After I encountered a bunch of problems when setting up full disk encryption on Linux Mint 16, I thought I’d share the final solution I chose, and how to avoid some of the bugs in the Linux Mint Installer.
This howto is based on the Cinnamon variant of Linux Mint 16 x64, but it is probably applicable to other variants and architectures of Linux Mint 16.
Now, there are a few ways to partition your hard drive when using Linux. I wanted the following setup:
- /boot, unencrypted, 256 MB (otherwise the system won’t boot)
- /, encrypted, ~50 GB
- swap-space, encrypted, ~10 GB
- /home, encrypted, the remaining ~440 GB
This setup has the advantage that you can preserve the /home-partition when updating the system, saving you the trouble of making a backup and restoring it afterwards.
Now, the first option you have when installing Linux Mint 16 is to just select “encrypt this installation” during the install process. Sadly, this creates a setup without a dedicated /home partition, so it is out of the question.
Another Howto I found proposed to use the partition manager of the installer (select “something else” when asked how you want to install Linux Mint 16), and create the three encrypted partitions with the “Use as: Physical volume for encryption” option. This works, but it will make you enter your decryption passphrase three times in a row when booting up your PC, which is pretty darn annoying, so I went looking for a better option.
The way I finally solved my problem was like this: When installing Linux Mint 16, go to the partition manager and create the following setup:
- /boot, unencrypted ext2, 256 MB
- An encrypted partition with the size you want for the root of the file system (“/”, choose “Physical volume for encryption”, and a new virtual hard drive will appear, where you will have to click on the only partition on it and select “Use as: ext4 journaling file system”, setting the mount point to “/”)
- A partition with the size you want your swap space to have, but choosing “Do not use this partition” in the “Use as”-Dropdown menu (more on this later)
- An unencrypted partition with the size you want for your /home, choosing “ext4 journaling file system” with a mount point of “/home”
Now, there are a few things strange about this setup:
- We do not activate the swap space because Linux won’t let you install a system with an encrypted partition and unencrypted swap space, and we will encrypt the swap later.
- We do not encrypt the /home partition because that will happen later as well
Now, after you’ve set up your partition table to your liking (substitute ext4 for other file system types if you want to, but I’ll stick to ext4 for now), click “Install now”. The setup will warn you about your system not having any swap space, but you can ignore that (as long as you have enough RAM to install and boot linux without swap, otherwise you’re out of luck with this howto).
Proceed with the installation until it asks you to create your user. Enter all your user information and do not check the “encrypt my files” option. Why? Because the installer repeatedly failed when I did it, and the one time it worked it produced an unencrypted home directory regardless of my settings. Continue the install and reboot into your fresh linux when the installation is finished. Make sure you are asked for the passphrase you set up for the root partition when booting!
Now, after booting into your fresh linux, make sure “ecryptfs-utils” is installed (sudo apt-get install ecryptfs-utils), and install “gparted” (sudo apt-get install gparted). Then, go to the “Users and Groups” setting and create a new administrator user. Set a passwort for it, then log out and back into the new user. Start “gparted” and select the unused partition that was intended as swap space (make sure it is the correct one, as the encrypted “/” partition looks very similar. Compare sizes to be sure). Rightclick it, and select “format to => swap”. Apply your changes, then right-click the newly created swap space and select “swapon”.
Next, open a terminal and enter sudo ecryptfs-migrate-home -u USER, where USER is the username of your primary user (not the one you are currently logged in as). Follow the on-screen instructions. After the migration finished, run sudo ecryptfs-setup-swap and follow the instructions. Once you are finished with this, log out (but do not reboot) and back into your primary account. Open a terminal and enter ecryptfs-unwrap-passphrase and note the passphrase down somewhere secure. This is your emergency passphrase for when you need to decrypt your home directory manually and / or have forgotten your user password. Afterwards, delete the user you created and reboot for good measure.
You should now have the following setup:
- /boot, unencrypted
- /, encrypted
- /home, unencrypted, but containing an encrypted /home/USER.
- swap-space, encrypted
You can verify this by running lsblk and checking if the relevant partitions show up as encrypted or not, and running df and looking for /home/USER/.Private in the leftmost column. If it is there, you should be safe.
This setup leaves you with encryption for all your relevant data, with minimal additional annoyance compared to an unencrypted linux (you only need to enter one passphrase on boot, your home directory will be decrypted on login). Now, a few caveats:
- In this setup, only the home directory of the first user is encrypted. If you ever create additional users, you will have to repeat the steps ecryptfs-migrate-home and ecryptfs-unwrap-passphrase for the new user, or it will not be encrypted. (Technically, this means that this is no full disk encryption, but as long as you remember to do this for every new user or just don’t create additional users, you should be just as safe).
- Your home directory can be decrypted with your users login passphrase, so choose a strong user password.
- Encrypting the swap space in this fashion will break Linux’ hibernate function, so don’t use that afterwards (standby is fine, although that will leave everything decrypted in case your laptop is seized while it is in standby, so you may want to avoid that).
- I have not tried reinstalling linux with an encrypted home directory yet, but according to this askUbuntu-Question, it should not be a problem.
I hope I could help you living a more encrypted life. Please let me know if you find any mistakes in this guide or if something is not clear from what I’ve written.
Update: There is a persistent bug in Ubuntu / Linux Mint, which leads to the SWAP partition not being mounted on reboot. A workaround is described here. Thanks to Igo in the comments for testing the workaround and reporting back.