User Tools

Site Tools


dual_boot_with_encryption_ubuntu_linux_mint

Dual boot with encryption (Ubuntu/Linux Mint)

As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption on a system that already has Windows installed. Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you make a mistake. The following steps worked on a new Windows-10 laptop.

Create partitions

Boot into Windows. From the start menu, run 'disk management' and shrink the Windows C: partition in order to get at least 20 GB of free space. Hold the shift key when you click “reboot” and you'll get the option to boot from a USB device. Otherwise you may never see the “Press F8 to select boot device” prompt.

Boot the live USB image for Ubuntu or Mint. From a terminal, type sudo -s for a root shell and start gparted & to create two partitions:

  1. A boot partition (to be formatted as ext4); at least 300 MB; more if you expect to install a lot of kernel updates without removing the old ones. One kernel update takes about 75 MB.
  2. A second partition, using the rest of the free space. This will be the encrypted partition.

Remember the partition names, which could be something like /dev/nvme0n1p5 or /dev/sdb6.

Setup encrypted volumes

You will setup a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes.

Paste this into the root shell (replace /dev/null by the correct device names from the previous step):

export pvname=decryp_pv
export vgname=decrypvg
export boot_part=/dev/null
export crypt_part=/dev/null

The following command will create an encrypted volume. Remove the echo prefix once you're sure that it will turn the correct partitions into an encrypted volume. You will be asked to confirm and to enter a decryption password.

echo cryptsetup luksFormat $crypt_part

If you don't (always) use a US Qwerty keyboard layout: be aware that can't be sure about the keyboard localization at boot time. Pick a password or passphrase that will work on either keyboard layout. Alternatively, add a second passphrase that is what you get if you type the same keystrokes on the wrong layout:

cryptsetup luksAddKey $crypt_part # this is optional

Open the new encrypted volume:

cryptsetup luksOpen $crypt_part $pvname

Create a physical volume. Dangerous! It will do this without asking for confirmation. Double-check the volume name before removing echo.

echo pvcreate /dev/mapper/$pvname

Now create the volumes:

vgcreate $vgname /dev/mapper/$pvname
lvcreate -L 4G -n swap $vgname
lvcreate -L 24G -n root $vgname
lvcreate -l 100%FREE -n home $vgname

Set the swap size to such that the sum of swap space and internal memory is at least 12 GB. (See also AskUbuntu: How much swap.) If you want to be able to hibernate your laptop, you need the swap space to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partion for /home is not strictly necessary, but it will allow you to reinstall Linux in the future without a lengthy restore process.

Install Linux

Start the installer from the USB live image and select “something else”. The logical volumes should be recognized; mark them correctly (mount points / for root and /home for home, format as ext4). The boot device should probably be the system FI partition rather than 'dm-1' (decrypted device).

When the installation has finished, *do not reboot yet*.

Make your system bootable

Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables pvname, vgname, boot_part, and crypt_part again. You can also boot again from the live image and start a fresh root shell.

First, re-open the encrypted volume (this step is necessary after a reboot):

cryptsetup luksOpen $crypt_part $pvname

Check that it worked:

blkid

This should list something like this:

/dev/mapper/decryp_pv: UUID="AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56" TYPE="LVM2_member"
/dev/mapper/decrypvg-root: UUID="54209aad-lots-more-hex-digits" TYPE="ext4"
/dev/mapper/decrypvg-swap: UUID="66e8ea45-lots-more-hex-digits" TYPE="swap"
/dev/mapper/decrypvg-home: UUID="3d1c14cf-lots-more-hex-digits" TYPE="ext4"
/dev/nvme0n1p5: UUID="15eb474f-lots-more-hex-digits" TYPE="ext4" PARTUUID="8adb0584-lots-more-hex-digits"
/dev/nvme0n1p6: UUID="84dc6495-1b73-4f10-adf9-b2ea9b8ee381" TYPE="crypto_LUKS" PARTUUID="6bc89a1e-lots-more-hex-digits"

Now enter the following command, but replace the part within the quotes by the appropriate UUIDs:

export uuid_part="uuid-of-crypto-luks-partition"

For the example above, you'd use 84dc6495-1b73-4f10-adf9-b2ea9b8ee381. Make sure that there are no extra spaces. Then, mount the root and boot directories:

cd /
mkdir /t
mount /dev/mapper/$vgname-root t
mount $boot_part t/boot
mount -t proc proc t/proc
mount -t sysfs sys t/sys
mount -o bind /dev t/dev
chroot t

You are now in the filesystem of the newly installed Linux system. Setup crypttab:

echo "$pvname UUID=$uuid_part none luks,tries=10,discard" > /etc/crypttab
cat /etc/crypttab

(If you're really paranoid, remove the discard option.) The output should look similar to this:

 decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,tries=10,discard

Setup the boot ramdisk image:

fni=/etc/initramfs-tools/conf.d/cryptroot
echo "CRYPTROOT=target=$pvname,source=/dev/disk/by-uuid/$uuid_part" > $fni
echo "-- $fni --"; cat $fni; echo "---"
update-initramfs -k all -c

And the Grub boot menu. The empty LINUX_DEFAULT value will cause your system to boot in text mode so that you can see what's going on and possibly why it is not booting.

fng=/etc/default/grub.d/51_customized.cfg
cat << EOF > $fng
# REMOVED: quiet splash 
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="cryptopts=target=$pvname,source=/dev/disk/by-uuid/$uuid_part,lvm=$vgname"
EOF
echo "-- $fng --"; cat $fng; echo "---"
update-grub

The update-grub command may give a few warnings about the boot device of the USB live image, which can be ignored.

In the future, you can edit 51_customized.cfg again, followed by update-grub to restore the graphical (but rather non-informative) boot screen.

Cleanup and reboot

Leave the chroot environment

exit

Unmount:

umount /t/boot
umount /t/proc
umount /t/sys
umount /t/dev
umount /t
swapoff -a
vgchange -a n /dev/mapper/$vgname
cryptsetup close /dev/mapper/$pvname

Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation, you'll get a “MOK” screen for this reboot only.

Password entry at reboot

If you don't get the password right at the second or later attempt, you may get stuck with a password entry prompt later on in the boot process (observed in Linux Mint 19.3).

dual_boot_with_encryption_ubuntu_linux_mint.txt · Last modified: 2020/05/24 13:01 by hankwang