This post outlines how to take a blank system and end up with an encrypted EFI-boot LVM-partitioned Linux system. In reality, this isn’t a tutorial and more a note to self not to forget what I did, but perhaps it will benefit you too.

This can be done side-by-side with another system e.g. Windows, but you might need to repair the Windows installation afterwards so it’s aware of the new EFI partition you’ll make below.

Get yourself into a root shell.

sudo su -

Ensure you’re booted in EFI mode.

apt-get install efibootmgr

Run gparted.

Create a gpt partition table.

  • /dev/sda1: A 128MB EFI partition. This will be /boot/efi.
  • /dev/sda2: A 512MB ext2 partition. This will be /boot.
  • /dev/sda3: Fill up the rest of the space with an unformatted partition. This will be LUKS-encrypted, and contain our LVM volumes.

(BIOS adjustments: make it msdos, not gpt, and don’t make the EFI partition.)

Encrypt the partition.

cryptsetup luksFormat /dev/sda3

Open it up.

cryptsetup open /dev/sda3 sda3

This creates /dev/mapper/sda3. You can treat this as though it were /dev/sda3. Effectively, this is now how you refer to what was /dev/sda3.

Now for the LVM fun.

Create a physical volume on this partition.

pvcreate /dev/mapper/sda3

Run pvscan to see your physical volume.

It now needs a volume group that we’ll call vg00.

vgcreate vg00 /dev/mapper/sda3

Run vgscan to see your volume group.

Add logical volumes for root (/), home (/home), and swap.

lvcreate -L 10G -n root vg00
lvcreate -L 2G -n swap vg00
lvcreate -l 100%FREE -n home vg00

If you plan on using sleep/hibernate, ensure the swap partition is at least as big as your RAM.

Run lvscan to see your logical volumes. These can be thought of as partitions. You can access them in two ways.

  1. Under /dev/vg00/ with the names you gave them (e.g. root).
  2. Under /dev/mapper/ with the volume group (vg00) prefixing the name you gave them (e.g. vg00-root).

Both of these are just symlinks to /dev/dm-*.

Run the Linux installer. Map it up as follows:

  • /dev/mapper/vg00-root as / (ext4)
  • /dev/mapper/vg00-home as /home (ext4)
  • /dev/mapper/vg00-swap as swap
  • /dev/sda1 as /boot/efi (fat32 or efi). Note that when selecting efi you might not be able to choose a mount point. This is fine.
  • /dev/sda2 as /boot (ext2)
  • Device for bootloader installation: /dev/sda2

Finish the installation.

At this point, rebooting won’t give you a working system. The initrd image needs to be told that it needs to unlock your hard disk. To do this we’ll use /etc/crypttab.

Mount everything and get yourself into a chrooted environment.

cryptsetup open /dev/sda3 sda3 # if not already opened
touch /mnt
mount /dev/vg00/root /mnt
mount /dev/vg00/home /mnt/home
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
cd /mnt
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
chroot .

Use blkid to get the encrypted partition’s UUID.

blkid /dev/sda3

Edit your /etc/crypttab.

sda3 UUID=XXX none luks

where XXX is the UUID from blkid.

Alternatively, automate it with this:

echo "sda3 UUID=$(blkid -o value -s UUID /dev/sda3) none luks" >> /etc/crypttab

Use cryptdisks_start to test whether the file is correct, by passing it the mapped device name you want to start e.g.,

cryptdisks_start sda3

Update the initrd image.

update-initramfs -uk all