Of course, you’ll have to download LMDE and write it to a USB drive. Follow the documentation on how to do that, then boot from it and return to this guide.

After booting into the LMDE live installation media, you should open a terminal and run:

sudo live-installer-expert-mode

Now go through the GUI setup as you normally would, until you reach the part “Installation Type”, then choose “Manual Partitioning” and click “Next”.

You should now see an “Expert mode” button on the bottom left; click it.

You should now open a new Terminal tab and enter sudo -i to become root, then run lsblk -o +FSTYPE to get an overview of your available disks.

A note on old MacBooks

Note, if you’re trying to install this on an old MacBook like I’m doing, and can’t see the internal drive, try adding intel_iommu=off to the kernel arguments. You can do that by rebooting and, at the boot menu where you’d choose LMDE, pressing “e” to edit. Then replace “quiet splash” with “intel_iommu=off” and hit F10 to boot. It did the trick for me.

Wiping existing partitions

Now back to the setup: figure out which disk you want to install to. In my case, it’s /dev/sda. Please keep in mind that in this guide we’ll be doing a completely fresh install, wiping everything on that disk. Back in your terminal (root) tab, we’ll be doing the following:

gdisk /dev/sda
  • Press o to wipe everything and confirm
  • Press n and hit enter 3 times until asked for “last sector”, type +200M and hit enter, then when asked for hex code enter ef00, this will be the ESP (UEFI partition)
  • Repeat the previous step, but this time type +1G and use the hex code 8300, this will be the boot partition
  • Now this step is optional, it depends on whether you want a swap partition or not. Don’t worry, it will be encrypted. In my case, I want one and will repeat the previous step but with +5G, and the same hex code.
  • Now, we finally create the big partition for dm-crypt (LUKS), type “n” and hit enter 4 times until you can choose a hex code. Choose 8309 and hit enter.
  • Finally, we enter “w” to write the changes. This will wipe everything! So, confirm at your own discretion.

Now type lsblk -o +FSTYPE again to see our changes. In my case, I still see “apfs” in some partition. So, I will wipe each partition’s metadata to be safe:

wipefs -a /dev/sda1
wipefs -a /dev/sda2
wipefs -a /dev/sda3
wipefs -a /dev/sda4

Now that everything is truly clean, let’s start formatting things!

Formatting the new partitions

We want to create the ESP (UEFI partition) first:

mkfs.vfat -c -F32 -n ESP /dev/sda1

Now we’ll create the boot partition:

mkfs.ext4 -L boot /dev/sda2

Then we create a dummy filesystem for the encrypted swap. This gives us a label and filesystem UUID to refer to later, which is a safer way to address the partition than its /dev/sdX name. The trailing 1M keeps this filesystem within the first mebibyte of the partition:

mkfs.ext2 -L cryptswap /dev/sda3 1M

Finally, we format the big LUKS partition and put Btrfs inside it:

cryptsetup luksFormat /dev/sda4

Now type YES to confirm the wipe, and enter your new passphrase twice. Then unlock the partition and follow these steps:

cryptsetup open /dev/sda4 btrfs
# enter passphrase to continue

mkfs.btrfs /dev/mapper/btrfs
mount /dev/mapper/btrfs /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt
mkdir -p /target
mount /dev/mapper/btrfs -o subvol=@,compress=zstd /target
mkdir -p /target/home
mount /dev/mapper/btrfs -o subvol=@home,compress=zstd /target/home
mkdir -p /target/boot
mount /dev/sda2 /target/boot
mkdir -p /target/boot/efi
mount /dev/sda1 /target/boot/efi

Installing the OS

Now that we have created and mounted all the partitions, we go back to the GUI and hit next. Choose to install the GRUB boot menu on /dev/sda, hit next, verify everything seems correct and proceed to installing.

Make yourself a cup of coffee, maybe have a snack, too.

After the main installation is complete, you’ll get an “Installation Paused” screen. Hit OK and read the instructions.

Now make sure you have internet because we’ll want to run the following commands:

apt update
apt install arch-install-scripts

Once the package is installed, we can run:

genfstab -U /target > /target/etc/fstab

Now we’ll have to edit /target/etc/crypttab so that our encrypted partitions will mount at boot.

First we’ll do:

lsblk -o +label,fstype,UUID

Now look for the UUID next to the partition with the FSTYPE crypto_LUKS and copy it.

nano /target/etc/crypttab

And do something along the lines of:

btrfs    UUID=xxxxxxxxxx    none
swap     LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512

You’ll want to replace xxxxxxxxxx with your UUID, of course, then hit ctrl+s and ctrl+x to save and exit.

Now we want to edit /target/etc/fstab to add our new swap, by adding this line:

/dev/mapper/swap  none   swap    defaults   0       0

Again, hit ctrl+s and then ctrl+x to save and exit.
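
A quick sanity check for the random-key swap entry before continuing. This is an added example, not part of the original guide: the check_crypttab function and the sample entries are constructed for illustration, and it assumes the label filesystem is the 1M ext2 created earlier.

```sh
#!/bin/sh
# Added example, not from the original guide: lint random-key crypttab entries.
# check_crypttab FILE [KEEP_BYTES] prints one finding per line, returns 1 if any.
check_crypttab() {
    keep=${2:-1048576}  # assumed size of the label filesystem (mkfs.ext2 ... 1M)
    awk -v keep="$keep" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $3 != "/dev/urandom" && $3 != "/dev/random" { next }  # passphrase entries
        {
            name = $1; src = $2; opts = $4
            # The mapping gets a fresh key and a new swap area on every boot, so
            # whatever the source resolves to is overwritten: use a stable name.
            if (src !~ /^(LABEL|UUID|PARTLABEL|PARTUUID)=/ && src !~ /^\/dev\/disk\/by-/) {
                printf "%s: random key on unstable device name %s\n", name, src
                bad = 1
            }
            # LABEL=/UUID= live in a filesystem on the partition itself; offset=
            # (512-byte sectors) has to skip it or the first boot destroys the label.
            if (src ~ /^(LABEL|UUID)=/) {
                off = 0
                n = split(opts, o, ",")
                for (i = 1; i <= n; i++)
                    if (o[i] ~ /^offset=[0-9]+$/) off = substr(o[i], 8) + 0
                if (off * 512 < keep) {
                    printf "%s: offset=%d does not cover the %d-byte label filesystem\n", name, off, keep
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the two entries from this guide plus one unsafe variant.
sample=$(mktemp)
cat > "$sample" <<'EOF'
btrfs  UUID=00000000-0000-0000-0000-000000000000  none
swap   LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512
swap2  /dev/sda3        /dev/urandom  swap,cipher=aes-xts-plain64,size=512
EOF
check_crypttab "$sample" || echo "crypttab needs attention"
rm -f "$sample"
```

In the installer session, point it at the real file: check_crypttab /target/etc/crypttab. With the entries from this guide it prints nothing, because offset=2048 sectors is exactly the 1 MiB taken by the dummy filesystem.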

Now go back to the GUI installer and hit “next”, you should see it setting the locale and installing the bootloader and other finishing touches.

When asked to reboot, say yes and pray to the gods that it will run. But if you followed my guide carefully, it should!

Permanently fix MacBook quirk

Note, if you needed intel_iommu=off for it to install, you’ll have to set it again. We’ll fix it permanently in the next step after booting into the system:

sudo nano /etc/default/grub

Look for the lines that begin with GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT and append intel_iommu=off (within the quotes). Then press ctrl+s and ctrl+x.

Now finally run:

sudo update-grub
sudo update-grub2

Reboot, and it should work now, even on the old MacBooks.

Final notes

It may seem daunting, but once complete, you have a decently working and lightweight Linux desktop with proper encryption and subvolumes set up.

I generally recommend installing the elementary-icon-theme and arc-theme for a nicer desktop, but this boils down to taste, of course. I also recommend replacing the default “start menu” with “CinnVIIStarkMenu”, which you can get by right-clicking on the “task bar” (panel) and choosing “applets” and then the “download” tab.
