Ubuntu – How to Make BIOS/UEFI Flash Drive with Full Disk Encryption

BIOS/UEFI Flash Drive with Full Disk Encryption (18.04)

I have been playing with Paddy Landau's Manual Full System Encryption: https://ubuntuforums.org/showthread.php?t=2399092

Out of the box the script works UEFI only.

With a mkusb base, almost anything BIOS/UEFI is possible.

• Start with a default mkusb Live install to flash drive (4GB or larger).

• Next create a mkusb Persistent install to flash drive using defaults (16GB or larger).

• As soon as mkusb finishes with the persistent install, open gparted and delete sdx4 and sdx5.

• Refer to https://help.ubuntu.com/community/ManualFullSystemEncryption.

• Follow Item 6.4-Detailed process: https://help.ubuntu.com/community/ManualFullSystemEncryption/DetailedProcess.

• Complete Item 4.2.1 Creating new partitions sdx4-system, sdx5-swap* and sdx6-data*.

• Boot the Live USB in UEFI mode.

• Complete Item 4.2.2-Prepare for the Installer, and start the installer.

• Run the installer per item 4.2.3-Install Ubuntu.

At this point the flash drive will be UEFI only.

• Now mount the ESP boot partition and copy ESP/EFI/ubuntu/grub/grub.cfg and overwrite ESP/boot/grub/grub.cfg.

Your Bootable flash drive will now have encrypted system, home and swap files and will boot either BIOS or UEFI.

Notes:

• *Separate home, swap and NTFS partitions are optional.
• Many people recommend against using swap with a bootable USB or SSD for fear of wear.
• The swap partition, if used, can be encrypted using ecryptfs-utils.
• The NTFS partition, if used, can be encrypted using VeraCrypt so that it can be used in both Linux and Windows.
• If there are problems reusing the installer drive on a second encrypted install, confirm /mnt/root/ has been deleted and that the correct UUID for sdx3 has been used in fstab.
• GParted on the encrypted drive may not work.