This post outlines how to take a blank system and end up with an encrypted, EFI-booting, LVM-partitioned Linux system. In reality this isn't so much a tutorial as a note to self so I don't forget what I did, but perhaps it will benefit you too.
This can be done side-by-side with another system e.g. Windows, but you might need to repair the Windows installation afterwards so it’s aware of the new EFI partition you’ll make below.
Get yourself into a root shell.
sudo su -
Ensure you're booted in EFI mode. Install efibootmgr and run it: if it lists boot entries you're in EFI mode, and if it complains that EFI variables are not supported you booted in legacy BIOS mode (the directory /sys/firmware/efi exists only on an EFI boot, so that's a quick check too).
apt-get install efibootmgr
efibootmgr
Create a gpt partition table on the disk with three partitions:
/dev/sda1: A 128MB EFI partition. This will be /boot/efi.
/dev/sda2: A 512MB ext2 partition. This will be /boot. It stays unencrypted because the bootloader has to read the kernel and initrd from it before anything has been unlocked.
/dev/sda3: Fill up the rest of the space with an unformatted partition. This will be LUKS-encrypted, and contain our LVM volumes.
(BIOS adjustments: use an msdos (MBR) partition table rather than gpt, and don't make the EFI partition.)
Encrypt the partition. This destroys whatever was on /dev/sda3 (cryptsetup asks you to confirm with an uppercase YES), and the passphrase you choose here is the one you'll type at every boot.
cryptsetup luksFormat /dev/sda3
Open it up.
cryptsetup open /dev/sda3 sda3
This creates /dev/mapper/sda3, the decrypted view of the partition. Effectively, this is now how you refer to what was /dev/sda3: you can treat it as though it were /dev/sda3, and everything written through it is encrypted on its way to disk.
Now for the LVM fun.
Create a physical volume on this partition.
pvcreate /dev/mapper/sda3
Run pvscan to see your physical volume.
It now needs a volume group that we'll call vg00.
vgcreate vg00 /dev/mapper/sda3
Run vgscan to see your volume group.
Add logical volumes for root (/), home (/home), and swap.
lvcreate -L 10G -n root vg00
lvcreate -L 2G -n swap vg00
lvcreate -l 100%FREE -n home vg00
If you plan on using sleep/hibernate, ensure the swap volume is at least as big as your RAM (the 2G above is only an example). Because swap lives inside the LUKS container, the hibernation image, which contains the contents of memory, is encrypted at rest like everything else.
Run lvscan to see your logical volumes. These can be thought of as partitions. You can access them in two ways.
/dev/vg00/ with the names you gave them (e.g. /dev/vg00/root)
/dev/mapper/ with the volume group (vg00) prefixing the name you gave them (e.g. /dev/mapper/vg00-root)
Both of these are just symlinks to the underlying device-mapper nodes (/dev/dm-N).
Run the Linux installer. Map it up as follows:
- /dev/sda1: /boot/efi (fat32 or efi). Note that when selecting efi you might not be able to choose a mount point. This is fine.
- /dev/sda2: /boot (ext2)
- /dev/mapper/vg00-root: /
- /dev/mapper/vg00-home: /home
- /dev/mapper/vg00-swap: swap
- Device for bootloader installation: the disk itself, /dev/sda, rather than one of its partitions
Finish the installation.
At this point, rebooting won't give you a working system: the bootloader can load the kernel and initrd from the unencrypted /boot, but the initrd image needs to be told that it must unlock /dev/sda3 before it can find the LVM root volume. To do this we'll use /etc/crypttab.
Mount everything and get yourself into a chrooted environment (from the live installer, as root):
cryptsetup open /dev/sda3 sda3 # if not already opened
mkdir -p /mnt
mount /dev/vg00/root /mnt
mount /dev/vg00/home /mnt/home
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
cd /mnt
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
chroot .
Run blkid to get the encrypted partition's UUID: the one shown for /dev/sda3 itself (TYPE="crypto_LUKS"), not the UUIDs of the filesystems or LVM volumes inside it. Then add a line to /etc/crypttab:
sda3 UUID=XXX none luks
where XXX is the UUID from blkid. The first field is the name the initramfs gives the unlocked device (the same sda3 used with cryptsetup open above), none means the passphrase is prompted for at boot rather than read from a key file, and luks tells it to expect a LUKS header.
Alternatively, automate it with this (from inside the chroot, so it lands in the new system's /etc/crypttab rather than the live environment's):
echo "sda3 UUID=$(blkid -o value -s UUID /dev/sda3) none luks" >> /etc/crypttab
Run cryptdisks_start to test whether the file is correct, by passing it the mapped device name you want to start, e.g.
cryptdisks_start sda3
Because the mapping is already open it won't unlock anything again; what you're checking is that it finds and parses your entry without an error.
Update the initrd image.
update-initramfs -uk all
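As an added check that is not part of the original post, here is a small POSIX shell script that builds the crypttab entry the same way as above, validates it, and, when pointed at the real device through the CRYPT_CHECK_DEV environment variable (an assumption of this script, as are its function names and the sample UUID), compares it with the UUID in the LUKS header and confirms the rebuilt initramfs actually carries cryptsetup before you reboot. blkid, lsinitramfs and cryptdisks_start are the real tools; the initramfs path layout is the Debian/Ubuntu initramfs-tools one.

```shell
#!/bin/sh
# Added helper, not from the original post: build and sanity-check the
# /etc/crypttab entry for the LUKS container and confirm the initramfs is
# able to unlock it. Device/mapping names follow the post (/dev/sda3 -> sda3);
# function names and the CRYPT_CHECK_DEV variable are this script's own.
set -eu

# True when the kernel was started by an EFI loader: the firmware exposes its
# variables under /sys/firmware/efi only in that case.
booted_efi() {
    [ -d /sys/firmware/efi ]
}

# Read the LUKS header UUID of a raw partition (the one crypttab must use, not
# the UUID of any filesystem or LVM volume inside the container).
luks_uuid() {
    blkid -o value -s UUID "$1"
}

# Emit a crypttab line in the form the post uses: <name> UUID=<uuid> none luks
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Validate one crypttab line of that form: exactly four fields, a sane mapping
# name, a UUID= source that really looks like a UUID, "none" (prompt at boot,
# no key file) and the luks option present. Returns 0 if valid, 1 otherwise.
crypttab_line_ok() {
    # shellcheck disable=SC2086  # splitting the line into fields is intended
    set -- $1
    [ $# -eq 4 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1
    printf '%s\n' "$2" | grep -Eq '^UUID=[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    [ "$3" = none ] || return 1
    printf '%s\n' "$4" | grep -Eq '(^|,)luks(,|$)' || return 1
}

# Extract the bare UUID from a validated crypttab line.
crypttab_uuid() {
    # shellcheck disable=SC2086
    set -- $1
    printf '%s\n' "${2#UUID=}"
}

# Look up the UUID recorded for a mapping name in a crypttab file.
# Fails (returns 1) when no UUID= entry for that name exists.
crypttab_entry_uuid() {
    u=$(awk -v n="$1" '$1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$2")
    [ -n "$u" ] && printf '%s\n' "$u"
}

# Does the crypttab entry name the same UUID the LUKS header carries?
# A mismatch means the initramfs waits at boot for a device that never appears.
crypttab_matches_device() {
    [ "$(crypttab_entry_uuid "$1" "${3:-/etc/crypttab}")" = "$(luks_uuid "$2")" ]
}

# Was the cryptsetup binary actually packed into the initramfs?
initramfs_has_cryptsetup() {
    lsinitramfs "$1" | grep -q 'sbin/cryptsetup$'
}

# Live checks, run only when pointed at a device, e.g.
#   CRYPT_CHECK_DEV=/dev/sda3 sh crypt-check.sh
# so the functions above can be sourced and tested without touching the system.
if [ -n "${CRYPT_CHECK_DEV:-}" ]; then
    dev=$CRYPT_CHECK_DEV
    name=$(basename "$dev")
    if booted_efi; then echo "EFI boot: yes"; else echo "EFI boot: no (legacy BIOS)"; fi
    line=$(crypttab_line "$name" "$(luks_uuid "$dev")")
    crypttab_line_ok "$line" || { echo "malformed crypttab line: $line" >&2; exit 1; }
    if crypttab_matches_device "$name" "$dev"; then
        echo "/etc/crypttab entry for $name matches the LUKS header"
    else
        echo "/etc/crypttab entry for $name missing or wrong; expected: $line" >&2
        exit 1
    fi
    for img in /boot/initrd.img-*; do
        if initramfs_has_cryptsetup "$img"; then
            echo "$img: cryptsetup present"
        else
            echo "$img: cryptsetup missing, rerun update-initramfs -uk all" >&2
            exit 1
        fi
    done
    cryptdisks_start "$name"   # parses the entry; the mapping is already open
fi
```

Run it inside the chroot after update-initramfs so that it inspects the new system's /etc/crypttab and /boot. The validator is deliberately stricter than crypttab itself (which also accepts raw device paths and key files) because the UUID= / none / luks form is the one that survives a device being renumbered and keeps the passphrase prompt at boot.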