The Ubuntu installation disk has an option to install Ubuntu encrypted using LUKS. However, there is no option to perform an encrypted installation alongside existing partitions for a dual-boot scenario.
How can I install Ubuntu encrypted alongside another partition from the live disk?
Best Answer
First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.
This answer has been tested with Ubuntu 13.04.
Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".
Create two partitions using GParted, included in the live disk. The first partition should be unformatted and should be large enough for root and swap; in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3; it will be unencrypted and mounted to /boot (in my example this is /dev/sda4).
In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlighted in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, highlighted in the circle to the right:
Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptcherries with a name of your choice.
Warning: You'll notice that the luksFormat step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv command to monitor the progress:
or, if you're doing an offline install and can't easily get pv:
Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgcherries is the name of the volume group, and lvcherriesroot and lvcherriesswap are the names of the logical volumes; you can choose your own.
Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)
Without rebooting, install Ubuntu using the graphical installer (shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign / to /dev/mapper/vgcherries-lvcherriesroot and /boot to the unencrypted partition created in step 2 (in this example, /dev/sda4).
Once the graphical installer is finished, select "continue testing" and open a terminal.
Find the UUID of the LUKS partition (/dev/sda3 in this case); you will need it later:
Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:
Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries with the name of the volume group:
Run the following command in the chrooted environment:
Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.
Check that you're using the encrypted partition for / by running mount:
Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:
Check that you can boot into recovery mode; you don't want to find out later during an emergency that recovery mode doesn't work :)
Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.
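The two post-reboot checks above (root and swap both on the encrypted volume) can be combined into one script. This is an added example, not part of the original answer; it assumes an lsblk that supports -P and the KNAME, PKNAME, TYPE and MOUNTPOINT columns, and the function name check_encrypted and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer). Reads the output of
#   lsblk -Pno KNAME,PKNAME,TYPE,MOUNTPOINT
# on stdin and reports, for / and every active swap, whether a dm-crypt
# ("crypt") layer sits underneath it. Exit status is 0 only if all of them do.
check_encrypted() {
    awk '
    function field(line, key,    m) {   # value of key="value" in one line
        line = " " line                 # so KNAME does not match inside PKNAME
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub("^ " key "=\"", "", m); sub("\"$", "", m)
        return m
    }
    {
        k = field($0, "KNAME")
        parent[k] = field($0, "PKNAME"); type[k] = field($0, "TYPE")
        mp = field($0, "MOUNTPOINT")
        if (mp == "/" || mp == "[SWAP]") { want[++n] = k; where[n] = mp }
    }
    END {
        bad = (n == 0)                  # no root or swap seen: treat as failure
        for (i = 1; i <= n; i++) {
            enc = 0; hops = 0
            # Walk up the parent chain: LV -> LUKS mapping -> partition -> disk
            for (d = want[i]; d != "" && hops++ < 64; d = parent[d])
                if (type[d] == "crypt") { enc = 1; break }
            printf "%s %s %s\n", (enc ? "ENCRYPTED" : "PLAINTEXT"), where[i], want[i]
            if (!enc) bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the layout from the answer after a correct install.
SAMPLE_OK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"'
# Constructed sample: same, plus an unencrypted swap partition that is active
# (sda5 is assumed here to be the other installation's swap).
SAMPLE_BAD="$SAMPLE_OK
KNAME=\"sda5\" PKNAME=\"sda\" TYPE=\"part\" MOUNTPOINT=\"[SWAP]\""

printf '%s\n' "$SAMPLE_BAD" | check_encrypted || echo "unencrypted root or swap active"
```

On the installed system, feed it live data with `lsblk -Pno KNAME,PKNAME,TYPE,MOUNTPOINT | check_encrypted`; a PLAINTEXT line for [SWAP] usually means /etc/fstab still references a swap partition from the other installation.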