As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption on a system that already has Windows installed. Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you make a mistake. The following steps worked on a new Windows-10 laptop.
Boot into Windows. From the start menu, run 'disk management' and shrink the Windows C: partition in order to get at least 20 GB of free space. Hold the shift key when you click “reboot” and you'll get the option to boot from a USB device. Otherwise you may never see the “Press F8 to select boot device” prompt.
Boot the live USB image for Ubuntu or Mint. From a terminal, type `sudo -s` for a root shell and start `gparted &` to create two partitions: an unencrypted one that will hold /boot and one that will become the encrypted volume. Remember the partition names, which could be something like /dev/nvme0n1p5 or /dev/sdb6.
You will set up a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes.
Paste this into the root shell (replace /dev/null by the correct device names from the previous step):

```bash
export pvname=decryp_pv
export vgname=decrypvg
export boot_part=/dev/null
export crypt_part=/dev/null
```
The following command will create an encrypted volume. Remove the `echo` prefix once you're sure that it will turn the correct partition into an encrypted volume. You will be asked to confirm and to enter a decryption password.

```bash
echo cryptsetup luksFormat $crypt_part
```
If you don't (always) use a US Qwerty keyboard layout: be aware that you can't be sure about the keyboard localization at boot time. Pick a password or passphrase that will work on either keyboard layout. Alternatively, add a second passphrase that is what you get if you type the same keystrokes on the wrong layout:

```bash
cryptsetup luksAddKey $crypt_part   # this is optional
```
Open the new encrypted volume:

```bash
cryptsetup luksOpen $crypt_part $pvname
```
Create a physical volume. Dangerous! It will do this without asking for confirmation. Double-check the volume name before removing `echo`.

```bash
echo pvcreate /dev/mapper/$pvname
```
Now create the volumes (adjust sizes to taste):

```bash
vgcreate $vgname /dev/mapper/$pvname
lvcreate -L 4G -n swap $vgname
lvcreate -L 24G -n root $vgname
lvcreate -l 100%FREE -n home $vgname
```
Set the swap size such that the sum of swap space and internal memory is at least 12 GB. (See also AskUbuntu: How much swap.) If you want to be able to hibernate your laptop, the swap space needs to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partition for /home is not strictly necessary, but it will allow you to reinstall Linux in the future without a lengthy restore process.
Start the installer from the USB live image and select “something else”. The logical volumes should be recognized. Mark the partitions and volumes as follows:

- the boot partition ($boot_part): mount point /boot, format
- the root logical volume (decrypvg-root): mount point /, format
- the home logical volume (decrypvg-home): mount point /home, format
- boot device: /dev/nvme0n1 or /dev/sda

When the installation has finished, do not reboot yet.
Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables `pvname`, `vgname`, `boot_part`, and `crypt_part` again. You can also boot again from the live image and start a fresh root shell.
First, re-open the encrypted volume (this step is necessary after a reboot):

```bash
cryptsetup luksOpen $crypt_part $pvname
```

Check that it worked:

```bash
blkid | grep ^/dev
```

This should list something like this:

```
/dev/mapper/decryp_pv: UUID="AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56" TYPE="LVM2_member"
/dev/mapper/decrypvg-root: UUID="54209aad-lots-more-hex-digits" TYPE="ext4"
/dev/mapper/decrypvg-swap: UUID="66e8ea45-lots-more-hex-digits" TYPE="swap"
/dev/mapper/decrypvg-home: UUID="3d1c14cf-lots-more-hex-digits" TYPE="ext4"
/dev/nvme0n1p5: UUID="15eb474f-lots-more-hex-digits" TYPE="ext4" PARTUUID="8adb0584-lots-more-hex-digits"
/dev/nvme0n1p6: UUID="84dc6495-1b73-4f10-adf9-b2ea9b8ee381" TYPE="crypto_LUKS" PARTUUID="6bc89a1e-lots-more-hex-digits"
```

Now enter the following command, but replace the part within the quotes by the UUID of the crypto_LUKS partition:

```bash
export uuid_part="uuid-of-crypto-luks-partition"
```

For the example above, you'd use 84dc6495-1b73-4f10-adf9-b2ea9b8ee381. Make sure that there are no extra spaces. Then, mount the root and boot directories:
```bash
cd /
mkdir /t
mount /dev/mapper/$vgname-root t
mount $boot_part t/boot
mount -t proc proc t/proc
mount -t sysfs sys t/sys
mount -o bind /dev t/dev
chroot t
```
You are now in the filesystem of the newly installed Linux system. Set up crypttab:

```bash
echo "$pvname UUID=$uuid_part none luks,tries=10,discard" > /etc/crypttab
cat /etc/crypttab
```

(If you're really paranoid, remove the `discard` option: passing TRIM through to the encrypted device reveals which blocks are unused.) The output should look similar to this:

```
decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,tries=10,discard
```
Set up the boot ramdisk image:

```bash
fni=/etc/initramfs-tools/conf.d/cryptroot
echo "CRYPTROOT=target=$pvname,source=/dev/disk/by-uuid/$uuid_part" > $fni
echo "-- $fni --"; cat $fni; echo "---"
update-initramfs -k all -c
```
And the Grub boot menu. The empty `GRUB_CMDLINE_LINUX_DEFAULT` value will cause your system to boot in text mode so that you can see what's going on and possibly why it is not booting.

```bash
fng=/etc/default/grub.d/51_customized.cfg
cat << EOF > $fng
# REMOVED: quiet splash
GRUB_CMDLINE_LINUX_DEFAULT=""
# On the following line, the part after ,luks should match the options in /etc/crypttab.
GRUB_CMDLINE_LINUX="cryptopts=target=$pvname,source=/dev/disk/by-uuid/$uuid_part,luks,tries=10,discard"
EOF
echo "-- $fng --"; cat $fng; echo "---"
update-grub
```
The `update-grub` command may give a few warnings about the boot device of the USB live image, which can be ignored. In the future, you can edit `51_customized.cfg` again (putting `quiet splash` back), followed by `update-grub`, to restore the graphical (but rather non-informative) boot screen.
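Before leaving the chroot it is worth verifying that the three files written above agree with each other and with the UUID of the LUKS partition, since a mismatch between them is the usual reason the system cannot unlock its root volume at boot. The script below is an added example, not part of the original post: `check_crypt_config`, `opt_value` and `demo` are names chosen here, and `demo` runs the check against constructed copies of the example values instead of the live files.

```sh
# Consistency check for the crypttab / initramfs cryptroot / GRUB chain
# (added example). Pass the real files as
#   check_crypt_config /etc/crypttab /etc/initramfs-tools/conf.d/cryptroot /etc/default/grub.d/51_customized.cfg "$uuid_part"
# Prints the value of option $2 in the comma-separated "k=v" list $1.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}
# check_crypt_config CRYPTTAB CRYPTROOT_CONF GRUB_CONF LUKS_UUID
# Returns 0 when everything agrees, 1 otherwise (one stderr line per mismatch).
check_crypt_config() {
    crypttab=$1; cryptroot=$2; grubcfg=$3; luks_uuid=$4
    rc=0
    # /etc/crypttab: "<target> UUID=<uuid> none <options>" (first non-comment line)
    tab_target=$(awk 'NF && $1 !~ /^#/ {print $1; exit}' "$crypttab")
    tab_uuid=$(awk 'NF && $1 !~ /^#/ {sub(/^UUID=/, "", $2); print $2; exit}' "$crypttab")
    tab_opts=$(awk 'NF && $1 !~ /^#/ {print $4; exit}' "$crypttab")
    # cryptroot: CRYPTROOT=target=<t>,source=/dev/disk/by-uuid/<uuid>
    ir_line=$(sed -n 's/^CRYPTROOT=//p' "$cryptroot")
    ir_target=$(opt_value "$ir_line" target)
    ir_uuid=$(opt_value "$ir_line" source | sed 's|^/dev/disk/by-uuid/||')
    # GRUB: GRUB_CMDLINE_LINUX="cryptopts=target=<t>,source=<dev>,luks,<opts>"
    gr_line=$(sed -n 's/^GRUB_CMDLINE_LINUX="cryptopts=\(.*\)"$/\1/p' "$grubcfg")
    gr_target=$(opt_value "$gr_line" target)
    gr_uuid=$(opt_value "$gr_line" source | sed 's|^/dev/disk/by-uuid/||')
    gr_opts=$(printf '%s\n' "$gr_line" | sed 's/^.*,luks,//')   # part after ",luks,"
    [ "$tab_uuid" = "$luks_uuid" ] || { echo "crypttab UUID $tab_uuid != LUKS UUID $luks_uuid" >&2; rc=1; }
    [ "$ir_uuid" = "$luks_uuid" ] || { echo "initramfs source UUID $ir_uuid != LUKS UUID $luks_uuid" >&2; rc=1; }
    [ "$gr_uuid" = "$luks_uuid" ] || { echo "grub source UUID $gr_uuid != LUKS UUID $luks_uuid" >&2; rc=1; }
    [ "$ir_target" = "$tab_target" ] || { echo "initramfs target $ir_target != crypttab target $tab_target" >&2; rc=1; }
    [ "$gr_target" = "$tab_target" ] || { echo "grub target $gr_target != crypttab target $tab_target" >&2; rc=1; }
    [ "luks,$gr_opts" = "$tab_opts" ] || { echo "grub options luks,$gr_opts != crypttab options $tab_opts" >&2; rc=1; }
    return $rc
}
# Constructed sample files with the guide's example values (not the live
# system files); returns the result of checking them against UUID $1.
demo() {
    d=$(mktemp -d)
    echo 'decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,tries=10,discard' > "$d/crypttab"
    echo 'CRYPTROOT=target=decryp_pv,source=/dev/disk/by-uuid/84dc6495-1b73-4f10-adf9-b2ea9b8ee381' > "$d/cryptroot"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT=""\nGRUB_CMDLINE_LINUX="cryptopts=target=decryp_pv,source=/dev/disk/by-uuid/84dc6495-1b73-4f10-adf9-b2ea9b8ee381,luks,tries=10,discard"\n' > "$d/grub"
    if check_crypt_config "$d/crypttab" "$d/cryptroot" "$d/grub" "$1"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
demo 84dc6495-1b73-4f10-adf9-b2ea9b8ee381 && echo "crypttab, initramfs and grub are consistent"
```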
Leave the chroot environment:

```bash
exit
```

Unmount:

```bash
umount /t/boot
umount /t/proc
umount /t/sys
umount /t/dev
umount /t
swapoff -a
vgchange -a n $vgname          # deactivate the volume group (takes the VG name, not a /dev/mapper path)
cryptsetup close /dev/mapper/$pvname
```
Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation, you'll get a “MOK” screen for this reboot only.
If you don't get the password right at the second or later attempt, you may get stuck with a password entry prompt later on in the boot process (observed in Linux Mint 19.3).