition names (e.g. /dev/sda1) must be adjusted to your own system.
1. Install encrypted Linux Mint KDE
Preparations
Create a bootable USB/DVD medium from the downloaded ISO file. Start the Linux Mint KDE live system.
If you use your OS in another language, adjust the keyboard layout, because the password is not shown while you type it.
In the menu under Applications → Settings → System Settings → Input Devices → Keyboard layouts → Configure Layouts add your language. You can switch the layout in the panel.
Create Partitions
First create the partitions with GParted (Menu → System → GParted). In KDE it must first be installed from the terminal:
sudo apt-get install gparted
First create the boot partition of the main system, about 200-300MB. If you don't want to uninstall old kernels so often after updates, increase the partition size.
Right-click the unallocated space and select 'New'. The file system is ext4, and the alignment is MiB (the default). The label is '/boot'.
Create a second partition for the whole system in the desired size with ext4. Click the tick to apply the operations. Enough unallocated space should be left on the hard drive for the second system.
Now sda1 exists as the boot partition, and sda2 as the partition for an encrypted LVM, in which the rest of the system will be installed.
Close GParted.
Encrypt partition and set up LVM
To get root access, type
sudo -s
in the terminal. Then encrypt the partition sda2:
cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/sda2
Confirm and specify a password. The password will not be shown.
Open (unlock) the encrypted partition:
cryptsetup luksOpen /dev/sda2 crypto-minty
pvcreate --dataalignment 1024k /dev/mapper/crypto-minty
will create the Physical Volume with an alignment suited to an SSD.
vgcreate mintygroup /dev/mapper/crypto-minty
will create a Volume Group with the name 'mintygroup'.
Then create the Logical Volumes. These are the partitions for swap, root and home within the Volume Group mintygroup, with sizes given in MiB.
lvcreate -L 4096M -n swap mintygroup # the same size as the RAM or a bit more
lvcreate -L 15360M -n root mintygroup # about 15-20GB
lvcreate -l 100%FREE -n home mintygroup
Create the file systems in the Logical Volumes.
mkswap /dev/mapper/mintygroup-swap -L swap
mkfs.ext4 /dev/mapper/mintygroup-root -L root
mkfs.ext4 /dev/mapper/mintygroup-home -L home
Install Linux Mint KDE in LVM
The OS will be installed in the LVM. Leave the terminal open. Run the installer up to the step 'Installation type'. Select 'Manual' and continue.
The Logical Volumes will be listed. Select the partitions one after the other and click on 'Change'. In this case these are '/dev/mapper/mintygroup-root', '/dev/mapper/mintygroup-home', and '/dev/sda1', the boot partition.
Format everything with ext4 and assign a mount point. For the boot partition it is /boot, for /dev/mapper/mintygroup-root only /, and for /dev/mapper/mintygroup-home /home.
The device for the boot loader installation is /dev/sda.
Then install the OS. At the step 'Who are you?' do not encrypt the home folder ;). IMPORTANT (!): after the installation do not restart now, but continue testing.
Change into the new system to make some adjustments
Mount the newly installed system and change into it with 'chroot'.
mount /dev/mapper/mintygroup-root /mnt
mount /dev/mapper/mintygroup-home /mnt/home
mount /dev/sda1 /mnt/boot
mount -o rbind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
cp /etc/resolv.conf /mnt/etc/resolv.conf
chroot /mnt /bin/bash
This enters the new system with root privileges. The UUID of the encrypted partition must be registered in the file /etc/crypttab.
blkid /dev/sda2
shows the UUID.
lsblk -o NAME,UUID,FSTYPE,SIZE,LABEL,MOUNTPOINT
lists the whole system.
Register the name of the LVM2_member and the UUID of crypto_LUKS in the file /etc/crypttab.
echo "<name_of_LVM2_member> UUID=<VOLUME_ID> none luks" >> /etc/crypttab
Then type
update-initramfs -u -k all
and leave chroot:
exit
Now the computer can be shut down and the new system started.
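The crypttab entry from the chroot step above can be derived from lsblk output instead of being typed by hand. This is an added example, not part of the original guide: the helper name crypttab_line and the sample UUIDs are constructed, and it assumes lsblk lists the opened LUKS mapping directly after its crypto_LUKS partition.

```shell
#!/bin/sh
# Added example: derive the /etc/crypttab line from `lsblk -P` output.
# crypttab_line is a hypothetical helper; the UUIDs below are constructed.

crypttab_line() {
    # stdin:  output of  lsblk -P -o NAME,UUID,FSTYPE
    # stdout: "<name_of_LVM2_member> UUID=<UUID of crypto_LUKS> none luks"
    awk '
    function field(key,    s, m) {
        # return the value of key="value" on the current line
        s = " " $0
        if (match(s, " " key "=\"[^\"]*\"")) {
            m = substr(s, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m)
            sub(/"$/, "", m)
            return m
        }
        return ""
    }
    {
        fstype = field("FSTYPE")
        if (fstype == "crypto_LUKS") {
            luks_uuid = field("UUID")   # remember the enclosing LUKS partition
        } else if (fstype == "LVM2_member" && luks_uuid != "") {
            # the opened mapping is listed right after its LUKS partition
            printf "%s UUID=%s none luks\n", field("NAME"), luks_uuid
            luks_uuid = ""
        }
    }'
}

# Constructed sample of `lsblk -P -o NAME,UUID,FSTYPE` in the live session.
SAMPLE='NAME="sda" UUID="" FSTYPE=""
NAME="sda1" UUID="11111111-aaaa-4bbb-8ccc-000000000001" FSTYPE="ext4"
NAME="sda2" UUID="22222222-aaaa-4bbb-8ccc-000000000002" FSTYPE="crypto_LUKS"
NAME="crypto-minty" UUID="Abc123-de45-fg67-hi89-jk01-lm23-nopqrs" FSTYPE="LVM2_member"
NAME="mintygroup-swap" UUID="33333333-aaaa-4bbb-8ccc-000000000003" FSTYPE="swap"
NAME="mintygroup-root" UUID="44444444-aaaa-4bbb-8ccc-000000000004" FSTYPE="ext4"'

printf '%s\n' "$SAMPLE" | crypttab_line
# In the chroot:  lsblk -P -o NAME,UUID,FSTYPE | crypttab_line >> /etc/crypttab
```

Compare the printed line with the output of blkid /dev/sda2 before appending it, since a wrong UUID in /etc/crypttab leaves the initramfs unable to unlock the system.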
2. Install encrypted LMDE Cinnamon
Preparations
Start the second live system with USB or DVD. The keyboard layout can be adjusted under Menu → Preferences → Keyboard → Keyboard layouts. Add your language with the plus button. The language can be switched in the panel.
Create partitions
Under Menu → Administration → GParted start the program and create two partitions as above, one for /boot, and one for the system.
Download script to create encryption and to adjust the system
The LMDE installer does not support encryption. LMDE can be installed with the help of a script.
Type in the terminal
wget j.mp/lmdescrypt
Make the script executable with
chmod +x lmdescrypt
The file is in the home folder. Open it in a text editor with right click → Open → Display to review it before running it, and adjust the partition labels.
boot_part=/dev/sda3
crypt_part=/dev/sda4
The rest can be edited according to your needs, e.g.:
crypt_label=debbiegroup
data_label=home
root_size=15360M
swap_size=4096M
boot_format=ext4
IMPORTANT (!) The device for the boot loader installation is /dev/sda3, the boot partition of your second system. If another OS is installed with the installer, it must be specified in the drop-down list under the point 'Prepare partitions' 'device for the boot loader installation'. Otherwise it will overwrite the bootloader of the first system.
grub_device=/dev/sda3
Then adjust username and hostname, and save the file.
Type in the terminal
sudo ./lmdescrypt
and run the script. At the beginning you will be asked to specify a password.
After the files have been copied, specify the UNIX password. Navigate in the terminal with the arrow and Enter keys.
The script is convenient: there is no need to mount the system afterwards. It ends with 'Ready for reboot!'.
The language packages must be installed later in the system settings.
3. Configure bootloader
Reboot. At first only Linux Mint KDE starts, because the LMDE bootloader was not written to the MBR, but to /dev/sda3. The LMDE bootloader must be entered in the boot menu of Linux Mint KDE. The bootloader of Linux Mint will chainload LMDE.
Overview: GRUB must be adjusted. The config file of GRUB is /boot/grub/grub.cfg. This file should not be edited by hand. Your own settings go into the file /etc/default/grub and the scripts in /etc/grub.d. Afterwards, running
sudo update-grub
regenerates the file /boot/grub/grub.cfg.
The menuentry of LMDE should be added to the Linux Mint KDE file /etc/grub.d/40_custom.
You find the menuentry of LMDE in the LMDE system in the file /boot/grub/grub.cfg.
Copy the menuentry to the Linux Mint KDE file /etc/grub.d/40_custom.
First, mount the LMDE boot partition in the file manager and open the file /boot/grub/grub.cfg.
Scroll down to
### BEGIN /etc/grub.d/10_linux ###
then you see the menuentry, something like e.g.:
menuentry 'LinuxMint GNU/Linux' --class linuxmint --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-0f7149da-2949-4e62-9653-3f0e3e301e1e' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos3'
    if [ x$feature_platform_search_hint = xy ]; then
        search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos3 --hint-efi=hd0,msdos3 --hint-baremetal=ahci0,msdos3 b305bd35-9614-4ef4-9fba-b3c70d38aec0
    else
        search --no-floppy --fs-uuid --set=root b305bd35-9614-4ef4-9fba-b3c70d38aec0
    fi
    echo 'Loading Linux 3.16.0-4-amd64 ...'
    linux /vmlinuz-3.16.0-4-amd64 root=/dev/mapper/debbiegroup-root ro quiet splash
    echo 'Loading initial ramdisk ...'
    initrd /initrd.img-3.16.0-4-amd64
}
Copy the menuentry to the clipboard. In Linux Mint KDE, open /etc/grub.d/40_custom with root privileges and paste the menuentry into the file. You can add the menu entries for the recovery mode and memtest as well. The name 'LinuxMint GNU/Linux' can be edited.
Make sure that the file ends with one blank line (!) and save the file.
Edit the file /etc/default/grub with root privileges, and comment out the line GRUB_HIDDEN_TIMEOUT=0 so that it reads
#GRUB_HIDDEN_TIMEOUT=0
With a
sudo update-grub
the grub.cfg of Linux Mint KDE will be updated.
After a reboot the boot menu should appear and list the menu entries.
Later on, whenever you update the kernel in the second system, change the 40_custom file in the first system and alter the kernel version manually. After that, run sudo update-grub again.
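The manual kernel-version change described above can be scripted together with a check that the new kernel and initrd really exist on the LMDE boot partition. This is an added example, not part of the original guide: the function name, its arguments, the demo paths and the version 3.16.0-11-amd64 are constructed, and it assumes the LMDE boot partition is mounted and that you work on a copy of 40_custom.

```shell
#!/bin/sh
# Added example: move the LMDE entry in a copy of 40_custom to a new kernel.
# update_custom_kernel, its arguments and the demo paths are hypothetical.

update_custom_kernel() {
    custom=$1; bootdir=$2; old=$3; new=$4
    # Refuse to point the entry at a kernel or initrd that is not on the
    # mounted LMDE boot partition; such an entry would fail to boot.
    for f in "vmlinuz-$new" "initrd.img-$new"; do
        [ -f "$bootdir/$f" ] || { echo "missing: $bootdir/$f" >&2; return 1; }
    done
    grep -qF "vmlinuz-$old" "$custom" ||
        { echo "no entry for $old in $custom" >&2; return 2; }
    tmp=$(mktemp) || return 3
    # Literal (non-regex) replacement, so the dots in the version are safe.
    awk -v old="$old" -v new="$new" '{
        line = $0; out = ""
        while ((i = index(line, old)) > 0) {
            out = out substr(line, 1, i - 1) new
            line = substr(line, i + length(old))
        }
        print out line
    }' "$custom" > "$tmp" && cat "$tmp" > "$custom"   # keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed files; 3.16.0-11-amd64 is a made-up newer version.
demo=$(mktemp -d)
mkdir "$demo/boot"
: > "$demo/boot/vmlinuz-3.16.0-11-amd64"
: > "$demo/boot/initrd.img-3.16.0-11-amd64"
cat > "$demo/40_custom" <<'EOF'
menuentry 'LMDE' {
    linux /vmlinuz-3.16.0-4-amd64 root=/dev/mapper/debbiegroup-root ro quiet splash
    initrd /initrd.img-3.16.0-4-amd64
}

EOF
update_custom_kernel "$demo/40_custom" "$demo/boot" 3.16.0-4-amd64 3.16.0-11-amd64
cat "$demo/40_custom"
```

The trailing blank line of 40_custom is preserved, and sudo update-grub still has to be run afterwards.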
Make the boot menu look beautiful
The boot menu can be beautified with a background image. In the main system, copy a JPG with the same resolution as the screen (e.g. 1366px x 768px) into the folder /boot/grub.
Edit the file /etc/default/grub with root privileges:
export GRUB_BACKGROUND="/boot/grub/filename.jpg"
GRUB_GFXMODE=1366x768 # exact screen resolution
GRUB_GFXPAYLOAD_LINUX=keep
In /etc/grub.d/40_custom the color of the font can be added below the menu entries, e.g.:
set color_normal="light-blue/black"
set menu_color_normal="light-cyan/black"
black means: background is transparent.
set color_normal: font color of title and info.
set menu_color_normal: font color of menu
set menu_color_highlight: font color of selected line
set color_highlight: background of selected line
Color selection: magenta, cyan, blue, green, yellow, red, dark-gray, white, light-gray, black, light-red, brown, light-green, light-blue, light-cyan, and light-magenta.
Again add one blank line and save.
After a
sudo update-grub
the background image will be shown on reboot.
Security settings
It makes sense to add one or two additional passwords for the encrypted partition. This is done with
sudo cryptsetup luksAddKey /dev/sda2
First enter the old, then the new password.
It is also useful to back up the LUKS header to an (encrypted) external hard drive:
sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /Path/to/Backup-file/filename
That was it, an encrypted dual boot system is ready to work with.
References:
System verschluesseln at ubuntuusers (German)
LMDE 201303 or 201403 with luks encrypted lvm2 partitions at forums.linuxmint.com