Calamares is the graphical installation program that you’ll most likely use to install many popular and not-so-popular Linux distributions. That’s because its development is not tied to a specific distribution and adoption by desktop distributions has been encouraging.
In this article, you’ll learn how to use its disk encryption feature to enhance the physical security posture of a supported Linux distribution. And we’ll look at how to use that feature when a Linux distribution is being installed in standalone mode and also when it’s being installed alongside Windows 10 in dual-boot setup.
The images used in this article were taken from test installations of Manjaro 16.10 in standalone mode in a virtual environment, and from a dual-boot setup between Manjaro 16.10 KDE and Windows 10 on a Lenovo G50 laptop.
Figure 1 shows the disk partitioning options available on the latest edition of Calamares. The program has no default method.
Disk Encryption in Calamares in Standalone Mode
With the Replace a partition option, you can select a free portion of the disk that you wish to install the Linux distribution on, or an occupied partition that you wish to erase. The installer will auto-partition it for you. It will also encrypt it if you select the Encrypt system option.
If your choice is the Erase disk option, then selected Encrypt system, the installer will erase and encrypt the whole disk.
At the next screen, after selecting one of the previous options, the installer will display the partitions that will be encrypted. All partitions, including the swap partition, are encrypted.
After installation and reboot, you’ll be prompted for the encryption passphrase before the GRUB boot menu is displayed. As shown in Figure 5, the system is asking for a passphrase to decrypt hd0,msdos1. That’s the first partition of an MBR-partitioned disk. And this is when you get to experience the benefit of disk encryption. The system will not boot if the correct encryption passphrase is not specified. So if another party gains unauthorized, physical access to the computer while it’s not turned on, you can be rest assured that the system will not boot. The other side of that, is if you forget the encryption passphrase, same deal happens to you. You won’t be able to brute-force your way in.
This is what happens when the correct disk encryption passphrase is specified – you’re presented with the GRUB boot menu. Now you may boot into your favorite Linux distribution.
Disk Encryption in Calamares When Dual-booting with Windows 10
Setting up a dual-boot system using a Linux distribution that uses Calamares and Windows 10 with the Linux side encrypted is just as easy in standalone mode. The recommended approach to that is to select the Manual partitioning option.
This and the next two images show how to create an encrypted custom set of partitions using the installer’s partition editor. In Figure 8, the root partition is encrypted. To encrypt any partition, simply select the Encrypt option, then specify and confirm the encryption passphrase.
Same was done when creating the partition mounted at /home.
And for the swap partition too. It is very important that you encrypt all partitions, except for a partition mounted at /boot or /boot/efi. Also use the same encryption passphrase for each.
At the installer’s manual disk partitioning window, the partitions marked for encryption will have LUKS in the File System column.
After a successful installation and reboot, you’ll be prompted for the encryption passphrase before the GRUB boot menu is displayed. In this image, notice that the system is asking for a passphrase to decrypt hd0 gpt5. That corresponds to the root partition of the Linux side of the business. Contrast that with the situation in Figure 5, during a standalone mode setup.
Note that on the test system I used for this article, if the GRUB Boot Manager is the default boot manager, I had no problem booting into either operating system. However, when I set the default boot manager to Windows (10) Boot Manager, the system will not boot. What I got instead, is shown in Figure 13. Not sure why, but that’s how it worked on mine. If your experience is different, post a comment.
And that’s how you can encrypt your Linux installation if the distribution uses the Calamares graphical installer – in standalone and dual-boot mode.