Howto install LMDE on a resizable encrypted drive


Current LMDE installers currently (as of early 2016)

  • do not support headless operation
  • install only to "normal" drive partitions

This project attempts to make it easier for users to install LMDE

  1. headlessly
  2. onto resizable "volumes", currently using LVM2
  3. onto encrypted partitions, currently using LUKS

until such time as the LMDE team can support this functionality, and perhaps to enable them to do so. (My guess is that, the more we as a community can do to solve this problem, the more likely it becomes that the LMDE team will takeover maintenance.)

Branch= master should currently allow the user to choose either, both, or none (i.e., to just run the character-mode LMDE installer) of LVM2 and LUKS, but that has not been tested. The following process has been most recently tested with a MATE LMDE2/Betsy installing both LVM2 and LUKS. Other news regarding this project may be available on the comment thread for this LMDE2 tutorial.


If you have a bug to report or feature to request that is specific to this code/project, please first check previously-created project issues to see if someone else has already reported/requested. Then,

  • if there is a relevant current issue: please contribute a comment to it, or just follow the issue.
  • if there is not a relevant current issue: please create a new issue.

For more general comments, complaints, or questions, consider posting to this LMDE2 tutorial. Note that the LMDE2 tutorial also contains information about and links to other manual and automated options for providing this functionality.


Currently this install

This project currently includes 3 examples of properties files:

Feel free to fork this project to send us a pull request with your properties file! Note however that will want to source at runtime, so be sure to make your properties file have that name at runtime. (Or edit the script, but I deprecate that.)



  • setup device: the computer on which you create your install media (below) and edit your install script and properties.

  • target device: the computer on which you install LUKS+LVM2+LMDE using your install media, script, and properties (below).

  • install medium: drive or disc containing your Live LMDE installer (e.g., LiveCD, LiveUSB). The following instructions assume you will use an LMDE-enabled LiveUSB (as created by, e.g., these instructions), and that

    • your install media mounts on your setup device at /media/you/LMDEliveUSB/
    • your install media mounts on your target device at boottime at a different path than it mounts on your setup device. What exactly that boottime mount path will be depends on details of your installer that are above the level of this discussion. Here, I will assume that the path is like /media/mint/LMDEliveUSB/ (though it may be very different, e.g., /lib/live/mount/medium/).
    • at boottime, your target device mounts your install media read-only. (This is standard.)
  • install script: or similar

  • install properties: something like, but tuned to your usecase

  • install dir: a directory/folder (aka "dir") on your install medium for your script and properties. For this discussion, I'll call that dir

    • as mounted on your setup device: /media/you/LMDEliveUSB/scripts/
    • as boottime-mounted on your target device: /media/mint/LMDEliveUSB/scripts/
    • ignoring context: just .../scripts/
  • enhanced LMDE LiveUSB: what you produce from input== LMDE LiveUSB using the instructions in the following section.

enhance installer

  1. Use your setup device to create your LMDE LiveUSB.

  2. On your setup device, create your install dir.

  3. Copy the script to your install dir. You should not need to edit the script.

  4. Copy the properties to a new file on your install dir, and edit that.

    • I will assume (for documentation below) that you name your properties file
    • In order to choose appropriate de/encryption properties, you should first benchmark your target device.

I will refer to what you have just created as an enhanced LMDE LiveUSB.

prepare target device

check target RAM

Though the subject of swap space is controversial, there is wide agreement that the size of your swap partition should (c.p.) be related to your RAM size. The install script defaults to a swap partition size that is sizeof(RAM) + 100 MB: if that works for you, then you can skip the rest of this section. Otherwise:

To determine your target device's physical RAM size, boot it, and run the following from a terminal:

sudo dmidecode -t memory | fgrep -ie 'size:'

(Note: you will probably need to boot LMDE or another full distro to get dmidecode. The smaller set of utilities provided on the ISOs of tools like (empirically) GParted may not include dmidecode.) This will give you results like the following (from a box with 4 RAM banks, only 2 installed):

Maximum Memory Module Size: 16384 MB
Maximum Total Memory Size: 65536 MB
Installed Size: 2048 MB (Single-bank Connection)
Enabled Size: 2048 MB (Single-bank Connection)
Installed Size: Not Installed
Enabled Size: Not Installed
Installed Size: 2048 MB (Single-bank Connection)
Enabled Size: 2048 MB (Single-bank Connection)
Installed Size: Not Installed
Enabled Size: Not Installed
Size: 2048 MB
Size: No Module Installed
Size: 2048 MB
Size: No Module Installed

Add the reported sizes (or Enabled Sizes, but some BIOSes empirically don't report that) to get (in this case) 4096 MB. To check your computation, run

fgrep -e 'MemTotal:' /proc/meminfo

in the same shell: the value it reports should not be more than the value you compute from dmidecode. FWIW, with the same box, I got

MemTotal:        3988616 kB

so the dmidecode-reported RAM size==4096 MB seems reasonable. I can therefore use that value to compute a swap partition size, and use that swap size to set the properties var== swap_size.

partition target drive

You will probably also want to repartition (or partition, if new) the target device drive onto which you intend to install LUKS+LVM2+LMDE. For this example I will assume

  1. the drive's device name== /dev/sda , specified by var== grub_device in your properties . You might wish instead to specify the drive by UUID, or by label, or specify another drive by device name, etc.

  2. you want to re/partition the drive to have 2 partitions:

    • 1 small unencrypted, unmanaged boot partition. I will further assume that you want size(boot partition)==500 MB.
    • 1 large partition that will be encrypted (by LUKS) and managed (by LVM2) to consume the rest of the drive space.

Given those assumptions, you must

  • create a 500 MB boot partition in /dev/sda1
  • give all remaining space to a single partition== /dev/sda2

unless you have done that already. If not, you can re/partition with various tools, including GParted and fdisk. Note that all the partition tools of which I'm aware require root, so run them using sudo.

In your properties, you must specify your boot_device and managed_device, so be sure to record the names created when you re/partition. Note that you should be able to specify your boot_device and managed_device by UUID, label, or device name, but only specification by device name has been tested.


GParted is an actively developed, user-friendly GUI that is capable of doing this simple task, as well as much more complex partitionings. I recommend its use, especially to beginners, as it can prevent (and often rollback) unfortunate accidents. Fortunately it is also included on bootable installers for most Debian (and some other) distros, including LMDE; you can also make it separately bootable on your LMDE LiveUSB. Note that

  1. If you start GParted from your LMDE image (i.e., you use GRUB to boot to LMDE from your LiveUSB), you should do so by

    1. Open a Terminal (aka console)
    2. Run sudo gparted &

    This will allow you to better track and report any errors that might occur. (You can also start GParted from your window manager's start menu.)

  2. GParted may show errors when it attempts to access your LiveUSB. E.g., if you are booting a single-hard-drive laptop from your LiveUSB, the hard drive will be /dev/sda and your USB drive will be /dev/sdb, and you may get several repeated error dialogs like

    Error fsyncing/closing /dev/sdb1: Remote I/O error

    Just hit button= Ignore: you don't want to partition your LiveUSB!

  3. details of GParted are beyond the scope of this article (feel free to edit and make a pull request!), but you can get much more information about using GParted here.


fdisk is an aging but capable partition tool that runs from the commandline. It is not user-friendly and therefore not recommended for beginners. That being said, fdisk

  • remains included on bootable installers for virtually every Linux distro
  • is easy to mis/use

so an fdisk run for our example is given here.

  1. Boot your target device with your enhanced LMDE LiveUSB.

  2. Open a console and do

    sudo fdisk /dev/sda [hit Enter]
    o [Enter]
    n [Enter]
    +500M [Enter]
    n [Enter]
    w [Enter]

run installer

  1. Boot your appropriately-partitioned target device from your enhanced LMDE LiveUSB.

  2. Ensure that the booted OS on your target device is configured to

    1. provide networking. Your installer will eventually need to download packages.
    2. not disruptively manage power. Use provided power-management configuration tools to ensure that it does not, e.g., sleep on idle.
    3. not disruptively lock. Use provided tools (typically for screensaver configuration) to ensure that it does not, e.g., lock input on idle.
  3. Run the script with your properties: using example paths given above,

    pushd /media/mint/LMDEliveUSB/scripts/
    sudo ./ ./
  4. Interact with the script: e.g.,

    • give password for encryption when prompted (twice the same)
    • give password for decryption when prompted (once)
  5. Wait a bit for this script to setup your partitions and to start the the LMDE installer, then interact with the non-graphical version of LMDE installer. You will provide the same information as with the GUI installer to which you might be more accustomed, but inside the terminal. (A blast from the past !-)

  6. When the script completes, you are back at the command line. Shut down your device (e.g., with sudo shutdown -Ph now) and remove the install media (easier to do with LiveUSBs than LiveCDs at this point), then restart your device.

  7. First thing to do on restart: check your mounts! Open a terminal, and run (as a normal user)

    df -h
    cat /etc/fstab

notes on testing

power management

If installing on a laptop, you should probably turn power management off ASAP, so you can close its lid without disrupting the install (by, e.g., {sleep, suspend}ing). Whatever your target device, you should probably disable screensavers and input locks to prevent

  • disrupting the install
  • inability to update running screensavers or input-management code

undo install

If testing the default configuration (2 partitions, 1st=="normal" /boot, 2nd==managed) you can easily undo a failed install by deleting and recreating the partitions with GParted or fdisk. E.g., in GParted:

  1. Select the 2nd partition. By doing them in reverse order, you will be able to auto-recover your initial size settings (without re-entering them).
    1. Click button= Delete from the toolbar.
    2. Click button= New from the toolbar.
    3. Enter partition label from your properties (e.g., LUKS_plus_LVM2), take other defaults.
    4. Click button= Apply from the toolbar.
  1. Repeat for the 1st partition (but changing the partition label to, e.g., boot).

Note however that you will not want to boot GParted from your enhanced LMDE LiveUSB just to do this. Instead,

  1. boot to LMDE
  2. configure power management
  3. open a terminal, and run sudo gparted &
  4. perform the above workflow
  5. run the installer


  1. Move these TODOs to this project's Issues.

  2. Need real testcases! All my testing to date has been on 2 boxes with very similar properties. Need to, e.g.,

    • test with defective properties
    • test restart on broken installs
  3. both script and properties: use "real bash booleans" (i.e., /bin/false and /bin/true)

  4. both script and properties: support option to take username and hostname from commandline (so as to not hafta expose them in the properties file).

  5. test {retval, errorcode}s from all "real" calls (i.e., not messaging or trivial assignments), except

    • (possibly) cryptsetup luksFormat: hangs if teed, may be resistant to eval

    • cryptsetup luksClose near end of Install_filesystems: produces lots of fails that seem to have no effect on target device, e.g.

      device-mapper: remove ioctl on LUKS_plus_LVM2 failed: Device or resource busy
  6. ensure long-running operations have progress controls (e.g., copying read-only filesystem)

  7. create_LMDE_liveUSB.rst: instruct user how to create a non-journaling filesystem that is also not ext2. Consider adapting these suggestions: basically

    • mke2fs -t ext4 -O ^has_journal /dev/whatever

    Probably don't also wanna do tune2fs -E mount_opts=ro /dev/whatever since the user would hafta remember to turn that off when adding new ISOs.