The EFI System Partition (ESP; what Ubuntu and you refer to as an "EFI boot partition") is not exactly the same as a Linux /boot
partition. The ESP holds EFI boot loaders and associated files. The /boot
directory (or partition, if it's a separate partition) holds the Linux kernel. I'm not a LUKS expert, but presumably the Linux kernel is kept outside of LUKS because that enables the boot loader to read it without having to understand LUKS encryption. In your configuration, /boot
is encrypted, so the boot loader would need to understand encryption in order to work. That could be why it's failed.
In other words, try again, but this time, do create a separate /boot
partition in addition to the ESP.
This is impossible since if the boot volume is encrypted the BIOS / UEFI will be unable to execute the boot sector / boot application.
What you can do though is use the Ubuntu Live Installer to install Ubuntu onto another USB stick as the system disk, with LUKS encryption. The drawback will be that you lose the ability to hibernate because Ubiquity currently creates much too small swap partitions, and also randomizes the encryption key at every start, which obliterates the state of the swap partition.
In the second scenario you will have the boot partition unencrypted, so it can still be tampered with, ie a keylogger could be written into it. You can get around that by signing the boot volume and using Secure Boot, but then you have to talk Microsoft into signing your boot volume or giving you a signing key. Good luck with that.
If you really are worried about keyloggers, then carry your own PC, do not use wireless keyboard/mouse, enable secure boot, boot a LiveCD image which doesn't preserve any state whatsoever, use a VPN to connect a VNC/RDP client over SSL to the machine you actually keep your state with, use a strong, memorable password that you never record anywhere (see https://xkcd.com/936/ for an understanding of what this means.)
That will protect you from physical access, it will protect you from remote access, and it will save you from brute-force. It will be inconvenient since you won't always have network access, you will always have to carry the hardware with you, and you will not be able to get good value from the hardware you are carrying since you're only using it as a thin client, disregarding its additional memory / processing / storage capabilities.
Even all of this won't protect you from a CCTV camera locked on your keyboard while you type, so you will also need to be aware of your surroundings.
It may also run you up a significant mobile data bill.
So unless you really are a very exceptionally fat, juicy target that's likely to be targeted by people who are prepared to invest the resources to hack you, I think you're better off just avoiding using public internet terminals, carrying your own inexpensive device, securing it with LUKS, using a VPN or at least TORBrowser to guarantee your browsing isn't being spied on. Then your biggest worry should be whether you leave your device somewhere and it gets stolen, but no worry over whether they have access to your data.
Best Answer
LUKS or Full Encryption Options in the Installer
Install to USB as you would to HDD. It is recommended that you remove the HDD before proceeding, especially in UEFI mode.
They have done a good job of hiding encryption options in the Live installer. It is located on the install page, just above Something else.
Tag "Erase disk and install Ubuntu" and then click "Advanced features". The Advanced Features popup will popup. Click "Use LVM with the new Ubuntu installation" and then "Encrypt the new Ubuntu installation for security".
Booting in BIOS/UEFI Modes
A USB created with the above method will only boot in the BIOS/UEFI mode it is created in. For a USB that Boots in either mode:
Copy grub.cfg from Partition 5 /boot/grub/ to Partition 1 /boot/grub/ overwriting the existing grub.cfg file.
Re-Install GRUB:
sudo mount /dev/sdb1 /mnt
sudo grub-install --boot-directory=/mnt/boot /dev/sdb
Encrypted Full install USB should now be working in BIOS and UEFI modes.
If you want an encrypted USB drive that will boot in either BIOS or UEFI mode see: How to Make BIOS/UEFI Flash Drive with Full Disk Encryption