This is a guide on how to set up Linux Mint/LMDE with BTRFS RAID and Full Disk Encryption using LUKS, the way that the installer does it with LVM.
Disclaimer 1
Doing this requires a bit of technical knowledge about filesystems, partitioning and disk labels. If you don’t know what UUID is or how to check if your system uses BIOS or UEFI, go learn some more and come back.
Disclaimer 2
Read THE WHOLE instruction first, understand what it does, then try it yourself, first in a VM (I recommend virt-manager). Really, read the whole thing first.
Disclaimer 3
All that is written here, you do at your own risk. I do not take any responsibility for any data or hardware loss (if you somehow manage to damage your hardware...), or any security risks. This works for me and I feel confident using this, but I am the author. Do your own research, see if it works for you and decide if you want to use it or not. I do not claim this is the best or perfect solution.
Disclaimer 4
I will be using the drives /dev/sda and /dev/sdb here. Your drives may (and probably will) be different. Change the commands accordingly.
What are we trying to achieve?
A Linux Mint/LMDE installation with BTRFS RAID and Full Disk Encryption (FDE) in a way that Mint does out of the box with LVM (only one password prompt).
Step 1 - Partitioning
Boot into a Mint or LMDE live environment and open GParted.
Choose a name for your root container. Since I use LMDE, in this instruction it will be lmde_root.
DELETE ALL THE PARTITIONS THAT CURRENTLY EXIST
Partition your /dev/sda drive as described below:
Disk label: GPT
/dev/sda1:
- size: 512 MB
- filesystem: fat32
- label: ESP
- flags: boot,esp
/dev/sda2:
- size: 1024 MB
- filesystem: ext4
- label: boot
- flags: none
/dev/sda3:
- size:
  - <= 2 GB RAM - 3x RAM
  - 2 GB - 8 GB RAM - 2x RAM
  - 8 GB - 64 GB RAM - 1.5x RAM
  - > 64 GB - 1x RAM
- filesystem: linux-swap
- label: swap
- flags: swap
/dev/sda4:
- size: rest of the disk
- filesystem: btrfs
- label: lmde_root
- flags: none
Save the partitioning and close GParted.
Step 2 - Installation
Start the installation wizard and go through it as normal. When it asks where to install the system, choose “Manual partitioning”.
Edit the options of the partitions you just created as follows:
/dev/sda1:
- mount point: /boot/efi
- format: no
/dev/sda2:
- mount point: /boot
- format: no
/dev/sda3:
- mount point: swap
- format: no
/dev/sda4:
- mount point: /
- format: btrfs
Click Next and select to install GRUB on /dev/sda. The rest of the installation proceeds as normal.
DO NOT REBOOT THE PC WHEN IT FINISHES INSTALLING!
Step 3 - Encryption
At this point the installer has correctly installed the system and GRUB, and created two BTRFS subvolumes - @ for root and @home for home. This is standard practice, supported e.g. by Timeshift for in-place snapshots.
We will be using cryptsetup’s reencrypt command. First we need to make space for the LUKS header. To do that we have to mount the @ subvolume and shrink the filesystem by 32 MB. Open the terminal, go into sudo mode (sudo su) and do as follows:
mount /dev/sda4 -o subvol=@ /mnt
btrfs filesystem resize -32m /mnt
umount /mnt
Next we will encrypt the partition. Choose a strong and complicated password that you will remember - this is the password you will have to type in every time your PC boots. It is recommended that the encryption password is different from the user account password.
cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/sda4
You will first be asked to type YES in capital letters to confirm, and then to type in your encryption password twice. The process will take some time, depending on your disk size (for 50 GB in a VM it takes about 2 minutes). The partition is now encrypted and closed.
Step 4 - Final touches, encryption configuration in chroot
The next step is to open the partition/LUKS container with the name you chose in the beginning. In this example it’s lmde_root. Yours may be different (the label you gave to /dev/sda4).
cryptsetup luksOpen /dev/sda4 lmde_root
You will be asked for the encryption password. Next we will mount all the partitions, so we can chroot into them. Pay close attention to the partitions/drives, mountpoints and the order of mounting, as this is crucial.
mount /dev/mapper/lmde_root -o subvol=@ /mnt
mount /dev/mapper/lmde_root -o subvol=@home /mnt/home
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
chroot /mnt /bin/bash
Now we are inside our brand new system. Congrats, we only have a few more steps to go through. First of all, we need to re-extend the filesystem (remember, we shrunk it by 32 MB to fit the LUKS header), then we will inform our system that it has an encrypted partition (giving it the LUKS container name and its UUID, which is different from the /dev/sda4 UUID) and should ask us for a password. We will give ourselves 3 tries before it fails and panics. First we need to find the UUID of the LUKS container lmde_root and then put it in the /etc/crypttab file. The cryptsetup luksUUID command will output the UUID, which you then need to paste into the echo command where {uuid} is.
btrfs filesystem resize max /
cryptsetup luksUUID /dev/sda4
echo "lmde_root UUID={uuid} none luks,discard,tries=3" >> /etc/crypttab
The next step is to inform GRUB about it, by giving it in turn the UUID of the /dev/sda4 partition and again the LUKS container name, and also informing it that the root partition is on the LUKS container.
First find the UUID of /dev/sda4 with the blkid command. Copy it - you will paste it where {uuid} is. Then create the file /etc/default/grub.d/99_fde.cfg and put this in it:
#! /bin/sh
set -e
GRUB_CMDLINE_LINUX="cryptdevice=UUID={uuid}:lmde_root root=/dev/mapper/lmde_root"
Save and close. Then update grub and initramfs:
update-grub
update-initramfs -u
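One way to catch a copy-paste mistake before rebooting, as an added example that is not part of the original guide: the function below checks that the {uuid} placeholder was replaced, that /etc/crypttab has exactly one entry for the container, and that the GRUB line names the same container. The function name and its parameters are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-reboot sanity check for the two files edited above.
# Paths are parameters so the check can be tried on copies first.
# Inside the chroot it would be called as:
#   check_fde_config /etc/crypttab /etc/default/grub.d/99_fde.cfg \
#       lmde_root "$(cryptsetup luksUUID /dev/sda4)"

# check_fde_config CRYPTTAB GRUB_CFG NAME LUKS_UUID
# Prints each problem found; returns 0 only when none are found.
check_fde_config() {
    crypttab=$1 grubcfg=$2 name=$3 luks_uuid=$4 rc=0

    # A line pasted with the placeholder still in it cannot unlock anything.
    if grep -qF '{uuid}' "$crypttab" "$grubcfg"; then
        echo "placeholder {uuid} was not replaced"; rc=1
    fi

    # crypttab: exactly one entry for NAME, pointing at the LUKS header UUID.
    # Running the echo >> command twice leaves two entries and is caught here.
    entries=$(awk -v n="$name" '$1 == n { print $2 }' "$crypttab")
    case $entries in
        "UUID=$luks_uuid") ;;
        "") echo "no crypttab entry for $name"; rc=1 ;;
        *)  echo "crypttab entry for $name is duplicated or has another UUID"; rc=1 ;;
    esac

    # GRUB: the name after cryptdevice=UUID=...: and in root= must both be NAME.
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grubcfg")
    case " $cmdline " in
        *" cryptdevice=UUID="*":$name "*) ;;
        *) echo "cryptdevice= does not name $name"; rc=1 ;;
    esac
    case " $cmdline " in
        *" root=/dev/mapper/$name "*) ;;
        *) echo "root= does not point at /dev/mapper/$name"; rc=1 ;;
    esac
    return $rc
}
```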
Exit chroot with CTRL+D or exit and unmount all the partitions, EXACTLY IN THIS ORDER. Then close the LUKS container.
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys/firmware/efi/efivars
umount /mnt/sys
umount /mnt/home
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt
cryptsetup close lmde_root
Done. Now reboot to your actually installed OS. If everything went right, you should see the GRUB menu and after it a nice prompt for the lmde_root (or whatever your LUKS container is named) password with the Mint logo.
(optional) STEP 5 - BTRFS RAID
My reasons for BTRFS were twofold:
- In-place snapshots
- Ability to use multiple drives in software RAID
Here we will configure that. You have multiple options, and if you’re going to use them, you know how RAID works. But for simplicity we will just reduce it to two options:
- RAID0 - use two or more disks as one, big disk
- RAID1 - use two (or multiples of 2) disks as mirrors, allowing for 1 disk failure without losing any data
I will assume the second disk to be /dev/sdb. Yours may differ.
First we need to partition it. Use whatever you want, GParted, fdisk, cfdisk. Partition as follows:
Disk label: GPT
/dev/sdb1:
- size: entire disk
- filesystem: no filesystem
- label: no
- flags: no
Then we will add this new partition into our BTRFS filesystem and balance the data according to the RAID level we choose. In terminal:
btrfs device add -f /dev/sdb1 /
# For RAID0
# (-dconvert=single joins the disks without striping; -dconvert=raid0 stripes the data)
btrfs balance start -mconvert=raid1 -dconvert=single /
# For RAID1
btrfs balance start -mconvert=raid1 -dconvert=raid1 /
Reboot and done. Everything should now be up and running. You’re now rocking a BTRFS-powered Mint with RAID and FDE.
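A check to run once the system is up, added here and not part of the original guide: it lists btrfs and swap devices that sit directly on a partition instead of on a LUKS mapping, because whatever is written to those devices is stored unencrypted. The sample lsblk output is constructed to match the layout built in this guide (swap on /dev/sda3, /dev/sdb1 added as-is), and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list btrfs and swap devices that are not behind dm-crypt.

# plaintext_members reads `lsblk -P -o NAME,TYPE,FSTYPE` output on stdin and
# prints "NAME FSTYPE" for every btrfs or swap device whose TYPE is not "crypt",
# i.e. whose contents reach the disk without passing through LUKS.
plaintext_members() {
    awk -F'"' '
        # With -P every line is NAME="..." TYPE="..." FSTYPE="...", so splitting
        # on the double quote puts the three values in fields 2, 4 and 6.
        ($6 == "btrfs" || $6 == "swap") && $4 != "crypt" { print $2, $6 }
    '
}

# Constructed sample: the block devices this guide ends up with after Step 5.
sample_layout() {
    cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE=""
NAME="sda1" TYPE="part" FSTYPE="vfat"
NAME="sda2" TYPE="part" FSTYPE="ext4"
NAME="sda3" TYPE="part" FSTYPE="swap"
NAME="sda4" TYPE="part" FSTYPE="crypto_LUKS"
NAME="lmde_root" TYPE="crypt" FSTYPE="btrfs"
NAME="sdb" TYPE="disk" FSTYPE=""
NAME="sdb1" TYPE="part" FSTYPE="btrfs"
EOF
}

# Reports the swap partition and the second RAID member.
sample_layout | plaintext_members
```

On the installed system, run `lsblk -P -o NAME,TYPE,FSTYPE | plaintext_members`; an empty result means every btrfs and swap device is on a LUKS mapping.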
I hope this helped someone. I spent over a week trying to make this work, learning A LOT about filesystems, partitioning and encryption. Take it, use it and be happy with it!