Ubuntu – How to install Ubuntu encrypted with LUKS with dual-boot


The Ubuntu installation disk has an option to install Ubuntu encrypted using LUKS. However, there is no option to perform an encrypted installation along-side existing partitions for a dual-boot scenario.

How can I install Ubuntu encrypted alongside another partition from the live disk?

Best Answer

First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.

This answer has been tested with Ubuntu 13.04.

  1. Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".

  2. Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap, in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3, it will be unencrypted and mounted to /boot (in my example this is /dev/sda4).

    In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlight in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, higlighted in the circle to the right:

    GParted screenshot

  3. Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptcherries with a name of your choice.

    sudo cryptsetup luksFormat /dev/sda3
    sudo cryptsetup luksOpen /dev/sda3 cryptcherries
  4. Warning: You'll notice that the luksFormat step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv command to monitor the progress:

    ### Only for older releases, e.g. not for 19.04, `pv` is not included in the repo must be added first
    # sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
    # sudo apt-get update
    sudo apt-get install -y pv
    sudo sh -c 'exec pv -tprebB 16m /dev/zero >"$1"' _ /dev/mapper/cryptcherries

    or, if you're doing an offline install and can't easily get pv:

    sudo dd if=/dev/zero of=/dev/mapper/cryptcherries bs=16M
  5. Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgcherries is the name of the volume group, and lvcherriesroot and lvcherriesswap are the names of the logical volumes, you can choose your own.

    sudo pvcreate /dev/mapper/cryptcherries
    sudo vgcreate vgcherries /dev/mapper/cryptcherries
    sudo lvcreate -n lvcherriesroot -L 7.5g vgcherries
    sudo lvcreate -n lvcherriesswap -L 1g vgcherries
  6. Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)

    sudo mkfs.ext4 /dev/mapper/vgcherries-lvcherriesroot
    sudo mkswap /dev/mapper/vgcherries-lvcherriesswap
  7. Without rebooting, install Ubuntu using the graphical installer (shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign / to /dev/mapper/vgcherries-lvcherriesroot and /boot to the unencrypted partition created in step 2 (in this example,/dev/sda4).

  8. Once the graphical installer is finished, select "continue testing" and open a terminal.

  9. Find the UUID of the LUKS partitions (/dev/sda3 in this case), you will need it later:

    $ sudo blkid /dev/sda3
    /dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"
  10. Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:

    sudo mount /dev/mapper/vgcherries-lvcherriesroot /mnt
    sudo mount /dev/sda4 /mnt/boot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt
    > mount -t proc proc /proc
    > mount -t sysfs sys /sys
    > mount -t devpts devpts /dev/pts
  11. Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries with the name of the volume group:

    # <target name> <source device> <key file> <options>
    cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries
  12. Run the following command in the chrooted environment:

    update-initramfs -k all -c
  13. Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.

  14. Check that you're using the encrypted partition for / by running mount:

    $ mount
    /dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
    /dev/sda4 on /boot type ext3 (rw)
    # rest of output cut for brevity
  15. Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:

    $ swapon -s
    Filename                              Type      Size   Used Priority
    /dev/mapper/vgcherries-lvcherriesswap partition 630780 0    -1
  16. Check that you can boot into recovery mode, you don't want to find out later during an emergency that recovery mode doesn't work :)

  17. Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.

Related Question