User Tools

Site Tools


Dual boot with encryption (Ubuntu/Linux Mint)

As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption (on a system that already has Windows installed). Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you do it wrong. The following steps worked on a new Windows-10 laptop.

Create partitions

Boot into Windows. From the start menu, run 'disk management' and shrink the Windows C: partition in order to get at least 20 GB of free space.

Boot the live USB image for Ubuntu or Mint. From a terminal, type sudo -s for a root shell and start gparted & to create two partitions:

  1. A boot partition (to be formatted as ext4); at least 300 MB; more if you expect to install a lot of kernel updates without removing the old ones. One kernel update takes about 75 MB.
  2. A second partition, using the rest of the free space. This will be the encrypted partition.

Remember the partition names, which could be something like /dev/nvme0n1p5 or /dev/sdb6.

Setup encrypted volumes

You will setup a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes.

Paste this into the root shell (replace /dev/null by the correct devices from the previous step):

export pvname=decryp_pv
export vgname=decrypvg
export boot_part=/dev/null
export crypt_part=/dev/null

The following command will create an encrypted volume. Remove the echo command once you're sure that it will turn the correct partitions into an encrypted volume. You will be asked to confirm and to enter a decryption password. I'd suggest that you pick a password or passphrase that can be entered on a plain Qwerty keyboard.

echo cryptsetup luksFormat $crypt_part

Open the new encrypted volume:

cryptsetup luksOpen $crypt_part $pvname

Create a physical volume. Dangerous! It will do this without asking for confirmation. Double-check the volume name before removing echo.

echo pvcreate /dev/mapper/$pvname

Now create the volumes:

vgcreate $vgname /dev/mapper/$pvname
lvcreate -L 4G -n swap $vgname
lvcreate -L 24G -n root $vgname
lvcreate -l 100%FREE -n home $vgname

Set the swap size to such that the sum of swap space and internal memory is at least 12 GB. (See also AskUbuntu: How much swap.) If you want to be able to hibernate your laptop, you need the swap space to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partion for /home is not strictly necessary, but it will allow you to reinstall Linux without a lengthy restore process.

Install Linux

Start the installer from the USB live image and select “something else”. The logical volumes should be recognized; mark them correctly (mount points / for root and /home for home, format as ext4). The boot device should probably be the system FI partition rather than 'dm-1' (decrypted device).

When the installation has finished, *do not reboot yet*.

Make your system bootable

Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables pvname, vgname, boot_part, and crypt_part again. You can also boot again from the live image and start a new shell again.

First, re-open the encrypted volume (necessary after a reboot):

cryptsetup luksOpen $crypt_part $pvname

Check that it worked:


This should list something like this:

/dev/mapper/decryp_pv: UUID="AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56" TYPE="LVM2_member"
/dev/mapper/decrypvg-root: UUID="54209aad-aaa2-4c9c-b871-437621ef4abf" TYPE="ext4"
/dev/mapper/decrypvg-swap: UUID="66e8ea45-3b91-4052-ba62-bf87fa4a2f5c" TYPE="swap"
/dev/mapper/decrypvg-home: UUID="3d1c14cf-1d41-42c0-957c-3c2d8301378d" TYPE="ext4"
/dev/nvme0n1p5: UUID="15eb474f-a144-442a-9f6f-c2d5801b6f32" TYPE="ext4" PARTUUID="8adb0584-4773-47d5-9fd4-dde326602fcb"
/dev/nvme0n1p6: UUID="84dc6495-1b73-4f10-adf9-b2ea9b8ee381" TYPE="crypto_LUKS" PARTUUID="6bc89a1e-a017-455a-92f1-92ed52d1404fa"

Now enter the following command, but replace the part within the quotes by the appropriate UUIDs:

export uuid_part="uuid-of-crypto-luks-partition"

For the example above, you'd use 84dc6495-1b73-4f10-adf9-b2ea9b8ee381. Make sure that there are no extra spaces. Then, mount the root and boot directories:

cd /
mkdir /t
mount /dev/mapper/$vgname-root t
mount $boot_part t/boot
mount -t proc proc t/proc
mount -t sysfs sys t/sys
mount -o bind /dev t/dev
chroot t

You are now in the filesystem of the newly installed Linux system. Setup crypttab:

echo "$pvname UUID=$uuid_part none luks,tries=10,discard" > /etc/crypttab
cat /etc/crypttab

(If you're really paranoid, remove the discard option.) The output should look similar to this:

 decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,tries=10,discard

Setup the boot ramdisk image:

echo "CRYPTROOT=target=$pvname,source=/dev/disk/by-uuid/$uuid_part" > $fni
echo "-- $fni --"; cat $fni; echo "---"
update-initramfs -k all -c

And the Grub boot menu. The empty LINUX_DEFAULT value will cause your system to boot in text mode so that you can see what's going on and possibly why it is not booting.

cat << EOF > $fng
# REMOVED: quiet splash 
echo "-- $fng --"; cat $fng; echo "---"

The update-grub command may give a few warnings about the boot device of the USB live image, which can be ignored.

Cleanup and reboot

Leave the chroot environment



umount /t/boot
umount /t/proc
umount /t/sys
umount /t/dev
umount /t
swapoff -a
vgchange -a n /dev/mapper/$vgname
cryptsetup close /dev/mapper/$pvname

Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation, you'll get a “MOK” screen for this reboot only.

dual_boot_with_encryption_ubuntu_linux_mint.txt · Last modified: 2019/08/18 19:17 by hankwang