dual_boot_with_encryption_ubuntu_linux_mint

Differences

This shows you the differences between two versions of the page.

dual_boot_with_encryption_ubuntu_linux_mint [2019/08/18 19:17]
hankwang tweak commands to work in Mint 19.2
dual_boot_with_encryption_ubuntu_linux_mint [2020/05/24 13:01] (current)
hankwang typo
Line 1: Line 1:
 ======Dual boot with encryption (Ubuntu/​Linux Mint)====== ======Dual boot with encryption (Ubuntu/​Linux Mint)======
-As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption ​(on a system that already has Windows installed). Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you do it wrong. The following steps worked on a new Windows-10 laptop.+As of 2019, the installers for Ubuntu 18.x and Mint 19.1 don't offer an option for a dual-boot system with full-disk encryption on a system that already has Windows installed. Online documentation for how to do this is rather scattered and you're likely to end up with an unbootable laptop if you make a mistake. The following steps worked on a new Windows-10 laptop.
  
 =====Create partitions===== =====Create partitions=====
-Boot into Windows. From the start menu, run 'disk management'​ and shrink the Windows C: partition in order to get at least 20 GB of free space.+Boot into Windows. From the start menu, run 'disk management'​ and shrink the Windows C: partition in order to get at least 20 GB of free space. Hold the shift key when you click "​reboot"​ and you'll get the option to boot from a USB device. Otherwise you may never see the "Press F8 to select boot device"​ prompt.
  
 Boot the live USB image for Ubuntu or Mint. From a terminal, type ''​sudo -s''​ for a root shell and start ''​gparted &''​ to create two partitions: ​ Boot the live USB image for Ubuntu or Mint. From a terminal, type ''​sudo -s''​ for a root shell and start ''​gparted &''​ to create two partitions: ​
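Review bot: the "at least 20 GB of free space" in the shrink step is smaller than what the layout built later needs: ''lvcreate -L 24G -n root'' alone takes 24 GB before swap and the /home volume are added, so the Windows shrink should free at least 24 GB plus the intended swap and /home sizes, and the number here should be updated to match. The added shift+reboot hint is a good fix; holding Shift while clicking Reboot is what reliably gets the reader to the firmware boot-device menu on a Windows 10 machine that never shows the F8 prompt.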
Line 13: Line 13:
 You will setup a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes. You will setup a chain of: disk partition - virtual decrypted physical volume - volume group - logical volumes.
  
-Paste this into the root shell (replace ''/​dev/​null''​ by the correct ​devices ​from the previous step):+Paste this into the root shell (replace ''/​dev/​null''​ by the correct ​device names from the previous step):
   export pvname=decryp_pv   export pvname=decryp_pv
   export vgname=decrypvg   export vgname=decrypvg
   export boot_part=/​dev/​null   export boot_part=/​dev/​null
   export crypt_part=/​dev/​null   export crypt_part=/​dev/​null
-The following command will create an encrypted volume. Remove the ''​echo'' ​command ​once you're sure that it will turn the correct partitions into an encrypted volume. You will be asked to confirm and to enter a decryption password. I'd suggest that you pick a password or passphrase that can be entered on a plain Qwerty keyboard.+The following command will create an encrypted volume. Remove the ''​echo'' ​prefix ​once you're sure that it will turn the correct partitions into an encrypted volume. You will be asked to confirm and to enter a decryption password. ​
   echo cryptsetup luksFormat $crypt_part   echo cryptsetup luksFormat $crypt_part
 +If you don't (always) use a US Qwerty keyboard layout: be aware that can't be sure about the keyboard localization at boot time. Pick a password or passphrase that will work on either keyboard layout. Alternatively,​ add a second passphrase that is what you get if you type the same keystrokes on the wrong layout:
 +  cryptsetup luksAddKey $crypt_part # this is optional
 Open the new encrypted volume: Open the new encrypted volume:
   cryptsetup luksOpen $crypt_part $pvname   cryptsetup luksOpen $crypt_part $pvname
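Review bot: ''cryptsetup luksAddKey $crypt_part'' first prompts for an existing passphrase to unlock a key slot and only then for the new passphrase; the optional-key note should say so, because a reader who has just run luksFormat can easily take the first prompt for the new passphrase. After adding it, ''cryptsetup luksDump $crypt_part'' lists the enabled key slots, which is a quick way to confirm that exactly two slots exist before continuing. The added sentence also reads "be aware that can't be sure" and is missing "you".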
Line 29: Line 31:
   lvcreate -L 24G -n root $vgname   lvcreate -L 24G -n root $vgname
   lvcreate -l 100%FREE -n home $vgname   lvcreate -l 100%FREE -n home $vgname
-Set the swap size to such that the sum of swap space and internal memory is at least 12 GB. (See also [[https://​askubuntu.com/​questions/​49109/​i-have-16gb-ram-do-i-need-32gb-swap|AskUbuntu:​ How much swap]].) If you want to be able to hibernate your laptop, you need the swap space to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partion for /home is not strictly necessary, but it will allow you to reinstall Linux without a lengthy restore process. ​+Set the swap size to such that the sum of swap space and internal memory is at least 12 GB. (See also [[https://​askubuntu.com/​questions/​49109/​i-have-16gb-ram-do-i-need-32gb-swap|AskUbuntu:​ How much swap]].) If you want to be able to hibernate your laptop, you need the swap space to be at least the size of your internal memory, but since Ubuntu/Mint don't support hibernation out of the box, you will need other tweaking as well. A separate partion for /home is not strictly necessary, but it will allow you to reinstall Linux in the future ​without a lengthy restore process. ​
  
 =====Install Linux===== =====Install Linux=====
 Start the installer from the USB live image and select "​something else". The logical volumes should be recognized; mark them correctly (mount points / for root and /home for home, format as ext4). The boot device should probably be the system FI partition rather than '​dm-1'​ (decrypted device). Start the installer from the USB live image and select "​something else". The logical volumes should be recognized; mark them correctly (mount points / for root and /home for home, format as ext4). The boot device should probably be the system FI partition rather than '​dm-1'​ (decrypted device).
-  ​ + 
-When the installation has finished, *do not reboot yet*. +When the installation has finished, ​***do not reboot yet***. 
  
 =====Make your system bootable===== =====Make your system bootable=====
-Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables ''​pvname'',​ ''​vgname'',​ ''​boot_part'',​ and ''​crypt_part''​ again. ​ You can also boot again from the live image and start a new shell again.+Continue in the root shell that you opened before. If you accidentally close it, you need to set the variables ''​pvname'',​ ''​vgname'',​ ''​boot_part'',​ and ''​crypt_part''​ again. ​ You can also boot again from the live image and start a fresh root shell.
  
-First, re-open the encrypted volume (necessary after a reboot):+First, re-open the encrypted volume (this step is necessary after a reboot):
   cryptsetup luksOpen $crypt_part $pvname   cryptsetup luksOpen $crypt_part $pvname
 Check that it worked: Check that it worked:
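Review bot: "Set the swap size to such that" should read "Set the swap size such that", and "partion" should be "partition"; both appear on both sides of the diff, so this revision was a chance to fix them. It would also help to remind the reader here that the swap logical volume lives inside the LUKS container, so the hibernation remark only holds once the container is unlocked early in boot, which is what the crypttab and ramdisk steps below are for.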
Line 45: Line 47:
 This should list something like this: This should list something like this:
   /​dev/​mapper/​decryp_pv:​ UUID="​AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56"​ TYPE="​LVM2_member"​   /​dev/​mapper/​decryp_pv:​ UUID="​AQbmo-XVM3-CmEO-W9TL-QOLV-6XoP-XSaH56"​ TYPE="​LVM2_member"​
-  /​dev/​mapper/​decrypvg-root:​ UUID="​54209aad-aaa2-4c9c-b871-437621ef4abf" TYPE="​ext4"​ +  /​dev/​mapper/​decrypvg-root:​ UUID="​54209aad-lots-more-hex-digits" TYPE="​ext4"​ 
-  /​dev/​mapper/​decrypvg-swap:​ UUID="​66e8ea45-3b91-4052-ba62-bf87fa4a2f5c" TYPE="​swap"​ +  /​dev/​mapper/​decrypvg-swap:​ UUID="​66e8ea45-lots-more-hex-digits" TYPE="​swap"​ 
-  /​dev/​mapper/​decrypvg-home:​ UUID="​3d1c14cf-1d41-42c0-957c-3c2d8301378d" TYPE="​ext4"​ +  /​dev/​mapper/​decrypvg-home:​ UUID="​3d1c14cf-lots-more-hex-digits" TYPE="​ext4"​ 
-  /​dev/​nvme0n1p5:​ UUID="​15eb474f-a144-442a-9f6f-c2d5801b6f32" TYPE="​ext4"​ PARTUUID="​8adb0584-4773-47d5-9fd4-dde326602fcb+  /​dev/​nvme0n1p5:​ UUID="​15eb474f-lots-more-hex-digits" TYPE="​ext4"​ PARTUUID="​8adb0584-lots-more-hex-digits
-  /​dev/​nvme0n1p6:​ UUID="​84dc6495-1b73-4f10-adf9-b2ea9b8ee381"​ TYPE="​crypto_LUKS"​ PARTUUID="​6bc89a1e-a017-455a-92f1-92ed52d1404fa"+  /​dev/​nvme0n1p6:​ UUID="​84dc6495-1b73-4f10-adf9-b2ea9b8ee381"​ TYPE="​crypto_LUKS"​ PARTUUID="​6bc89a1e-lots-more-hex-digits"
 Now enter the following command, but replace the part within the quotes by the appropriate UUIDs: Now enter the following command, but replace the part within the quotes by the appropriate UUIDs:
   export uuid_part="​uuid-of-crypto-luks-partition"​   export uuid_part="​uuid-of-crypto-luks-partition"​
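Review bot: the redaction is inconsistent: every UUID in the blkid sample was shortened to ''lots-more-hex-digits'' except the crypto_LUKS one on /dev/nvme0n1p6, which still appears in full (and again in the crypttab sample further down). Either shorten it as well or keep all of them, otherwise it reads like a value the reader should copy. The instruction above should also state explicitly that ''uuid_part'' takes the UUID= field of the TYPE="crypto_LUKS" line and not its PARTUUID=, since both appear on that line and crypttab is written with UUID=.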
Line 64: Line 66:
   echo "​$pvname UUID=$uuid_part none luks,​tries=10,​discard"​ > /​etc/​crypttab   echo "​$pvname UUID=$uuid_part none luks,​tries=10,​discard"​ > /​etc/​crypttab
   cat /​etc/​crypttab   cat /​etc/​crypttab
-(If you're really paranoid, remove the ''​discard''​ option.) The output should look similar to this:+(If you'​re ​[[https://​security.stackexchange.com/​questions/​68457/​security-implications-when-setting-the-discard-option-in-etc-crypttab|really]] [[https://​askubuntu.com/​questions/​399211/​is-enabling-trim-on-an-encrypted-ssd-a-security-risk|paranoid]], remove the ''​discard''​ option.) The output should look similar to this:
    ​decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,​tries=10,​discard    ​decryp_pv UUID=84dc6495-1b73-4f10-adf9-b2ea9b8ee381 none luks,​tries=10,​discard
 Setup the boot ramdisk image: Setup the boot ramdisk image:
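Review bot: the ''>'' redirect replaces /etc/crypttab wholesale; on a fresh install that is intended, but say so, because on a system that already has an entry it would silently drop it. The discard trade-off deserves one plain sentence rather than two links: with ''discard'' the SSD is told which blocks are free, so the amount and layout of used space inside the encrypted volume is visible to anyone who reads the raw disk, while without it TRIM never reaches the drive and write performance can degrade over time. ''tries=10'' is fine as is; it only sets how many passphrase attempts the boot scripts allow before giving up.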
Line 81: Line 83:
   update-grub   update-grub
 The ''​update-grub''​ command may give a few warnings about the boot device of the USB live image, which can be ignored. The ''​update-grub''​ command may give a few warnings about the boot device of the USB live image, which can be ignored.
 +
 +In the future, you can edit ''​51_customized.cfg''​ again, followed by ''​update-grub''​ to restore the graphical (but rather non-informative) boot screen.
  
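Review bot: the new note names ''51_customized.cfg'' without its directory; give the full path at which the earlier step created it, so a reader coming back months later can find the file. Keeping the text-mode boot screen also has a practical upside worth stating here: the LUKS passphrase prompt and any unlock errors stay visible instead of being hidden behind the graphical splash.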
 =====Cleanup and reboot===== =====Cleanup and reboot=====
Line 95: Line 99:
   cryptsetup close /​dev/​mapper/​$pvname   cryptsetup close /​dev/​mapper/​$pvname
 Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation,​ you'll get a "​MOK"​ screen for this reboot only. Now you can reboot. If you were asked during the installation process to disable secure boot for driver installation,​ you'll get a "​MOK"​ screen for this reboot only.
 +
 +=====Password entry at reboot=====
 +If you don't get the password right at the second or later attempt, you may get stuck with a password entry prompt later on in the boot process (observed in Linux Mint 19.3). ​
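Review bot: ''cryptsetup close /dev/mapper/$pvname'' only succeeds once nothing holds the mapped device; if the logical volumes are still active it fails with a busy-device error, so unless it is already among the lines not shown, ''vgchange -an $vgname'' (after unmounting and swapoff of anything on the volumes) belongs immediately before it. For the MOK screen, tell the reader what to do rather than only that it appears: it expects the password chosen during installation and finishes the Secure Boot change the installer asked for; dismissing it leaves that change undone. The new "Password entry at reboot" paragraph describes the symptom only; document what gets the reader out of the stuck prompt, if that is known.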
dual_boot_with_encryption_ubuntu_linux_mint.1566148657.txt.gz · Last modified: 2019/08/18 19:17 by hankwang