Installing LMDE6 with full disk encryption using RAID, LUKS, LVM2 and USB unlock on a computer with a UEFI bootloader

Semyon A Mironov

by Semyon A Mironov, 5/2025

This document describes the creation of the following scheme

Disk marking scheme

Table of Contents

Booting from a LIVE-iso

Select booting from a USB/CD image

Select "Start LMDE 6 64-bit"

Start LMDE 6 64-bit

Press e to edit the commands before booting

The kernel’s command-line parameters

Add the nomodeset parameter and press F10 to boot

Add the nomodeset parameter

The kernel’s command-line parameters

quiet and nomodeset

splash

LMDE 6 Desktop live

LMDE 6 Desktop live

Preparing a LIVE system

Open the terminal

LMDE 6 Open the terminal

Switch to the root user

sudo -s

LMDE 6 Switch to the root user

Change the host name

export HOST_NAME="lmde"  # set a variable with a new host name for the operating system to install
hostname "$HOST_NAME"    # change the host name

Check

hostname

Time setup in a LIVE system

dpkg-reconfigure tzdata

Preparing the disks

Creating partitions

List information about block devices

lsblk

LMDE 6 List information about block devices

Save the disk names to variables

SDA="/dev/sda"
SDB="/dev/sdb"

Creating two partitions on SDA for EFI and mirror array

  1. Run the fdisk program for the SDA disk:

    fdisk "${SDA:-/dev/sda}"

  2. Create partitions on the disk by following the following list of commands:

         m # print help
     p # print the partition table
     g # create a new empty GPT partition table
     n # add a new partition No.1
     1 # partition number
       # first sector (2048)
 +100M # last sector
     p # print the partition table
     n # add a new partition No.2
     2 # partition number
       # first sector (206848)
       # last sector
     p # print the partition table
     l # list known partition types
     q # quit from list known partition types
     t # change a partition type No.1
     1 # partition number
     1 # EFI System
     t # change a partition type No.2
     2 # partition number
    42 # Linux RAID
     p # print the partition table
     x # extra functionality (experts only)
     m # print help (for GPT)
     n # change partition name No.1
     1 # partition number
   EFI # new name No.1
     n # change partition name No.2
     2 # partition number
 RAID1 # new name No.2
     p # print the partition table
     r # return to main menu
     p # print the partition table
     w # write table to disk and exit

Creating two partitions on SDB for EFI and mirror array

cat << FDISK | fdisk "${SDB:-/dev/sdb}"
     g # create a new empty GPT partition table
     n # add a new partition No.1
     1

 +100M
     p # print the partition table
     n # add a new partition No.2
     2


     p # print the partition table
     t # change a partition type No.1
     1
     1
     t # change a partition type No.2
     2
    42
     p # print the partition table
     x # extra functionality (experts only)
     n # change partition name No.1
     1
   EFI
     n # change partition name No.2
     2
 RAID1
     p # print the partition table
     r # return to main menu
     p # print the partition table
     w # write table to disk and exit
FDISK

Comments are allowed only when calling commands Spaces at the beginning and end of commands and values are ignored

Creating a mirror array with MDADM

MDADM - Multiple Disk and Device Management

Download lists of new packages

apt update

Installing the mdadm package on a LIVE system

apt install mdadm

Creating a mirror array /dev/md0

mdadm --verbose --create /dev/md0 --level 1 --raid-devices 2 "${SDA:-/dev/sda}2" "${SDB:-/dev/sdb}2"

Checking the RAID array status

watch --interval=1 cat /proc/mdstat

Additional commands for MDADM

Show help

mdadm --help

Display details of an array

mdadm --verbose --detail --scan | grep '^ARRAY'

Save the array configuration

nano /etc/mdadm/mdadm.conf

Stop the array

mdadm --verbose --stop /dev/md0

Assemble a previously created array

mdadm --verbose --assemble --scan

Hotadd subsequent devices to the array

mdadm --verbose /dev/md0 --add /dev/sdc2

Subsequent devices are re-added

mdadm --verbose /dev/md0 --re-add /dev/sde2

Delete super-blocks on the disks from which the array is assembled

mdadm --verbose --zero-superblock /dev/sda2 /dev/sde2

RAID encryption with LUKS

LUKS - Linux Unified Key Setup

Encrypting /dev/md0

cryptsetup --verbose luksFormat --pbkdf pbkdf2 /dev/md0

Unlocking /dev/md0 to /dev/mapper/rootfs

This command unlocks /dev/md0 on /dev/mapper/rootfs

cryptsetup --verbose luksOpen /dev/md0 rootfs

Additional commands for LUKS

Show help

cryptsetup --help

Close device (remove mapping)

cryptsetup close /dev/mapper/rootfs

Show device status

cryptsetup status /dev/mapper/rootfs

Dump LUKS partition information

cryptsetup luksDump /dev/md0

Add key to LUKS device

cryptsetup luksAddKey /dev/md0 [<new key file>]

Changes supplied key or key file of LUKS device

cryptsetup luksChangeKey /dev/md0 <key slot>

Removes supplied key or key file from LUKS device

cryptsetup luksRemoveKey /dev/md0 [<new key file>]

Wipes key with number <key slot> from LUKS device

cryptsetup luksKillSlot /dev/md0 <key slot>

Creating LVM

LVM - Logical volume manager

Initializing /dev/mapper/rootfs to use LVM

pvcreate --verbose /dev/mapper/rootfs

Display various attributes of physical volume(s)

pvdisplay

or display information about physical volumes

pvs

Creating a volume group os on /dev/mapper/rootfs

vgcreate --verbose os /dev/mapper/rootfs

Display volume group information

vgdisplay

or display information about volume groups

vgdisplay

Creating the boot logical volume

lvcreate --verbose --size 1G -n boot os

Creating the root logical volume

lvcreate --verbose --size 50G -n root os

Creating the home logical volume

lvcreate --verbose --extents 100%FREE -n home os

Display information about a logical volume

lvdisplay

or display information about logical volumes

lvs

Additional commands for LVM

Deactivation/activation LVM

  1. Deactivating Volume Groups:

    vgchange --verbose --activate n os

  2. Activating Volume Groups:

    vgchange --verbose --activate y os

Rename LVM

  1. Rename a logical volume:

    lvrename --verbose os root linux

    or:

    lvrename --verbose /dev/os/root linux

  2. Rename a volume group:

    vgrename --verbose os sys

Remove LVM

  1. Remove logical volume(s):

    lvremove --verbose /dev/os/boot
lvremove --verbose /dev/os/root
lvremove --verbose /dev/os/home

    or remove all logical volumes in the volume group:

    lvremove --verbose os

  2. Remove volume group(s):

    vgremove --verbose os

  3. Remove LVM label(s) from physical volume(s):

    pvremove --verbose /dev/mapper/rootfs

Creating a file systems

  1. Format the EFI partition:

    mkfs.fat -v -F 32 -n EFI "${SDA:-/dev/sda}1"

    /dev/sdb1 - do not format

  2. Format the boot partition:

    mkfs.ext2 -v -L boot /dev/mapper/os-boot

  3. Format the root partition:

    mkfs.xfs -L root /dev/mapper/os-root

  4. Format the home partition:

    mkfs.xfs -L home /dev/mapper/os-home

    Additional commands for mkfs

    Remove a file system

    dd if=/dev/zero of=/dev/sda1 bs=512 count=1 conv=notrunc

Installing the LMDE operating system

Mounting ISO image

  1. Create a directory for mounting ISO image:

    mkdir --verbose /source

  2. Mount the ISO image:

    mount --verbose --options loop --types squashfs /run/live/medium/live/filesystem.squashfs /source

Mounting root partition

  1. Create a directory to mount the root partition of the future LMDE operating system:

    mkdir --verbose /target

  2. Mount the root (/) partition:

    mount --verbose /dev/mapper/os-root /target

  3. Create directories to mount the boot and home partitions:

    mkdir --verbose /target/{boot,home}

  4. Mount the home partition:

    mount --verbose /dev/mapper/os-home /target/home

  5. Mount the boot partition:

    mount --verbose /dev/mapper/os-boot /target/boot

  6. Create a directory to mount the EFI partition:

    mkdir --verbose /target/boot/efi

  7. Mount the EFI partition:

    mount --verbose "${SDA:-/dev/sda}1" /target/boot/efi

Copying system files

LMDE Copying system files

  1. Copy the operating system files from the ISO image to the root partition:

    rsync --verbose --archive /source/ /target/

  2. Copy the local domain name system configuration file:

    cp -vf /etc/resolv.conf /target/etc/

    Check

    cat /target/etc/resolv.conf

Unmount ISO image

umount --verbose /source

Configuring the LMDE operating system

Entering the system

LMDE restart system

  1. Mount the system directories of the LIVE system to the root partition of the future LMDE operating system:

    for FS in /proc /run /tmp /sys /sys/firmware/efi/efivars /dev /dev/shm /dev/pts
do
    mount --verbose --bind "$FS" "/target$FS"
done

    --bind - mount a subtree somewhere else

  2. Make /target the root directory:

    chroot /target

Configuring locale

LMDE Language

dpkg-reconfigure locales
cat <<LOCALE > /etc/default/locale
#  File generated by update-locale
LC_CTYPE="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
LOCALE

Check

cat /etc/default/locale

Configuring time

LMDE Timezone

dpkg-reconfigure tzdata

Configuring keyboard

LMDE Keyboard layout

dpkg-reconfigure keyboard-configuration

Editing the /etc/hostname file

echo "${HOST_NAME:-lmde}" > /etc/hostname

Check

cat /etc/hostname

Editing the /etc/hosts file

Save a text file that contains a database of domain names and is used when translating them to network host addresses

cat <<HOSTS > /etc/hosts
127.0.0.1   localhost
127.0.1.1   ${HOST_NAME:-lmde}

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
HOSTS

Check

cat /etc/hosts

Editing the /etc/fstab file

  1. Get UUID of the system partitions:

     EFI_UUID="$(blkid --match-tag UUID --output value "${SDA:-/dev/sda}1")"
BOOT_UUID="$(blkid --match-tag UUID --output value /dev/mapper/os-boot)"
ROOT_UUID="$(blkid --match-tag UUID --output value /dev/mapper/os-root)"
HOME_UUID="$(blkid --match-tag UUID --output value /dev/mapper/os-home)"

    Check

    echo " EFI_UUID: $EFI_UUID"
echo "BOOT_UUID: $BOOT_UUID"
echo "ROOT_UUID: $ROOT_UUID"
echo "HOME_UUID: $HOME_UUID"

  2. Save the mounting points of the system partitions:

    cat <<FSTAB > /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system>                           <mount point>  <type> <options> <dump> <pass>
proc                                      /proc          proc   defaults  0      0
UUID=$ROOT_UUID /              xfs    defaults  0      1
UUID=$HOME_UUID /home          xfs    defaults  0      0
UUID=$BOOT_UUID /boot          ext2   defaults  0      1
UUID=$EFI_UUID                            /boot/efi      vfat   defaults  0      1
FSTAB

    Check

    cat /etc/fstab

Set the root user password

passwd root

Creating a user

LMDE user

  1. Set variables for use in subsequent commands:

    USER_NAME="sam"                # name of the user to be created
FULL_NAME="Semyon A Mironov"   # full name of the user to be created

  2. Create a user:

    useradd --create-home ${FULL_NAME:+--comment "$FULL_NAME"} --shell /bin/bash -G adm,audio,bluetooth,cdrom,dialout,dip,fax,floppy,lpadmin,netdev,plugdev,scanner,sudo,tape,users,video "$USER_NAME"

    LMDE User and groups

    Delete a user

    deluser --remove-home "$USER_NAME"

  3. Set user passwords:

    passwd "$USER_NAME"

Configuring LUKS with password unlock

Editing the /etc/crypttab file

  1. Get UUID of LUKS device:

    LUKS_UUID="$(cryptsetup luksUUID /dev/md0)"

    Check

    echo "LUKS_UUID: $LUKS_UUID"

  2. Save configuration for encrypted block devices:

    cat <<CRYPTTAB > /etc/crypttab
# <target name> <source device>                           <key file> <options>
rootfs          UUID=$LUKS_UUID none       luks,discard
CRYPTTAB

    Check

    cat /etc/crypttab

Configuring LUKS with USB unlock

Creating three partitions on a USB drive for EFI, boot and user data

  1. Insert the USB drive into the host and define it in the lsblk output

  2. Set variables for use in subsequent commands:

    USB_DRIVE="/dev/sdc"             # USB drive from the `lsblk` output
USB_DRIVE_MOUNT_POINT="/media"   # Specify an existing empty directory for connecting the USB drive
CRYPTTAB_KEY="my_key.lek"        # Name of the key file to create on the USB drive
LUKS_SCRIPT="/bin/luksunlockusb" # Name and path to the script to unlock using CRYPTTAB_KEY

    Check

    echo "            USB_DRIVE: ${USB_DRIVE:-/dev/sdc}"
echo "USB_DRIVE_MOUNT_POINT: $USB_DRIVE_MOUNT_POINT"
echo "         CRYPTTAB_KEY: $CRYPTTAB_KEY"
echo "          LUKS_SCRIPT: $LUKS_SCRIPT"

  3. Creat partitions on USB drive:

    cat << FDISK | fdisk "${USB_DRIVE:-/dev/sdc}"
     g # create a new empty GPT partition table
     n # add a new partition No.1
     1

 +100M
     p # print the partition table
     n # add a new partition No.2
     2

   +1G
     p # print the partition table
     n # add a new partition No.3
     3


     p # print the partition table
     t # change a partition type No.1
     1
     1
     p # print the partition table
     x # extra functionality (experts only)
     n # change partition name No.1
     1
EFIUSB
     p # print the partition table
     n # change partition name No.2
     2
BOOTUSB
     p # print the partition table
     n # change partition name No.3
     3
   USB
     p # print the partition table
     r # return to main menu
     p # print the partition table
     w # write table to disk and exit
FDISK

Creating a file systems on USB drive

  1. Format the EFIUSB partition:

    mkfs.fat -F 32 -v -n EFIUSB "${USB_DRIVE:-/dev/sdc}1"

  2. Format the BOOTUSB partition:

    mkfs.ext2 -v -L BOOTUSB "${USB_DRIVE:-/dev/sdc}2"

  3. Format the USB partition:

    mkfs.exfat --volume-label USB "${USB_DRIVE:-/dev/sdc}3"

Mounting USB drive

  1. Mount the BOOTUSB partition:

    mount --verbose "${USB_DRIVE:-/dev/sdc}2" "$USB_DRIVE_MOUNT_POINT"

  2. Create a directory to mount the EFIUSB partition:

    mkdir --verbose "$USB_DRIVE_MOUNT_POINT/efi"

  3. Mount the EFIUSB partition:

    mount --verbose "${USB_DRIVE:-/dev/sdc}1" "$USB_DRIVE_MOUNT_POINT/efi"

Creating LUKS encryption key

  1. Change the shell working directory:

    cd "$USB_DRIVE_MOUNT_POINT/efi"
pwd

  2. Create a 256 byte key file with random data (.lek = LUKS Encryption Key):

    dd if=/dev/urandom bs=1 count=256 > "$CRYPTTAB_KEY"

    The contents of the key file can be anything, for example, a photo

  3. Add key to LUKS device:

    cryptsetup --verbose luksAddKey /dev/md0 "$CRYPTTAB_KEY"

  4. Go back to the previous directory:

    cd -
pwd

Creating a script to search for the LUKS encryption key

  1. Get UUID of LUKS device:

    LUKS_UUID="$(cryptsetup luksUUID /dev/md0)"

    Check

    echo "LUKS_UUID: $LUKS_UUID"

  2. Create a script that will search for the key on USB drive during boot

    Script for any USB drive

    cat <<SCRIPT > "$LUKS_SCRIPT"
#!/bin/sh
sleep 3
test -d /mnt || {
    test ! -e /mnt && mkdir /mnt 2>/dev/null
} &&
for USB_UUID in /dev/disk/by-uuid/*
do
    if mount "\$USB_UUID" /mnt
    then
        for CRYPTTAB_KEY_FILE in "\$CRYPTTAB_KEY" "\$CRYPTTAB_KEY.lek"
        do
            test -f "/mnt/\$CRYPTTAB_KEY_FILE" || continue
            cat     "/mnt/\$CRYPTTAB_KEY_FILE" || break
            umount /mnt || :
            exit
        done
        umount /mnt || :
    fi
done 2>/dev/null || :

# Please comment out this line if you don't want to ask for a password
/lib/cryptsetup/askpass "Please unlock disk (\$CRYPTTAB_NAME): "
SCRIPT

    Check

    cat "$LUKS_SCRIPT"

    Script for one specific USB drive

    1. Get UUID of USB device:

      USB_UUID="$(blkid --match-tag UUID --output value "${USB_DRIVE}1")"

      Check

      echo "USB_UUID: $USB_UUID"

    2. Save script:

      cat <<SCRIPT > "$LUKS_SCRIPT"
#!/bin/sh
sleep 3
test -e "/dev/disk/by-uuid/$USB_UUID" && {
    test -d /mnt || {
        test ! -e /mnt && mkdir /mnt
    } &&
    mount "/dev/disk/by-uuid/$USB_UUID" /mnt && {
        for CRYPTTAB_KEY_FILE in "\$CRYPTTAB_KEY" "\$CRYPTTAB_KEY.lek"
        do
            test -f "/mnt/\$CRYPTTAB_KEY_FILE" || continue
            cat     "/mnt/\$CRYPTTAB_KEY_FILE" || break
            umount /mnt || :
            exit
        done
        umount /mnt || :
    }
} 2>/dev/null || :

# Please comment out this line if you don't want to ask for a password
/lib/cryptsetup/askpass "Please unlock disk (\$CRYPTTAB_NAME): "
SCRIPT

      Check

      cat "$LUKS_SCRIPT"

    WARNING: If you decide to comment out the password request string in the script, then make sure to perform a pre-test using a key from a USB storage device. Otherwise, you will lose access to the encrypted data.

  3. Make the script executable:

    chmod --verbose u+rwx,go+rx "$LUKS_SCRIPT"

Editing the /etc/crypttab file to use a script

cat <<CRYPTTAB > /etc/crypttab
# <target name> <source device>                           <key file> <options>
rootfs          UUID=$LUKS_UUID $CRYPTTAB_KEY luks,discard,keyscript=/bin/luksunlockusb
CRYPTTAB

Check

cat /etc/crypttab

Update list of available packages

apt update

Configuring MDADM

Installing the mdadm package

apt install mdadm

Saving the array configuration

  1. Display details of an array:

    ARRAY="$(mdadm --verbose --detail --scan | grep '^ARRAY')"

    Check

    echo "$ARRAY"

  2. Save the array configuration:

    sed "s|^ARRAY.*$|$ARRAY|" -i /etc/mdadm/mdadm.conf

    Check

    cat /etc/mdadm/mdadm.conf

Generate an initramfs image

Configuring GRUB

Installing the grub package

apt install grub-efi

Configure grub to use a encrypted disk

echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub

Installing grup on SDA

LMDE Configure the boot menu

grub-install --verbose --locales=en@quot "${SDA:-/dev/sda}"

Update grub

Re create a grub config file based on your disk partitioning schema

update-grub

Installing grup on USB drive

Follow this step if you have completed the steps described in step Configuring LUKS with USB unlock

  1. Creating the grub/fonts/ directory on a USB drive:

    mkdir --verbose --parents "$USB_DRIVE_MOUNT_POINT/grub/fonts/"

  2. Copying the UbuntuMono16.pf2 font to USB drive:

    cp --verbose /boot/grub/fonts/UbuntuMono16.pf2 "$USB_DRIVE_MOUNT_POINT/grub/fonts/"

  3. Umount the EFI partition:

    umount --verbose "${SDA:-/dev/sda}1"

  4. Umount the boot partition:

    umount --verbose /dev/mapper/os-boot

  5. Umount the EFIUSB partition:

    umount --verbose "${USB_DRIVE:-/dev/sdc}1"

  6. Umount the BOOTUSB partition:

    umount --verbose "${USB_DRIVE:-/dev/sdc}2"

  7. Mount the BOOTUSB partition:

    mount --verbose "${USB_DRIVE:-/dev/sdc}2" /boot

  8. Mount the EFIUSB partition:

    mount --verbose "${USB_DRIVE:-/dev/sdc}1" "/boot/efi"

  9. Installing grup on USB drive:

    grub-install --verbose --locales=en@quot "${USB_DRIVE:-/dev/sdc}"

  10. Update grub on USB drive:

    update-grub

Cloning of the EFI partition from SDA on SDB

dd if="${SDA:-/dev/sda}1" of="${SDB:-/dev/sdb}1" bs=64K status=progress

Edit the EFI boot menu

  1. Print additional information:

    efibootmgr --verbose

  2. Delete bootnum:

    efibootmgr --delete-bootnum --bootnum 0000

    0000 - bootloader number

    Remove all unnecessary bootloaders

  3. Add bootorder from a USB drive:

    Follow this step if you have completed the steps described in step Configuring LUKS with USB unlock

    efibootmgr --create --disk "${USB_DRIVE:-/dev/sdc}" --part 1 --label "usbkey" --loader /EFI/debian/shimx64.efi

    Note: option --label "usbkey", where "usbkey" is an arbitrary bootloader name

  4. Add bootorder from a SDA and SDB drives:

    efibootmgr --create --disk "${SDA:-/dev/sda}" --part 1 --label "Disk1" --loader /EFI/debian/shimx64.efi
efibootmgr --create --disk "${SDB:-/dev/sdb}" --part 1 --label "Disk2" --loader /EFI/debian/shimx64.efi

    Note: option --label "Disk1", where "Disk1" is an arbitrary bootloader name

Removing packages

LMDE Removing live configuration

Remove packages and their system-wide configuration files

apt purge live-config* live-installer* live-boot* live-tools*

Reboot the machine

LMDE restart system

  1. Exit the chroot environment:

    exit

  2. Reboot the machine:

    shutdown --reboot now

Installing LMDE to nvme mdadm raid

update-initramfs is disabled (live system is running without media mounted on /run/live/medium)

Using A Live CD/USB To Fix Your Current System

Best order of raid lvm and luks

Encrypted Storage with LUKS, RAID and LVM2

LVM-HOWTO

© 2025 mgmsam.pro. Все права защищены.