LUKS or Full Encryption Options in the Installer
Install to USB as you would to HDD. It is recommended that you remove the HDD before proceeding, especially in UEFI mode.
They have done a good job of hiding encryption options in the Live installer. It is located on the install page, just above Something else.
Tag "Erase disk and install Ubuntu" and then click "Advanced features". The Advanced Features popup will popup. Click "Use LVM with the new Ubuntu installation" and then "Encrypt the new Ubuntu installation for security".
Booting in BIOS/UEFI Modes
A USB created with the above method will only boot in the BIOS/UEFI mode it is created in. For a USB that Boots in either mode:
- When Install is complete, open the 20.04 ISO file and copy boot and ESP folders to partition 1.
Copy grub.cfg from Partition 5 /boot/grub/ to Partition 1 /boot/grub/ overwriting the existing grub.cfg file.
Re-Install GRUB:
sudo mount /dev/sdb1 /mnt
sudo grub-install --boot-directory=/mnt/boot /dev/sdb
Encrypted Full install USB should now be working in BIOS and UEFI modes.
If you want an encrypted USB drive that will boot in either BIOS or UEFI mode see: How to Make BIOS/UEFI Flash Drive with Full Disk Encryption
EDIT: I misread the original question, but everything still applies. Using /dev/mmcblk0p2 below is for installing to the microSD card. To install to an external SSD/HD the device will likely be /dev/sda2. Use the appropriate device when editing cmdline.txt, crypttab, and booting for the first time via (initramfs).
The latest Ubuntu image includes cryptsetup, so you can convert the "writeable" (root) partition to LUKS using your desktop PC. I began with the 20.10 64-bit Server image.
Prepare your SD card but do not install into the RPi. Keep it on your desktop PC.
Unmount the SD card (/dev/sdc2 is my "writeable" (root) partition - yours may be different).
sudo umount /dev/sdc2
Check the partition... sudo e2fsck -f /dev/sdc2
Shrink the partition... sudo resize2fs -M /dev/sdc2
Encrypt the partition (RPi does not have hardware AES support, Adiantum seems to perform better)...
sudo cryptsetup-reencrypt --new --reduce-device-size=16M --type=luks2 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/sdc2
Decrypt the LUKS partition... sudo cryptsetup luksOpen /dev/sdc2 rootfs
Expand the partition... sudo resize2fs /dev/mapper/rootfs
Mount the partition... sudo mkdir mnt; sudo mount /dev/mapper/rootfs mnt;
Edit etc/crypttab... sudo vim mnt/etc/crypttab
- Add
rootfs /dev/mmcblk0p2 none luks
Edit etc/fstab... sudo vim mnt/etc/fstab
- Change the first line to
/dev/mapper/rootfs / ext4 defaults,noatime 0 0
On the system-boot partition, edit cmdline.txt...
- change
root=LABEL=writable to root=/dev/mapper/rootfs
- remove
splash (so it prompts for the passphrase on boot)
- add
cryptdevice=/dev/mmcblk0p2:sdcard to the end of the line
It should look like this...
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/rootfs rootfstype=ext4 elevator=deadline rootwait fixrtc quiet cryptdevice=/dev/mmcblk0p2:sdcard
Unmount the microSD card and install into the Raspberry Pi. It will fail to boot and enter (initramfs) because initramfs hasn't been updated yet.
Manually decrypt from initramfs... (initramfs) cryptsetup luksOpen /dev/mmcblk0p2 rootfs
Continue booting... (initramfs) exit
Login (ubuntu/ubuntu) and update initramfs... sudo update-initramfs -u
Reboot... sudo reboot
It should reboot, prompt for the passphrase, then start the OS.
Best Answer
This is impossible since if the boot volume is encrypted the BIOS / UEFI will be unable to execute the boot sector / boot application.
What you can do though is use the Ubuntu Live Installer to install Ubuntu onto another USB stick as the system disk, with LUKS encryption. The drawback will be that you lose the ability to hibernate because Ubiquity currently creates much too small swap partitions, and also randomizes the encryption key at every start, which obliterates the state of the swap partition.
In the second scenario you will have the boot partition unencrypted, so it can still be tampered with, ie a keylogger could be written into it. You can get around that by signing the boot volume and using Secure Boot, but then you have to talk Microsoft into signing your boot volume or giving you a signing key. Good luck with that.
If you really are worried about keyloggers, then carry your own PC, do not use wireless keyboard/mouse, enable secure boot, boot a LiveCD image which doesn't preserve any state whatsoever, use a VPN to connect a VNC/RDP client over SSL to the machine you actually keep your state with, use a strong, memorable password that you never record anywhere (see https://xkcd.com/936/ for an understanding of what this means.)
That will protect you from physical access, it will protect you from remote access, and it will save you from brute-force. It will be inconvenient since you won't always have network access, you will always have to carry the hardware with you, and you will not be able to get good value from the hardware you are carrying since you're only using it as a thin client, disregarding its additional memory / processing / storage capabilities.
Even all of this won't protect you from a CCTV camera locked on your keyboard while you type, so you will also need to be aware of your surroundings.
It may also run you up a significant mobile data bill.
So unless you really are a very exceptionally fat, juicy target that's likely to be targeted by people who are prepared to invest the resources to hack you, I think you're better off just avoiding using public internet terminals, carrying your own inexpensive device, securing it with LUKS, using a VPN or at least TORBrowser to guarantee your browsing isn't being spied on. Then your biggest worry should be whether you leave your device somewhere and it gets stolen, but no worry over whether they have access to your data.