Ubuntu – LUKS Encryption of NTFS Partition

Tags: 18.04, encryption, luks, ntfs

I'm going to be doing a fresh install of Ubuntu 18.04 on my System76 laptop that currently has one SSD drive installed.

Soon I'll be installing a second SSD on the same laptop that will have Windows 8.1 installed.

I will use Ubuntu 85% of the time. However, I want the Windows install to have easy access (read and write) to my data files (docs, spreadsheets, pics, vids, pdfs).

On the 18.04 install I thought of using the Ubuntu installer default partition set-up with encryption + the addition of an NTFS partition, which would be the biggest partition; that's where I'd put data files. I also want the NTFS partition encrypted.

2 questions:

  1. Does this sound like a good approach?
  2. How will encrypting the NTFS partition with LUKS work? Or does LUKS encrypt the whole drive, not each partition?

Best Answer

Let me answer your questions out of order, first explaining why encrypting your NTFS partition with LUKS is not a good idea.


First, how does LUKS work?

LUKS can be used to encrypt a file (a file container), a partition, or an entire disk. If you let the installer encrypt everything for you, what actually happens is that two partitions are created, a boot partition, and a LUKS encrypted partition that contains the root directory and all of its subdirectories except for /boot and its subdirectories. If you use UEFI, there will be a third EFI partition as well. This means you won't be given an option to create the NTFS partition that you want. This inevitably means you will need to use manual partitioning. This is an involved process and is not exactly as straightforward as you might think. I have written two answers elsewhere about LUKS with manual partitioning (with LVM and without LVM). In your case, you would not want to put your NTFS partition inside any LVM partitions you might create, since Windows would not be able to access the NTFS partition inside an LVM Logical Volume.
To complicate matters further, Windows cannot natively decrypt a LUKS partition, so ultimately you would have to install additional software such as LibreCrypt, but as you can see from the comments in that linked answer, LibreCrypt appears to have been abandoned, so that's probably not a good option. Therefore, while it is fine to encrypt your Linux installation with LUKS, it is probably not wise to use LUKS to encrypt your NTFS partition that will be shared between the Linux and Windows systems.


What might be a better approach?

The question this leaves us with is: how can I encrypt a partition such that both Linux and Windows will be able to decrypt it to access the contained NTFS file system? Once upon a time, I would have recommended TrueCrypt. Of course, development on TrueCrypt came to an abrupt halt, so that is no longer an option. Once it was discontinued, a fork was created known as VeraCrypt, and it is still maintained. VeraCrypt can be installed on both Windows and Linux, enabling access to any given VeraCrypt encrypted partition from both OSs. Being open source, the code is available for public review. VeraCrypt may be your best option.
I doubt that VeraCrypt can be used to encrypt your entire Linux system, but I've never tried, so I won't say it's impossible. If I were attempting to set up a dual-boot system as you have described, here's how I would probably go about it...
Install Ubuntu using manual partitioning as I describe here, but create the following physical partitions on your existing disk.

  • partition 1: EFI (only if you're using UEFI)
  • partition 2: /boot
  • partition 3: LVM (which contains all of your other Linux-only partitions)
  • partition 4: Empty partition -- format doesn't matter -- reserved for encryption with VeraCrypt (in its decrypted state, this will house your NTFS partition)

After you have installed Linux, you can install VeraCrypt and encrypt your last partition with VeraCrypt, choosing NTFS as the contained file system.


I'm not going to claim that this process will be easy. If you attempt this, you may run into some frustrating roadblocks at times, but this is probably the easiest way to accomplish what you want to accomplish with existing encryption technologies that are currently maintained as I write this answer.
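As an added example (not part of the answer above), here is a small POSIX shell pre-flight check for the last step of that layout: it confirms that the partition reserved for VeraCrypt is a plain, unmounted partition that is not an LVM physical volume or a LUKS container, and only then prints the VeraCrypt text-mode command that would create an NTFS-formatted volume on it. The device names, the `lsblk` sample output and the `sda4` choice are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` for the
# layout in the answer: EFI, /boot, an LVM PV holding root/swap, and a
# spare fourth partition (sda4) reserved for VeraCrypt + NTFS.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sda4" TYPE="part" FSTYPE="" MOUNTPOINT=""'

# field KEY LINE -> value of KEY="value" in one lsblk -P line.
# A leading space is prepended so " TYPE=" cannot match inside "FSTYPE=".
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# is_plain_partition NAME TABLE -> 0 only if NAME is a real partition
# (TYPE=part, so not an LVM LV), is not already an LVM PV or LUKS
# container, and is not mounted. Anything else is refused.
is_plain_partition() {
    line=$(printf '%s\n' "$2" | grep "^NAME=\"$1\" ") || return 1
    [ "$(field TYPE "$line")" = "part" ] || return 1
    case "$(field FSTYPE "$line")" in
        LVM2_member|crypto_LUKS) return 1 ;;
    esac
    [ -z "$(field MOUNTPOINT "$line")" ]
}

# The VeraCrypt text-mode command for the answer's last step (hypothetical
# invocation built from documented veracrypt options; not run here).
veracrypt_create_cmd() {
    printf 'veracrypt --text --create /dev/%s --volume-type=normal' "$1"
    printf ' --encryption=AES --hash=SHA-512 --filesystem=NTFS\n'
}

# prepare_shared_partition NAME TABLE: check first, then show the command.
prepare_shared_partition() {
    if ! is_plain_partition "$1" "$2"; then
        echo "refusing: /dev/$1 is not an unmounted plain partition outside LVM/LUKS" >&2
        return 1
    fi
    veracrypt_create_cmd "$1"
}

prepare_shared_partition sda4 "$SAMPLE_LSBLK"
```

On a real machine, replace `SAMPLE_LSBLK` with `$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)` and confirm the option names against `veracrypt --text --help` for your version before running the printed command.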
