Installing Linux Mint/Ubuntu desktop edition with full-disk encryption and LVM

(This guide applies to any Debian/Ubuntu based distribution)

For some reason (complexity perhaps) it is not possible to configure full-disk encryption and LVM from the graphical installer in the desktop edition. It is possible to select full-disk encryption but this only creates one filesystem (root).

I want to use LVM to allow me to have more than one filesystem without having to enter more than one password during boot-up. It is not impossible to install Ubuntu desktop (or Linux Mint as in this guide) with encryption and LVM but it does require a little more work.

Before starting the installation, we need to prepare the hard disk. Start up GParted (it is the easiest tool to work with; if you feel adventurous, this can be done in parted or fdisk as well).

Start by creating a new partition table if needed (if you want to start over or the disk is empty).

Of course this will destroy any data already on the disk; you may want to resize any existing partitions (Windows for instance) instead.

Next, create three new partitions

First, the /boot partition

Second, create an extended partition

Lastly, the partition which will hold the encrypted data

Now, apply the configuration

Now exit GParted, start a terminal and run sudo su -

First, create the encrypted partition (you need to double check the device names). Needless to say, you need to pick a good password.

# cryptsetup luksFormat /dev/sda5

Open (activate) the encrypted container/partition

# cryptsetup open --type luks /dev/sda5 sda5_crypt

Create the volume group on the container

# vgcreate systemvg /dev/mapper/sda5_crypt

Final step in the terminal is to create the logical volumes – I’ve opted for three: /, /home and swap

# lvcreate -n rootlv -L20G systemvg
# lvcreate -n swaplv -L8G systemvg
# lvcreate -n homelv -l100%FREE systemvg

Next, start up the installer and answer the questions until you get to the screen where you decide how to install Ubuntu/Mint. Select “Something else”.

Now, select the filesystems to create, they should be configured like so:

It is also important to select the correct device for bootloader installation. It should NOT be installed to /dev/dm-0

Accept the changes

And continue to installation.

When the installation is done, do not reboot.

Go back to the terminal and set up a chroot with your new installation

# mount /dev/systemvg/rootlv /target
# mount /dev/sda1 /target/boot
# mount -o bind /proc /target/proc
# mount -o bind /dev /target/dev
# mount -o bind /sys /target/sys
# chroot /target

The last steps are to let your installation know you are using an encrypted root partition and to regenerate the ramdisk used for booting

# echo "sda5_crypt /dev/sda5 none luks" >> /etc/crypttab
# update-initramfs -k all -c

The line in crypttab may also use the UUID (to prevent problems if your device names change)

# blkid /dev/sda5
# echo "cryptodisk UUID=63a28f07-6f16-4b00-93a1-1c95614efafb none luks" >> /etc/crypttab

63a28f07-6f16-4b00-93a1-1c95614efafb is the UUID of the disk
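
As an added example (not part of the original guide), the script below takes a line of blkid output, checks that the partition is a LUKS container, and appends the UUID form of the crypttab line only if no active entry already covers the same device, since running both echo commands above would leave two entries for one partition. The function names and the sample PARTUUID are assumptions made for illustration; the demo writes to a scratch file, not /etc/crypttab.

```shell
#!/bin/sh
# Added example (not from the guide): write the UUID form of the crypttab line once.

# Constructed sample of `blkid /dev/sda5` output; UUID from the guide, PARTUUID made up.
SAMPLE_BLKID='/dev/sda5: UUID="63a28f07-6f16-4b00-93a1-1c95614efafb" TYPE="crypto_LUKS" PARTUUID="0001a2b3-05"'

# Print the UUID from one line of blkid output.
# Fails (returns 1) unless the line describes a LUKS container with a UUID.
luks_uuid() {
    case $1 in
        *'TYPE="crypto_LUKS"'*) ;;
        *) return 1 ;;
    esac
    uuid=$(printf '%s\n' "$1" | sed -n 's/.* UUID="\([0-9a-fA-F-]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# Append "<name> UUID=<uuid> none luks" to <file> unless an uncommented entry
# already uses the same mapping name, the same device path, or the same UUID.
# Returns 0 if a line was appended, 1 if an existing entry was found.
crypttab_add() {
    name=$1 dev=$2 uuid=$3 file=$4
    if [ -f "$file" ] && awk -v n="$name" -v d="$dev" -v u="UUID=$uuid" '
        $1 !~ /^#/ && ($1 == n || $2 == d || $2 == u) { found = 1 }
        END { exit !found }' "$file"
    then
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$name" "$uuid" >> "$file"
}

# Demo on a scratch file that already holds the guide's device-name entry.
demo() {
    tab=$(mktemp)
    echo "sda5_crypt /dev/sda5 none luks" > "$tab"
    u=$(luks_uuid "$SAMPLE_BLKID")
    crypttab_add cryptodisk /dev/sda5 "$u" "$tab" || echo "entry for /dev/sda5 already present"
    cat "$tab"; rm -f "$tab"
}
demo
```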

Now exit the chroot (CTRL-D or type exit) and reboot.