As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption (on a system that already has Windows installed). Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you do it wrong. The following steps worked on a new Windows-10 laptop.
Boot into Windows. From the start menu, run 'disk management' and shrink the Windows C: partition in order to get at least 20 GB of free space.
Boot the live USB image for Ubuntu or Mint. From a terminal, type
sudo -s for a root shell and start
gparted & to create two partitions:
Remember the partition names, which could be something like
You will setup a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes.
Paste this into the root shell (replace
/dev/null by the correct devices from the previous step):
export pvname=decryp_pv export vgname=decrypvg export boot_part=/dev/null export crypt_part=/dev/null
The following command will create an encrypted volume. Remove the
echo command once you're sure that it will turn the correct partitions into an encrypted volume. You will be asked to confirm and to enter a decryption password. I'd suggest that you pick a password or passphrase that can be entered on a plain Qwerty keyboard.
echo cryptsetup luksFormat $crypt_part
Open the new encrypted volume:
cryptsetup luksOpen $crypt_part $pvname
Create a physical volume. Dangerous! It will do this without asking for confirmation. Double-check the volume name before removing
echo pvcreate /dev/mapper/$pvname
Now create the volumes:
vgcreate $vgname /dev/mapper/$pvname lvcreate -L 4G -n swap $vgname lvcreate -L 24G -n root $vgname lvcreate -l 100%FREE -n home $vgname
Set the swap size to such that the sum of swap space and internal memory is at least 12 GB. (See also AskUbuntu: How much swap.) If you want to be able to hibernate your laptop, you need the swap space to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partion for /home is not strictly necessary, but it will allow you to reinstall Linux without a lengthy restore process.
Start the installer from the USB live image and select “something else”. The logical volumes should be recognized; mark them correctly (mount points / for root and /home for home, format as ext4). The boot device should probably be the system FI partition rather than 'dm-1' (decrypted device).
When the installation has finished, *do not reboot yet*.
Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables
crypt_part again. You can also boot again from the live image and start a new shell again.
First, re-open the encrypted volume (necessary after a reboot):
cryptsetup luksOpen $crypt_part $pvname
Check that it worked:
This should list something like this:
/dev/mapper/decryp_pv: UUID="AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56" TYPE="LVM2_member" /dev/mapper/decrypvg-root: UUID="54209aad-aaa2-4c9c-b871-437621ef4abf" TYPE="ext4" /dev/mapper/decrypvg-swap: UUID="66e8ea45-3b91-4052-ba62-bf87fa4a2f5c" TYPE="swap" /dev/mapper/decrypvg-home: UUID="3d1c14cf-1d41-42c0-957c-3c2d8301378d" TYPE="ext4" /dev/nvme0n1p5: UUID="15eb474f-a144-442a-9f6f-c2d5801b6f32" TYPE="ext4" PARTUUID="8adb0584-4773-47d5-9fd4-dde326602fcb" /dev/nvme0n1p6: UUID="84dc6495-1b73-4f10-adf9-b2ea9b8ee381" TYPE="crypto_LUKS" PARTUUID="6bc89a1e-a017-455a-92f1-92ed52d1404fa"
Now enter the following command, but replace the part within the quotes by the appropriate UUIDs:
For the example above, you'd use
84dc6495-1b73-4f10-adf9-b2ea9b8ee381. Make sure that there are no extra spaces. Then, mount the root and boot directories:
cd / mkdir /t mount /dev/mapper/$vgname-root t mount $boot_part t/boot mount -t proc proc t/proc mount -t sysfs sys t/sys mount -o bind /dev t/dev chroot t
You are now in the filesystem of the newly installed Linux system. Setup crypttab:
echo "$pvname UUID=$uuid_part none luks,tries=10,discard" > /etc/crypttab cat /etc/crypttab
(If you're really paranoid, remove the
discard option.) The output should look similar to this:
decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,tries=10,discard
Setup the boot ramdisk image:
fni=/etc/initramfs-tools/conf.d/cryptroot echo "CRYPTROOT=target=$pvname,source=/dev/disk/by-uuid/$uuid_part" > $fni echo "-- $fni --"; cat $fni; echo "---" update-initramfs -k all -c
And the Grub boot menu. The empty
LINUX_DEFAULT value will cause your system to boot in text mode so that you can see what's going on and possibly why it is not booting.
fng=/etc/default/grub.d/51_customized.cfg cat << EOF > $fng # REMOVED: quiet splash GRUB_CMDLINE_LINUX_DEFAULT="" GRUB_CMDLINE_LINUX="cryptopts=target=$pvname,source=/dev/disk/by-uuid/$uuid_part,lvm=$vgname" EOF echo "-- $fng --"; cat $fng; echo "---" update-grub
update-grub command may give a few warnings about the boot device of the USB live image, which can be ignored.
Leave the chroot environment
umount /t/boot umount /t/proc umount /t/sys umount /t/dev umount /t swapoff -a vgchange -a n /dev/mapper/$vgname cryptsetup close /dev/mapper/$pvname
Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation, you'll get a “MOK” screen for this reboot only.