How to Make BIOS/UEFI Flash Drive with Full Disk Encryption

Solution 1:

BIOS/UEFI Flash Drive with Full Disk Encryption (18.04)

I have been playing with Paddy Landau's Manual Full System Encryption: https://ubuntuforums.org/showthread.php?t=2399092

Out of the box, the script works in UEFI mode only.

With a mkusb base, almost anything BIOS/UEFI is possible.

  • Start with a default mkusb Live install to flash drive (4GB or larger).

  • Next create a mkusb Persistent install to flash drive using defaults (16GB or larger).

  • As soon as mkusb finishes with the persistent install, open gparted and delete sdx4 and sdx5.

  • Refer to https://help.ubuntu.com/community/ManualFullSystemEncryption.

  • Follow Item 6.4-Detailed process: https://help.ubuntu.com/community/ManualFullSystemEncryption/DetailedProcess.

  • Complete Item 4.2.1 Creating new partitions sdx4-system, sdx5-swap* and sdx6-data*.

  • Boot the Live USB in UEFI mode.

  • Complete Item 4.2.2-Prepare for the Installer, and start the installer.

  • Run the installer per item 4.2.3-Install Ubuntu.

At this point the flash drive will be UEFI only.


  • Now mount the ESP boot partition and copy ESP/EFI/ubuntu/grub/grub.cfg over ESP/boot/grub/grub.cfg, overwriting it.

Your Bootable flash drive will now have encrypted system, home and swap files and will boot either BIOS or UEFI.

Notes:

  • *Separate home, swap and NTFS partitions are optional.
  • Many people recommend against using swap with a bootable USB or SSD for fear of wear.
  • The swap partition, if used, can be encrypted using ecryptfs-utils.
  • The NTFS partition, if used, can be encrypted using VeraCrypt so that it can be used in both Linux and Windows.
  • If there are problems reusing the installer drive on a second encrypted install, confirm /mnt/root/ has been deleted and that the correct UUID for sdx3 has been used in fstab.
  • GParted on the encrypted drive may not work.

Solution 2:

Encrypted 20.04 Full Install USB that Boots BIOS and UEFI Modes

Ubuntu 20.04 makes full disk encryption easy.

  • Unplug HDD

  • Boot Live USB in BIOS/Legacy mode, insert Target drive.

  • Start Install Ubuntu 20.04 LTS.

  • Select Language, Keyboard, Wireless, Normal Installation, Install third Party...

  • At Installation type, tag "Erase disk and install Ubuntu" and then select "Advanced features". Click "Use LVM with the new Ubuntu installation" and then "Encrypt the new Ubuntu installation for security".


  • Choose a security key. Overwrite empty disk space if inclined.

  • Select Country, then User name and Password.

  • When installation completes, the drive will boot encrypted in BIOS mode.

  • Open the 20.04 ISO file and copy boot and EFI folders to partition 1.


  • Copy grub.cfg from Partition 5 /boot/grub/ to Partition 1 /boot/grub/ overwriting the existing grub.cfg.

  • Re-Install GRUB:

    sudo mount /dev/sdx1 /mnt
    sudo grub-install --boot-directory=/mnt/boot /dev/sdx

Encrypted Full install USB should now boot in both BIOS and UEFI modes.

[Image: contents of the sdx1/boot/grub/ folder after reinstalling GRUB. The sdx1/EFI/boot folder will only contain three files.]
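
A post-install check for either solution above, as an added example that is not part of the original answers: it confirms that the partition you expect to be encrypted really carries a LUKS header, and that the two grub.cfg copies are byte-identical after the copy step. The function names and the three command-line arguments are assumptions of this example; reading a block device needs root.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): verify the finished USB.
# Usage (paths are placeholders, substitute your own):
#   sudo ./check-usb.sh /dev/sdxN <source grub.cfg> <copied grub.cfg>

# Print the LUKS version (1 or 2) of a device or image file.
# Both LUKS1 and LUKS2 headers start with the magic bytes "LUKS" 0xBA 0xBE
# followed by a big-endian 16-bit version. Returns 1 if no header is found.
luks_version() {
    local hdr
    hdr=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Succeed only if both grub.cfg files exist and are byte-identical,
# i.e. the BIOS and UEFI boot paths load the same menu configuration.
grub_cfg_in_sync() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Run the checks only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    if v=$(luks_version "$1"); then
        echo "OK:   $1 has a LUKS$v header"
    else
        echo "WARN: $1 has no LUKS header, the partition is not encrypted"
    fi
    if grub_cfg_in_sync "$2" "$3"; then
        echo "OK:   grub.cfg copies match"
    else
        echo "WARN: grub.cfg copies differ or one is missing"
    fi
fi
```

The boot partition and ESP stay unencrypted in both layouts, so only the system, home and swap partitions are expected to pass the LUKS check.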