Install Slackware Linux with Full Disk Ecryption on a UEFI system

       683 words, 4 minutes

On some previous post, I installed Slackware Linux on a ThinkPad T460s . This was my first time back on Slackware for a long time and, after reading and experimenting, it seems to me that there is a better / smarter / simpler way to install Slackware using FDE on an UEFI system.

There seem to be a very cleavage point when adressing the need to encrypt the /boot partition. Long story short, keeping /boot unencrypted lets your computer opened to various attacks. I looked at how various distributions were configuring FDE. And it seems this point is half religious and half a software issue ; mostly around what Grub can or can’t do. Distributions like Fedora or Linux Mint configure FDE while keeping /boot unencrypted. Arch Linux documents three or four ways to achieve FDE ; some with, some without encrypted /boot. Pop!OS and Manjaro offer a complete encrypted system ; although using different bootloaders.

Slackware documentation concentrates on using LILO on MBR system. Booting an UEFI system requires either ELILO or Grub. There later not being the most documented choice, to my tastes, I went for using ELILO and encrypt as much FS as possible. So the big picture goes like this:

You may proceed to Slackware installation via SSH . I find this very convenient as this allows easy copy-paste commands. All the commands can be copy-pasted as follow in a shell. BEWARE TO REVIEW THE COMMANDS BEFORE EXECUTING THEM. I shall not be held responsible if your screw up your computer ;-)

Setup variables to describe disk device, partitions ids and size.



dd if=/dev/urandom of=/dev/$DISK bs=10M

Create the EFI and Linux partitions. Format the EFI one.

# Create GPT disklabel
echo -e "g\nw\nq" | fdisk /dev/$DISK
sleep 2
# Create EFI System partition
echo -e "n\n1\n\n+64M\nt\n1\nw\nq" | fdisk /dev/$DISK
sleep 2
# Create LUKS/LVM partition
echo -e "n\n2\n\n\nt\n2\n30\nw\nq\n" | fdisk /dev/$DISK

mkfs.vfat /dev/$PART_EFI

The sleep commands may not be required. They just proved to be required when testing in Virtualbox test instances.

Create the LUKS encrypted partition and open it.

cryptsetup -y luksFormat /dev/$PART_LUKS
cryptsetup luksOpen /dev/$PART_LUKS tatooine

Create the LVM partitions.

vgcreate slacker /dev/mapper/tatooine
lvcreate -L ${LV_SWAP} -n swap slacker
lvcreate -L ${LV_ROOT} -n root slacker
lvcreate -l ${LV_HOME} -n home slacker

My personnal choices are to separate system from home directory. I also include /boot into /. Using ELILO, we don’t really use it to boot.

Prepare the swap partition and run the installer.

mkswap /dev/slacker/swap


Nothing special here except the trick to correct EFI when installing Slackware from a USB stick. See here .

Once installation is finished, choose to Exit Slackware Linux Setup but there are required changes so DO NOT (R)eboot but exit to (S)hell.

Copy the EFI files from USB to /boot/efi/... and apply changes to /mnt/etc/fstab ; if required.

Switch to the installed system using chroot.

chroot /mnt

Build a proper / custom initrd image. My usage includes a French keyboard layout, hibernation on encrypted swap and USB keyboard support.

$(/usr/share/mkinitrd/ -r \
  -a "-l fr -h /dev/slacker/swap" -m "uhci-hcd:usbhid")
/boot/initrd.gz created.
Be sure to run lilo again if you use it.

ELILO should already be installed. If it was not, you may run elilo now. On kernel upgrades, your will have to run the mkinitrd command again, specifying the new kernel version. Then, you shall copy both the kernel and initrd files. Something like this:

$(/usr/share/mkinitrd/ -r -k 5.15.80 \
  -a "-l fr -h /dev/slacker/swap" -m "uhci-hcd:usbhid")

cp -pHv /boot/{initrd.gz,vmlinuz} /boot/efi/EFI/Slackware/

As stated in the documenation, elilo.conf should be amended to allow hibernation on swap. Mine looks like this:

# cat /boot/efi/EFI/Slackware/elilo.conf
	append="root=/dev/slacker/root vga=normal ro resume=/dev/slacker/swap"

Reboot can now be proceeded.


ELILO will boot straight away. The booting process will ask for the encryption passphrase and continue to the Linux | Xorg console.

Now is time to get some slack.