Linux dual boot on Mac with Full Disk Encryption

Disclaimer

Everything you’ll read in this post is based on my personal experience. I can’t guarantee that any of that works on your machine. Please understand that there’s still the (small) possibility that you brick your Mac.

Apple does not support this setup - so you act AT YOUR OWN RISK!!!

Why?

Why Linux on a Mac?

I really love OS X. But I also hate it. The golden walled garden is sometimes really getting in the way.

In terms of security OS X is not bad, but I don’t trust proprietary software entirely. The history of backdoors is just too long.

And I don’t want to buy PC hardware. IMHO there’s nothing in the PC world that compares to a Retina Macbook Pro.

Why this blog post?

Because there are lots of pitfalls in setting up a Mac with full disk encryption in both operating systems alike. I wrote this post to make it easier for others to set it up.

Full Disk Encryption for OSX and Linux

I personally encrypt every hard drive that I can get ahold of. This makes the setup a little harder but with this post you should be able to get on top of it.

The official documentation of Refind tells you to install the bootloader to the ESP when using OSX WDE. “Some people”, they say, experience a 30 second boot delay with Refind on the ESP.

I got the 30 second delay before loading Refind on every single Mac with WDE. The OSX volume is also not an option, because at bootloader time it’s encrypted and therefore not readable.

Since Refind 0.7.6 there’s an option to prepare a separate fake OS X system partition for Refind. I’ll use that to get rid of the 30 second delay.

Setup Blueprint

  • BIOS: Apple EFI
  • Bootloader: Refind 0.7.7
  • First OS: Mac OSX Whole Disk Encryption via FileVault2
  • Second OS: Arch Linux (Full Disk Encryption via LVM on LUKS)

This should work with other Linux distributions too, but please make sure that your kernel has EFISTUB enabled.

Step by Step Guide

Decrypting the OS X partition

I’m assuming you already have an encrypted OSX Partition. If not, skip this step.

In order to resize the partition you have to decrypt it first, because OSX Disk Utility refuses to resize encrypted disks.

1. Open the OSX Preferences
2. Click on: Security & Privacy
3. Click on: FileVault
4. Turn off FileVault

The decryption process might take a while depending on your disk size.

Resizing the OSX partition

Use the OSX Disk Utility to resize your OSX partition:

1. Open OSX Disk Utility
2. Choose the disk on the left (not the partition)
3. Go to the partition tab
4. Use the little drag handle in the partition illustration to resize it to your needs
5. Click apply

This may also take a while since OS X may need to move some data.

Encrypting the OS X partition

Now we can re-encrypt the OS X partition:

1. Open the OSX Preferences
2. Security & Privacy
3. FileVault
4. Turn on FileVault

Again the encryption process may take a while.

Boot Arch Linux installation medium

EFI Boot your Arch CD or USB Stick.

Some Macs might need the nomodeset kernel boot option to boot from the install disk with the open source graphics drivers.

Linux Partitioning

Please make sure that the disk encryption has completed and that you rebooted the Mac. Since the Mac uses GPT partition tables we have to use cgdisk instead of cfdisk; the usage is identical.

I read somewhere that you should leave 128 MB of space between the OS X crypt partitions and the other partitions. You can do that by typing “+128M” when cgdisk asks for the first sector of your “refind” partition. I forgot to do it on two machines and it never caused any problems, so it’s up to you whether you believe that statement.

$ cgdisk /dev/sda
# Create a 64 MB partition labeled "refind" - Partition Type: af00
# Create a 256 MB partition labeled "boot" (if you just use one kernel that's more than enough) - Partition Type: 8300
# Use the rest as one big LVM partition - Partition Type: 8e00
# Don't change anything on the OS X partitions, you may destroy the data on them!
# Write the new partition table to disk and quit cgdisk

Linux LUKS and LVM Setup

Create the LUKS partition first and place the LVM on top of it.

If you need more details on the encryption settings or on LUKS on LVM (which is also possible), look at the Arch Linux wiki. Their documentation is nearly perfect.

# initialize the crypto volume (the LVM partition - yours may have a different device name)
$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda6
# open the crypto drive
$ cryptsetup open --type luks /dev/sda6 lvm

The crypt device is now set up.

Set up LVM now (the names are up to you):

$ pvcreate /dev/mapper/lvm
$ vgcreate vgcrypt /dev/mapper/lvm
$ lvcreate -L 8G vgcrypt -n cryptswap
$ lvcreate -l 100%FREE vgcrypt -n root

Create as many volumes as you want.

Linux Filesystem Setup

You need to create filesystems on the just created volumes:

$ mkfs -t ext2 /dev/sda5  # This is the 256 MB Linux boot volume (yours may have a different name)
$ mkfs -t ext4 /dev/vgcrypt/root
$ mkswap /dev/vgcrypt/cryptswap

Mounting the filesystems:

$ mount /dev/vgcrypt/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda5 /mnt/boot
$ swapon /dev/vgcrypt/cryptswap

Don’t use an unencrypted swap partition. You never know whether the kernel swapped critical data to it or not. If you want a swap partition, encrypt it!

Now proceed with the default Arch linux setup (pacstrap, genfstab, arch-chroot…)

Linux mkinitcpio and kernel parameters

The mkinitcpio.conf needs the following additional hooks:

  • keymap
  • encrypt
  • lvm2
  • shutdown

The order is important!!!

Loading keymap after encrypt will give you a hard time entering your password if you have a non-US keyboard configured in your keymaps!

/etc/mkinitcpio.conf HOOKS line should look like this:

HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck shutdown"

Generate your new initramfs with:

$ mkinitcpio -p linux

Refind Config in Linux

The Refind boot manager scans for your kernels and recognizes kernels with default names. But for encryption we need some extra kernel options to boot.

Refind lets you add boot arguments to the scanned kernels with a simple config file:

$ cat /boot/refind_linux.conf
# This manipulates the linux kernel options in the refind boot loader
"Crypt Boot"                 "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw"
"Crypt Boot with nomodeset"  "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw nomodeset"
"Crypt Boot Text Mode"       "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw systemd.unit=multi-user.target"

  • The first entry is used as default.
  • The second one is for me, when I f*** up my graphics card driver, to get a “rescue mode”
  • The third is for booting into text mode with systemd

The important parameters explained:

  • cryptdevice=/dev/sda6:vgcrypt <= Tells the kernel to use /dev/sda6 as a crypt device and to initialize the volume group “vgcrypt” on it
  • root=/dev/vgcrypt/root <= Sets the root device as you might expect
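A small POSIX shell checker, added here as an example and not part of the original post, for the two pitfalls above: the mkinitcpio HOOKS order (keymap before encrypt before lvm2) and the refind_linux.conf entries all pointing at the same cryptdevice and volume group. The HOOKS lines and the refind_linux.conf text embedded in it are constructed copies of the values shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for the two config files above.
set -f   # no pathname expansion while we word-split config text

# hooks_ok HOOKS_LINE: succeed only if keymap, encrypt, lvm2 and
# filesystems appear in that order and the shutdown hook is present.
hooks_ok() {
  hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS="\(.*\)"$/\1/p')
  [ -n "$hooks" ] || return 1
  prev=0
  for want in keymap encrypt lvm2 filesystems shutdown; do
    pos=0 found=0
    for h in $hooks; do
      pos=$((pos + 1))
      if [ "$h" = "$want" ]; then found=$pos; break; fi
    done
    # shutdown only has to exist; the other four must be in sequence
    [ "$found" -gt 0 ] || return 1
    [ "$want" = shutdown ] || [ "$found" -gt "$prev" ] || return 1
    prev=$found
  done
}

# refind_conf_ok CONF_TEXT LUKS_DEV VG: every "Name" "args" entry must
# carry cryptdevice=LUKS_DEV:VG and a root= device inside /dev/VG/.
refind_conf_ok() {
  conf=$1 dev=$2 vg=$3
  old_ifs=$IFS
  IFS='
'
  set -- $(printf '%s\n' "$conf" | sed -n 's/^"[^"]*"[[:space:]]*"\([^"]*\)".*$/\1/p')
  IFS=$old_ifs
  [ $# -gt 0 ] || return 1
  for args; do
    case " $args " in *" cryptdevice=$dev:$vg "*) ;; *) return 1 ;; esac
    case " $args " in *" root=/dev/$vg/"*) ;; *) return 1 ;; esac
  done
}

# constructed inputs copied from the post; BAD_HOOKS swaps keymap and encrypt
GOOD_HOOKS='HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck shutdown"'
BAD_HOOKS='HOOKS="base udev autodetect modconf block encrypt keymap lvm2 filesystems keyboard fsck shutdown"'
REFIND_CONF='# This manipulates the linux kernel options in the refind boot loader
"Crypt Boot"                 "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw"
"Crypt Boot with nomodeset"  "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw nomodeset"
"Crypt Boot Text Mode"       "cryptdevice=/dev/sda6:vgcrypt root=/dev/vgcrypt/root rw systemd.unit=multi-user.target"'

hooks_ok "$GOOD_HOOKS" && echo "HOOKS order ok"
hooks_ok "$BAD_HOOKS" || echo "HOOKS order broken: keymap must precede encrypt"
refind_conf_ok "$REFIND_CONF" /dev/sda6 vgcrypt && echo "refind_linux.conf ok"
```

On a real system, feed it the HOOKS line from /etc/mkinitcpio.conf and the contents of /boot/refind_linux.conf, with the LUKS partition and volume group name you actually used.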

At this point you’re done with the linux setup.

Reboot into OS X again.

Refind Boot Manager Setup in OS X

Back in OS X, the refind setup can begin.

First you need to create an HFS+ filesystem on the 64 MB refind volume.

1. Open OSX Disk Utility
2. Choose the 64 MB partition from the partition list. "disk0s4" in my setup
3. Click on the "erase" tab.
4. Choose the "HFS+" filesystem
5. Name the volume "refind" and create the filesystem on it

Download the newest Refind and unpack it.

$ cd <unpacked_refind_folder>
$ ./install.sh --alldrivers --ownhfs /dev/disk0s4  # /dev/disk0s4 is the 64 MB "refind" volume from above

Shutdown your Mac. The setup should be complete now.

Booting your new Systems

Press and hold the Alt/Option-Key while booting your Mac.

The Apple Bootloader should give you two options:

  • The default Apple OS X entry, which will bring you immediately to the FileVault password prompt
  • A “REFIND” entry, which will start the Refind boot loader for Linux boots

You should not have a 30 second delay and you should be able to choose the default boot volume in OS X.

I hope everything went well.

Troubleshooting

Once, in a different setup, a MacBook crashed while booting and I was stuck. (I still don’t know why it crashed.)

The bootloader didn’t start any more. All I was left with was a gray screen and the DVD tray sound. Not even the Apple chime.

After a NVRAM/PRAM reset, I was able to boot into OS X again and reinstall refind.

If anything goes horribly wrong, try resetting PRAM first before getting a heart attack.