@Leniwcowaty
Last active November 25, 2025 14:50
This is an instruction on how to setup Linux Mint/LMDE with BTRFS and Full Disk Encryption using LUKS the way that the installer does it with LVM

Linux Mint and LMDE BTRFS setup guide with Full Disk Encryption using LUKS2

Disclaimer 1

Doing this requires a bit of technical knowledge about filesystems, partitioning and disk labels. If you don't know what UUID is or how to check if your system uses BIOS or UEFI, go learn some more and come back.

Disclaimer 2

Read THE WHOLE instruction first, understand what it does, then try it yourself, first in a VM (I recommend virt-manager). Really, read the whole thing first.

Disclaimer 3

All that is written here, you do at your own risk. I do not take any responsibility for any data or hardware loss (if you somehow manage to damage your hardware...), or any security risks. This works for me and I feel confident using this, but I am the author. Do your own research, see if it works for you and decide if you want to use it or not. I do not claim this is the best or perfect solution.

Disclaimer 4

I will be using here drives /dev/sda and /dev/sdb. Your drives may (and probably will) be different. Change commands respectively.

Disclaimer 5

It was brought to my attention, that having encrypted data partition and unencrypted SWAP is not very secure, as SWAP can be used as a gateway to bypass the encryption. I have changed the procedure slightly to use ZRAM, which is standard in FDE BTRFS RAID setups (eg. Fedora uses this method). All that is written in Disclaimer 3 is still valid.


What we're trying to achieve?

A Linux Mint/LMDE installation with BTRFS and Full Disk Encryption (FDE) in a way that Mint does out of the box with LVM (only one password prompt).

Step 1 - Partitioning

Boot into a Mint or LMDE live environment and open GParted.

Choose a name for your root container. Since I use LMDE, in this instruction it will be lmde_root.

DELETE ALL THE PARTITIONS THAT CURRENTLY EXIST

Partition your /dev/sda drive as described below:

Disk label: GPT

/dev/sda1:

  • size: 512 MB
  • filesystem: fat32
  • label: ESP
  • flags: boot,esp

/dev/sda2:

  • size: 1024 MB (or 2048 MB if planning to use custom kernels, like xanmod)
  • filesystem: ext4
  • label: boot
  • flags: none

/dev/sda3:

  • size: rest of the disk
  • filesystem: btrfs
  • label: lmde_root
  • flags: none

Save the partitioning and close GParted.

Step 2 - Installation

Start installation wizard and go through it as normal. When it asks where to install the system, choose "Manual partitioning"

Edit the options of partitions you just created as follows:

/dev/sda1:

  • mount point: /boot/efi
  • format: no

/dev/sda2:

  • mount point: /boot
  • format: no

/dev/sda3:

  • mount point: /
  • format: btrfs

Click Next and select to install GRUB on /dev/sda. Rest of the installation proceeds as normal.

DO NOT REBOOT THE PC WHEN IT FINISHES INSTALLING!

Step 3 - Encryption

At this point the installer has correctly installed the system and GRUB, and created two BTRFS subvolumes - @ for root and @home for home. This is standard practice, supported eg. by Timeshift for in-place snapshots.

We will be using cryptsetup's reencrypt command. First we need to make space for the LUKS header. To do that we have to mount the @ subvolume and reduce the filesystem size by 32 MB. Open the terminal, go into sudo mode (sudo su) and do as follows:

mount /dev/sda3 -o subvol=@ /mnt
btrfs filesystem resize -32m /mnt
umount /mnt

Next we will encrypt the partition. Choose a strong, complex password that you will remember - this is the password you have to type in every time your PC boots. It is recommended that the encryption password be different from the user account password.

cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/sda3

You will be first asked to type YES in capital letters to confirm, and then to type in your encryption password twice. The process will take some time, depending on your disk size (for 50 GB in a VM it takes about 2 minutes). The partition is now encrypted and closed.

Step 4 - Final touches, encryption and ZRAM configuration in chroot

Next step is to open the partition/LUKS container with the name you chose in the beginning. In this example it's lmde_root. Yours may be different (the label you gave to /dev/sda3).

cryptsetup luksOpen /dev/sda3 lmde_root

You will be asked for the encryption password. Next we will mount all the partitions, so we can chroot into them. Pay close attention to the partitions/drives, mountpoints and the order of mounting, as this is crucial.

mount /dev/mapper/lmde_root -o subvol=@ /mnt
mount /dev/mapper/lmde_root -o subvol=@home /mnt/home
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
chroot /mnt /bin/bash

Now we are inside our brand new system. Congrats, we only have a few more steps to go through. First of all, we need to re-extend the filesystem (remember, we shrunk it by 32 MB to fit the LUKS header). Then we will inform our system that it has an encrypted partition (giving it the LUKS container name and its UUID, which is different than /dev/sda3 UUID) and should ask us for a password. We will give ourselves 3 tries before it fails and panics. To do this, we need to find the UUID of the LUKS container lmde_root and put it in the /etc/crypttab file. The second command below outputs the UUID, which you then need to paste into the third command where {uuid} is.

btrfs filesystem resize max /
cryptsetup luksUUID /dev/sda3
echo "lmde_root UUID={uuid} none luks,discard,tries=3" >> /etc/crypttab

Next step is to inform GRUB about it, by giving it in turn the UUID of /dev/sda3 partition and again LUKS container name, and also informing it that the root partition is on the LUKS container.

First find the UUID of /dev/sda3 with blkid command. Copy it - you will paste it where {uuid} is. Then create file /etc/default/grub.d/99_fde.cfg and put this in it:

#! /bin/sh
set -e

GRUB_CMDLINE_LINUX="rd.luks.uuid={uuid}"

Save and close. Last step is to install and configure ZRAM. I won't go into the details what it is, tl;dr is that ZRAM is basically SWAP in RAM. To do that we need to enable DNS in chroot, update repos and install systemd-zram-generator, and optionally configure it:

echo "nameserver 1.1.1.1" >> /etc/resolv.conf
apt update
apt install systemd-zram-generator -y

By default zram0 is either RAM / 2 or 4 GB, whichever is smaller. If you want to change this, copy /usr/lib/systemd/zram-generator.conf to /etc/systemd/zram-generator.conf and add your config:

echo "zram-size = {your formula or size in MB}" >> /etc/systemd/zram-generator.conf

Normally you'd need systemctl daemon-reload and zramctl for this to take effect, but we will be rebooting anyway, so no need for that.

Finally update grub and initramfs:

update-grub
update-initramfs -u

Exit chroot with CTRL+D or exit and unmount all the partitions, EXACTLY IN THIS ORDER. Then close LUKS container.

umount /mnt/dev
umount /mnt/proc
umount /mnt/sys/firmware/efi/efivars
umount /mnt/sys
umount /mnt/home
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt

cryptsetup close lmde_root

Done. Now reboot to your actually installed OS. If everything went right, you should see GRUB menu and after it a nice prompt for lmde_root (or whatever your LUKS container is named) password with Mint logo.
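A check worth running after that first boot, given the reason for ZRAM in Disclaimer 5: confirm that no swap area sits directly on a disk partition. This is an added example, not part of the original gist; the function names, the verdict labels and the sample table are constructed here, and a device-mapper or file-backed swap is only flagged for manual review because the script cannot tell whether the layer underneath is encrypted.

```sh
# Added example, not part of the original gist.
# audit_swaps FILE: read a /proc/swaps-format table and print one verdict per
# active swap area. Returns 1 if any swap sits directly on a disk partition.
#   ok-zram     RAM-backed, nothing is written to disk
#   check-dm    device-mapper target; confirm it is a crypt device (lsblk TYPE column)
#   check-file  swap file; it is only as encrypted as the filesystem holding it
#   PLAINTEXT   raw partition; swapped-out memory lands on disk unencrypted
audit_swaps() {
    awk 'NR > 1 && NF >= 2 {
        verdict = "PLAINTEXT"
        if ($1 ~ /^\/dev\/zram[0-9]+$/)                  verdict = "ok-zram"
        else if ($1 ~ /^\/dev\/(dm-[0-9]+|mapper\/.+)$/) verdict = "check-dm"
        else if ($2 == "file")                           verdict = "check-file"
        print verdict, $1
        if (verdict == "PLAINTEXT") bad = 1
    } END { exit bad }' "$1"
}

# Constructed sample in /proc/swaps layout: the zram device this guide sets up
# plus a leftover plaintext swap partition (/dev/sda4 is a made-up device).
sample_swaps() {
    cat <<'EOF'
Filename                                Type            Size            Used            Priority
/dev/zram0                              partition       4194300         0               100
/dev/sda4                               partition       2097148         0               -2
EOF
}

# Usage on the installed system:
#   audit_swaps /proc/swaps || echo "plaintext swap is active"
```
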

(optional) STEP 5 - Setting up encrypted RAID

First of all, you need a secondary disk. You can add as many disks as you like, following of course requirements of RAID level you want to set up. Here I will be setting up a simple RAID0 for extended disk space with RAID1 for metadata. I will be using one additional disk, this procedure has to be repeated for all the additional disks. For more sophisticated setup or higher RAID levels, you need to do your own research.

First of all, partition the drive. You just need:

  1. GPT partition table
  2. One partition spanning the entire disk, with no filesystem (here it will be /dev/sdb1).

Since my main LUKS container is named lmde_root, the secondary drive's container will be named lmde_root_1.

Encrypt the partition the same way you did with the primary /dev/sda3 partition, then open it:

cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/sdb1
cryptsetup luksOpen /dev/sdb1 lmde_root_1

Now add this new partition to your current BTRFS filesystem and balance it, converting data to raid0 and metadata to raid1:

btrfs device add -f /dev/mapper/lmde_root_1 /
btrfs balance start -dconvert=raid0 -mconvert=raid1 /

Then the procedure of informing the system about a new encrypted drive is basically the same as in our root partition:

cryptsetup luksUUID /dev/sdb1
echo "lmde_root_1 UUID={uuid} none luks,discard,tries=3" >> /etc/crypttab

And for /etc/default/grub.d/99_fde.cfg:

#! /bin/sh
set -e

GRUB_CMDLINE_LINUX="rd.luks.uuid={uuid of /dev/sda3} rd.luks.uuid={uuid of /dev/sdb1}"

Regenerate initramfs and update grub, and you're good to go. Only caveat being - now you have to type passwords for both lmde_root and lmde_root_1 on boot.
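The crypttab and GRUB edits from Step 4 and Step 5 can be scripted so that a leftover {uuid} placeholder or a repeated append is caught before the next boot. This is an added example, not part of the original gist: the function names and EXAMPLE_UUID are constructed here, and the UUIDs passed in are assumed to be the ones obtained with the commands shown in the guide.

```sh
# Added example, not part of the original gist.
# Note: "discard" lets TRIM pass through LUKS, which reveals which blocks are
# unused (see crypttab(5)); remove it from the printf below if that matters.
EXAMPLE_UUID=0f3c2a1e-5b7d-4c9a-8e21-6a4d9b7c1f02   # constructed sample value

# is_uuid VALUE: succeeds only for a canonical 8-4-4-4-12 hex UUID, so a
# leftover "{uuid}" placeholder or an empty string is rejected.
is_uuid() {
    case $1 in ''|*[!0-9a-fA-F-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab_line NAME UUID: print one entry with the options the guide uses.
crypttab_line() {
    is_uuid "$2" || { echo "invalid UUID: $2" >&2; return 1; }
    printf '%s UUID=%s none luks,discard,tries=3\n' "$1" "$2"
}

# add_crypttab_entry FILE NAME UUID: append the entry unless FILE already maps
# NAME, so repeating the step does not leave duplicate lines behind.
add_crypttab_entry() {
    _line=$(crypttab_line "$2" "$3") || return 1
    if [ -f "$1" ] && awk -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"; then
        echo "$2 is already listed in $1, nothing appended" >&2
        return 0
    fi
    printf '%s\n' "$_line" >> "$1"
}

# grub_dropin UUID...: print the 99_fde.cfg contents, one rd.luks.uuid= per UUID.
grub_dropin() {
    _args=
    for _u in "$@"; do
        is_uuid "$_u" || { echo "invalid UUID: $_u" >&2; return 1; }
        _args="${_args:+$_args }rd.luks.uuid=$_u"
    done
    [ -n "$_args" ] || { echo "no UUID given" >&2; return 1; }
    printf '#! /bin/sh\nset -e\n\nGRUB_CMDLINE_LINUX="%s"\n' "$_args"
}

# Usage as root (UUID values obtained with the commands shown in the guide):
#   add_crypttab_entry /etc/crypttab lmde_root_1 "$(cryptsetup luksUUID /dev/sdb1)"
#   grub_dropin "$uuid_sda3" "$uuid_sdb1" > /etc/default/grub.d/99_fde.cfg
```
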


I hope this helped someone. I spent over a week trying to make this work, learning A LOT about filesystems, partitioning and encryption. Take it, use it and be happy with it!

@jemadux

jemadux commented Nov 17, 2025

nice guide ... i followed it to my linux mint installation but good idea to use the arch-install-scripts ... but excellent too
