How can I install Ubuntu encrypted with LUKS with dual-boot?

Solution 1:

First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.

This answer has been tested with Ubuntu 13.04.

  1. Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".

  2. Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap; in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3; it will be unencrypted and mounted at /boot (in my example this is /dev/sda4).

    In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlighted in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, highlighted in the circle to the right:

    GParted screenshot

  3. Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptcherries with a name of your choice.

    sudo cryptsetup luksFormat /dev/sda3
    sudo cryptsetup luksOpen /dev/sda3 cryptcherries
    
  4. Warning: You'll notice that the luksFormat step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv command to monitor the progress:

    ### Only for older releases (not needed on 19.04): pv is not in the default repo, so universe must be added first
    # sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
    # sudo apt-get update
    
    sudo apt-get install -y pv
    sudo sh -c 'exec pv -tprebB 16m /dev/zero >"$1"' _ /dev/mapper/cryptcherries
    

    or, if you're doing an offline install and can't easily get pv:

    sudo dd if=/dev/zero of=/dev/mapper/cryptcherries bs=16M
    
  5. Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgcherries is the name of the volume group, and lvcherriesroot and lvcherriesswap are the names of the logical volumes; you can choose your own.

    sudo pvcreate /dev/mapper/cryptcherries
    sudo vgcreate vgcherries /dev/mapper/cryptcherries
    sudo lvcreate -n lvcherriesroot -L 7.5g vgcherries
    sudo lvcreate -n lvcherriesswap -L 1g vgcherries
    
  6. Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)

    sudo mkfs.ext4 /dev/mapper/vgcherries-lvcherriesroot
    sudo mkswap /dev/mapper/vgcherries-lvcherriesswap
    
  7. Without rebooting, install Ubuntu using the graphical installer (the shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign / to /dev/mapper/vgcherries-lvcherriesroot and /boot to the unencrypted partition created in step 2 (in this example, /dev/sda4).

  8. Once the graphical installer is finished, select "continue testing" and open a terminal.

  9. Find the UUID of the LUKS partitions (/dev/sda3 in this case), you will need it later:

    $ sudo blkid /dev/sda3
    /dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"
    
  10. Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:

    sudo mount /dev/mapper/vgcherries-lvcherriesroot /mnt
    sudo mount /dev/sda4 /mnt/boot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt
    > mount -t proc proc /proc
    > mount -t sysfs sys /sys
    > mount -t devpts devpts /dev/pts
    
  11. Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries with the name of the volume group:

    # <target name> <source device> <key file> <options>
    cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries
    
  12. Run the following command in the chrooted environment:

    update-initramfs -k all -c
    
  13. Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.

  14. Check that you're using the encrypted partition for / by running mount:

    $ mount
    /dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
    /dev/sda4 on /boot type ext3 (rw)
    # rest of output cut for brevity
    
  15. Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:

    $ swapon -s
    Filename                              Type      Size   Used Priority
    /dev/mapper/vgcherries-lvcherriesswap partition 630780 0    -1
    
  16. Check that you can boot into recovery mode, you don't want to find out later during an emergency that recovery mode doesn't work :)

  17. Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.
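The checks in steps 9, 11, 14 and 15 can be scripted. This is an added verification helper, not code from the original answer: it confirms that the /etc/crypttab entry names the same UUID that blkid reported for the LUKS partition, and that / and the only active swap really sit on the LVM-over-LUKS devices. Command output is passed in as text so it runs offline against the constructed samples below, which reuse the answer's own values.

```shell
#!/bin/sh
# Added verification helper, not part of the original answer: it checks that
# the /etc/crypttab entry from step 11 names the same UUID blkid reported in
# step 9, and that / and swap really sit on the LVM-over-LUKS devices checked
# in steps 14 and 15. Command output is passed in as text, so it runs offline
# against the constructed samples below (values taken from the answer).

# crypttab_uuid_matches CRYPTTAB_TEXT BLKID_LINE: 0 when the UUID= source in the
# first non-comment crypttab entry equals the UUID blkid printed for the device.
crypttab_uuid_matches() {
    ct_uuid=$(printf '%s\n' "$1" | grep -v '^#' | awk '{print $2}' \
              | sed -n 's/^UUID=//p' | head -n 1)
    blk_uuid=$(printf '%s\n' "$2" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    [ -n "$ct_uuid" ] && [ "$ct_uuid" = "$blk_uuid" ]
}

# mounted_on MOUNT_OUTPUT MOUNTPOINT: prints the device mounted at MOUNTPOINT.
mounted_on() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == "on" && $3 == mp { print $1; exit }'
}

# root_is_encrypted MOUNT_OUTPUT VG LV: 0 when / is the LV inside the container.
root_is_encrypted() {
    [ "$(mounted_on "$1" /)" = "/dev/mapper/$2-$3" ]
}

# swap_is_encrypted SWAPON_OUTPUT VG LV: 0 only when the encrypted LV is the
# sole active swap; an extra unencrypted swap from another install fails it.
swap_is_encrypted() {
    devs=$(printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1 }')
    [ "$devs" = "/dev/mapper/$2-$3" ]
}

# Constructed sample output mirroring the answer's values.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries'
SAMPLE_BLKID='/dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"'
SAMPLE_MOUNT='/dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
/dev/sda4 on /boot type ext3 (rw)'
SAMPLE_SWAPON='Filename                              Type      Size   Used Priority
/dev/mapper/vgcherries-lvcherriesswap partition 630780 0    -1'

crypttab_uuid_matches "$SAMPLE_CRYPTTAB" "$SAMPLE_BLKID" && echo "crypttab UUID matches blkid"
root_is_encrypted "$SAMPLE_MOUNT" vgcherries lvcherriesroot && echo "/ is on the encrypted LV"
swap_is_encrypted "$SAMPLE_SWAPON" vgcherries lvcherriesswap && echo "swap is on the encrypted LV"
```

On a real system, feed the functions `cat /etc/crypttab`, `sudo blkid /dev/sda3`, `mount` and `swapon -s` output instead of the samples.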

Solution 2:

It is possible to create an encrypted dual-boot setup using only the GUI tools of the Ubuntu LiveCD.

Prerequisites

  • A USB Stick with the 19.04 Ubuntu Installer.
  • If you have an EFI mainboard, make sure that the disk is using the GUID Partition Table (GPT). Using an MBR disk with this method seems to fail. You can convert MBR to GPT with Linux tools (gdisk), but you should do a backup first. If you convert the partition table, you will need to fix the Windows boot loader afterwards.

Windows

  • In the start bar type disk partition and select the first option (opening the disk partition manager from settings).

  • Shrink your primary partition to your desired Ubuntu size (I just used the default, splitting my 500GB drive into a 240GB Windows OS and 240GB unallocated space).

BIOS

  • Disable secure boot (if you have BitLocker you will need to re-enable it to securely boot into Windows each time) - this is fine for me since Ubu is my primary OS, I just use windoze for gaming.

Ubuntu LiveCD

Finally - Boot into the 19.04 Installer USB

  • Hit Enter on the default Install Ubuntu option.

  • When you get to the screen that says Erase entire disk and has some checkboxes, click the Something else (manual partitioning) option. Otherwise you will lose your Windows data!

Once the disk partition manager loads your disk, you'll have a large unallocated space. Click that and hit the Add button to create partitions.

  • First, create a 500MB /boot partition (primary, ext4).
  • Second, with the rest of the space make an encrypted volume. This will create a single LV partition. Modify it to be the selected root / partition. Saying it differently, hit the "change" button on /dev/mapper/sdaX_crypt and set the mount point to /
  • Then the rest of the installation process will work as usual.

When you boot for the first time, log in, open a terminal, run sudo apt-get update and sudo apt dist-upgrade, reboot and log in again.

A 2GB swap file will be created automatically. If you want an 8GB one instead, read this answer.

Solution 3:

First, some points on why only encrypting the Linux partition may not be secure enough for you:

  1. https://superuser.com/questions/1013944/encrypted-boot-in-a-luks-lvm-ubuntu-installation
  2. https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a
  3. https://www.reddit.com/r/linux/comments/6e5qlz/benefits_of_encrypting_the_boot_partition/
  4. https://unix.stackexchange.com/questions/422860/why-should-we-encrypt-the-system-partition-and-not-only-home
  5. https://www.coolgeeks101.com/howto/infrastructure/full-disk-encryption-ubuntu-usb-detached-luks-header/
  6. https://superuser.com/questions/1324389/how-to-avoid-encrypted-boot-partition-password-prompt-in-lvm-arch-linux

Then, I followed this tutorial:

  1. https://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive
  2. http://web.archive.org/web/20160402040105/http://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive

In this answer, I am presenting a step-by-step (with pictures) installation of Linux Mint 19.1 XFCE and Ubuntu 18.04.2, both fully encrypted on a single disk. First I installed Ubuntu 18.04.2 on /dev/sda5, and I did not create swap partitions because Linux Mint 19.1 and Ubuntu 18.04.2 do not use them, i.e., they use swap files.

Ubuntu 18.04.2 Bionic Beaver

First, insert the Ubuntu installation media and reboot the machine into the Ubuntu live session, then select Try Ubuntu, open a terminal, and run

  1. sudo su -
  2. fdisk /dev/sda, then create the following partitions
    • (screenshot of the partition layout)
  3. cryptsetup luksFormat /dev/sda5
  4. cryptsetup luksOpen /dev/sda5 sda5_crypt
  5. pvcreate /dev/mapper/sda5_crypt
  6. vgcreate vgubuntu /dev/mapper/sda5_crypt
  7. lvcreate -L10G -n ubuntu_root vgubuntu
    • lvcreate -l 100%FREE -n ubuntu_root vgubuntu (optional, instead of running lvcreate -L10G -n ubuntu_root vgubuntu, you can run this lvcreate -l 100%FREE -n ubuntu_root vgubuntu to use your whole disk free space, instead of only 10GB)
  8. Do not close the terminal, and open the distro installer, select Something else and mark the following options
    • /dev/sda1 mounted as /boot partition with ext2 format
    • /dev/mapper/vgubuntu-ubuntu_root mounted as / with ext4 format.
    • /dev/sda as boot loader installation
    • Do not mark anything else
  9. Select Install Now after selecting the above options
  10. Do not reboot, click on Continue Using Linux, and select the open terminal
  11. mkdir /mnt/newroot
  12. mount /dev/mapper/vgubuntu-ubuntu_root /mnt/newroot
  13. mount -o bind /proc /mnt/newroot/proc
  14. mount -o bind /dev /mnt/newroot/dev
  15. mount -o bind /dev/pts /mnt/newroot/dev/pts
  16. mount -o bind /sys /mnt/newroot/sys
  17. cd /mnt/newroot
  18. chroot /mnt/newroot
  19. mount /dev/sda1 /boot
  20. blkid /dev/sda5 (copy UUID without quotes and use it on the next step)
  21. echo sda5_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab
  22. Create the file /etc/grub.d/40_custom
  23. Edit /etc/default/grub and set
    • GRUB_TIMEOUT_STYLE=menu
    • GRUB_TIMEOUT=10
  24. update-initramfs -u
  25. update-grub
  26. exit
  27. reboot
  28. After rebooting your computer, select the option Ubuntu and it will correctly ask for your encryption password
  29. After you logged in, run
    • sudo apt-get update
    • sudo apt-get install gparted
  30. And by opening gparted you will find this

For more detailed instructions, read the original tutorial pointed out at the top of this question, or search on Google for the usage of these commands.


Linux Mint 19.1 Cinnamon

For the remaining Linux installations, reboot your Ubuntu machine, boot with Mint 19.1 (Live CD) installer, and open a terminal window

  1. sudo su -
  2. cryptsetup luksFormat /dev/sda6
  3. cryptsetup luksOpen /dev/sda6 sda6_crypt
  4. pvcreate /dev/mapper/sda6_crypt
  5. vgcreate vgmint /dev/mapper/sda6_crypt
  6. lvcreate -L10G -n mint_root vgmint
    • lvcreate -l 100%FREE -n mint_root vgmint (optional, instead of running lvcreate -L10G -n mint_root vgmint, you can run this lvcreate -l 100%FREE -n mint_root vgmint to use your whole disk free space, instead of only 10GB)
  7. Do not close the terminal, and open the distro installer, select Something else and mark the following options
    • /dev/sda2 mounted as /boot partition with ext2 format
    • /dev/mapper/vgmint-mint_root mounted as / with ext4 format.
    • /dev/sda2 as boot loader installation (do not select /dev/sda as before)
    • Do not mark anything else
  8. Select Install Now after selecting the above options
  9. Do not reboot, click on Continue Using Linux, and select the open terminal
  10. mkdir /mnt/newroot
  11. mount /dev/mapper/vgmint-mint_root /mnt/newroot
  12. mount -o bind /proc /mnt/newroot/proc
  13. mount -o bind /dev /mnt/newroot/dev
  14. mount -o bind /dev/pts /mnt/newroot/dev/pts
  15. mount -o bind /sys /mnt/newroot/sys
  16. cd /mnt/newroot
  17. chroot /mnt/newroot
  18. mount /dev/sda2 /boot
  19. blkid /dev/sda6 (copy UUID without quotes and use it on the next step)
  20. echo sda6_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab
  21. update-initramfs -u
  22. update-grub
  23. exit
  24. reboot
  25. After rebooting your computer, select the option Linux Mint on /dev/sda2
  26. Then, it will correctly start Mint 19.1 and ask for the encryption password
  27. After you logged in, run
    • sudo apt-get update
    • sudo apt-get install gparted
  28. And by opening gparted you will find this

Related links:

  1. How can I resize an active LVM partition?
  2. How can I resize an LVM partition? (i.e: physical volume)
  3. https://www.tecmint.com/extend-and-reduce-lvms-in-linux/
  4. Grub chainloader doesn't work with Windows 8
  5. UEFI Booting With Encrypted /boot On Ubuntu 14.04 LTS