Bsrgvty

Question

Ubuntu 13.04 installation disk has an option to install Ubuntu encrypted using LUKS. However, there is no option to perform an encrypted installation along-side existing partitions for a dual-boot scenario.

How can I install Ubuntu encrypted alongside another partition from the live disk?

Looking at the cryptroot script, that rejected edit is actually correct. Each line in conf.d/cryptroot is treated the same as another cryptopts argument would be. Is it possible to use the installer without the decrypted partition being a volume group? I've tried and it looks like it won't let me use it without partitions. In my case it's an SSD with 3 partitions: Linux /boot, Linux /, Windows, with swap and /home being on the HDD so really no need for LVM. I'm guessing I'd have to stay with my original idea, which was to use debootstrap from the live CD. — user276047, Apr 29 '14 at 22:32
Useful guide: "How to Setup an Encrypted Ubuntu Installation?", by Gayan at HecticGeek.com - hecticgeek.com/2012/10/… — Aug 1 at 7:57

nachtigall 1697 bronze badges · Accepted Answer · 2019-09-20 06:57:26Z

First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.

This answer has been tested with Ubuntu 13.04.

Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".

Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap, in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3, it will be unencrypted and mounted to /boot (in my example this is /dev/sda4).

In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlight in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, higlighted in the circle to the right:

Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptcherries with a name of your choice.
```
sudo cryptsetup luksFormat /dev/sda3
sudo cryptsetup luksOpen /dev/sda3 cryptcherries
```

Warning: You'll notice that the luksFormat step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv command to monitor the progress:
```
### Only for older releases, e.g. not for 19.04, `pv` is not included in the repo must be added first
# sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
# sudo apt-get update

sudo apt-get install -y pv
sudo sh -c 'exec pv -tprebB 16m /dev/zero >"$1"' _ /dev/mapper/cryptcherries
```
or, if you're doing an offline install and can't easily get pv:
```
sudo dd if=/dev/zero of=/dev/mapper/cryptcherries bs=16M
```

Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgcherries is the name of the volume group, and lvcherriesroot and lvcherriesswap are the names of the logical volumes, you can choose your own.
```
sudo pvcreate /dev/mapper/cryptcherries
sudo vgcreate vgcherries /dev/mapper/cryptcherries
sudo lvcreate -n lvcherriesroot -L 7.5g vgcherries
sudo lvcreate -n lvcherriesswap -L 1g vgcherries
```

Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)
```
sudo mkfs.ext4 /dev/mapper/vgcherries-lvcherriesroot
sudo mkswap /dev/mapper/vgcherries-lvcherriesswap
```

Without rebooting, install Ubuntu using the graphical installer (shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign / to /dev/mapper/vgcherries-lvcherriesroot and /boot to the unencrypted partition created in step 2 (in this example,/dev/sda4).

Once the graphical installer is finished, select "continue testing" and open a terminal.

Find the UUID of the LUKS partitions (/dev/sda3 in this case), you will need it later:

$ sudo blkid /dev/sda3
/dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"

Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:

sudo mount /dev/mapper/vgcherries-lvcherriesroot /mnt
sudo mount /dev/sda4 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
> mount -t proc proc /proc
> mount -t sysfs sys /sys
> mount -t devpts devpts /dev/pts

Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries with the name of the volume group:
```
# <target name> <source device> <key file> <options>
cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries
```

Run the following command in the chrooted environment:
```
update-initramfs -k all -c
```

Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.

Check that you're using the encrypted partition for / by running mount:

$ mount
/dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
/dev/sda4 on /boot type ext3 (rw)
# rest of output cut for brevity

Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:
```
$ swapon -s
Filename Type Size Used Priority
/dev/mapper/vgcherries-lvcherriesswap partition 630780 0 -1
```

Check that you can boot into recovery mode, you don't want to find out later during an emergency that recovery mode doesn't work :)

Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.

I can verify that in 15.04 you can omit steps 11, 13 and 14, and that in fact it may be necessary to omit these steps (as running update-grub in this manner caused my Windows partition to get lost.) — Jun 25 '15 at 1:21
@process91 Looks like the steps changed numbers. Now you need to ommit 12, 14, and 15. — Mar 4 '16 at 17:40
Great guide. Worked first time for Windows 10 with BitLocker and Ubuntu 16.04 omitting steps 12, 14 and 15 here. There were a couple of other stumbling blocks I noticed that could do with clarification, particularly what you select for bootloader partition (it gets installed to an existing EFI partition, but you can probably just select the disk where you're installing Ubuntu, e.g. /dev/sda). Anyone with full editor permissions welcome to copy-paste from my write up: stevenmaude.co.uk/posts/… — Nov 28 '16 at 0:46
@unhammer just edited the answer and deleted a couple of the steps, for those reading through the comments and getting confused. — Jan 18 '17 at 15:47
Author has already taken away old steps 12,14,15. So do NOT skip any steps. Works with Ubuntu Mate 16.04.1. — Feb 19 '17 at 11:22

score 10 · Accepted Answer · 2019-11-08 19:54:26Z

It is possible to create an encrypted dual-boot setup using only the GUI tools of the Ubuntu LiveCD.

Prerequisites

A USB Stick with the 19.04 Ubuntu Installer.

If you have an EFI Mainboard, make sure that the disk is using the GUID Partition table (GPT). Using an MBR disk with this method seems to fail. You can convert a MBR to GPT with Linux tools (gdisk), but you should do an backup first. If you convert the Partition table, you will need to fix the windows boot loader afterwards.

Windows

In the start bar type disk partition and select the first option (opening the disk partition manager from settings).

Shrink your primary partition to your desired Ubuntu size (I just used the default, splitting my 500GB drive into a 240GB Windows OS and 240GB unallocated space).

BIOS

Disable secure boot (if you have bitlocker you will need to renable it to securely boot into windows each time) - this is fine for me since Ubu is my primary OS, just use windoze for gaming.

Ubuntu LiveCD

Finally - Boot into the 19.04 Installer USB

Hit Enter on the default Install Ubuntu option.

When you get to the screen that says Erase entire disk and has some checkboxes, click the Something else (manual partitioning) option. Otherwise you will lose you Windows Data!

Once the disk partition manager loads your disk, you'll have a large unallocated space. Click that and hit the Add button to create partitions.

First, create a 500MB /boot partition (primary, ext4).

Second, with the rest of the space make an encrypted volume. This will create a single LV partition. Modify it to be the selected root / partition. Saying it differently, hit the "change" button on /dev/mapper/sdaX_crypt and set the mount point to /

Then the rest of the installation process will work as usual.

When you boot for the first time, log in, open a terminal, run sudo apt-get update and sudo apt dist-upgrade, reboot and log in again.

A 2GB swap file will be created automatically. If you want an 8GB one instead, read this answer.

In May 2019 this is the preferred answer (seems working since 2012, actually), no command line complication needed. In the partitioning, after creating the physical volume for encryption I didn't see the new /dev/mapper/sdaX_crypt at the top of the list. This guide has screenshots and visualizes partition formatting, it can be helpful: hecticgeek.com/2012/10/… — May 21 at 9:02
Good answer, @Falieson! But, I didn't understand it for the first 14 days and 17 hrs of research I looked at it, so I think I'm going to write my own answer with screenshots. That article posted by @firepol (hecticgeek.com/2012/10/…) was SUPER helpful, and only AFTER following that article did your answer make any sense to me. — Aug 2 at 2:49
Also, I'd like to add next time you should quit using Windows Bitlocker & switch to VeraCrypt. It's Free and Open Source, no cost, & seems to work great with dual boot. My Windows partition is using it, as well as my external hard drives & some local file-based volumes now. Here's a great intro video to VeraCrypt: youtube.com/watch?v=C25VWAGl7Tw, & their downloads page: veracrypt.fr/en/Downloads.html. For Linux-based LUKS encryption on ext4 external drives, however, I'm using the included Ubuntu Disks utility, which has a LUKS encryption checkbox when formatting. — Aug 2 at 2:50

score 5 · Accepted Answer · 2019-07-25 19:13:34Z

First, points why only encrypting the Linux partition may not be secure enough for you:

https://superuser.com/questions/1013944/encrypted-boot-in-a-luks-lvm-ubuntu-installation

https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a

https://www.reddit.com/r/linux/comments/6e5qlz/benefits_of_encrypting_the_boot_partition/

https://unix.stackexchange.com/questions/422860/why-should-we-encrypt-the-system-partition-and-not-only-home

https://www.coolgeeks101.com/howto/infrastructure/full-disk-encryption-ubuntu-usb-detached-luks-header/

https://superuser.com/questions/1324389/how-to-avoid-encrypted-boot-partition-password-prompt-in-lvm-arch-linux

Now on, I followed this tutorial:

https://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive

http://web.archive.org/web/20160402040105/http://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive

On this answer, I am presenting a step by step (with pictures) installation of Linux Mint 19.1 XFCE and Ubuntu 18.04.2, both fully encrypted in a single disk. First I installed Ubuntu 14.04.2 on /dev/sda5 and I did not create the swap partitions because Linux Mint 19.1 and Ubuntu 18.04.2 do not use them, i.e., they use swap files.

Ubuntu 18.04.2 Bionic Beaver

First, insert the Ubuntu installation media and reboot the machine into the Ubuntu live session, then, select Try Ubuntu and open one terminal, then

sudo su -

fdisk /dev/sda, then, create the following partitions

cryptsetup luksFormat /dev/sda5

cryptsetup luksOpen /dev/sda5 sda5_crypt

pvcreate /dev/mapper/sda5_crypt

vgcreate vgubuntu /dev/mapper/sda5_crypt

lvcreate -L10G -n ubuntu_root vgubuntu
- lvcreate -l 100%FREE -n ubuntu_root vgubuntu (optional, instead of running lvcreate -L10G -n ubuntu_root vgubuntu, you can run this lvcreate -l 100%FREE -n ubuntu_root vgubuntu to use your whole disk free space, instead of only 10GB)

Do not close the terminal, and open the distro installer, select Something else and install it with
- /dev/sda1 mounted as /boot partition with ext2 format
- /dev/mapper/vgubuntu-ubuntu_root mounted as / with ext4 format.
- /dev/sda as boot loader installation
- Do not mark anything else

Do not reboot, click on Continue Using Linux, and select the open terminal

mkdir /mnt/newroot

mount /dev/mapper/vgubuntu-ubuntu_root /mnt/newroot

mount -o bind /proc /mnt/newroot/proc

mount -o bind /dev /mnt/newroot/dev

mount -o bind /dev/pts /mnt/newroot/dev/pts

mount -o bind /sys /mnt/newroot/sys

cd /mnt/newroot

chroot /mnt/newroot

mount /dev/sda1 /boot

blkid /dev/sda5 (copy UUID without quotes and use it on the next step)

echo sda5_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab

Create the file /etc/grub.d/40_custom

Edit /etc/default/grub and set
- GRUB_TIMEOUT_STYLE=menu
- GRUB_TIMEOUT=10

update-initramfs -u

update-grub

exit

reboot

After rebooting your computer, select the option Ubuntu and it will correctly ask for your encryption password

After you logged in, run
- sudo apt-get update
- sudo apt-get install gparted

And by opening gparted you will find this

For more detailed instructions, read the original tutorial pointed out on the top of this question or search on google about the usage of these commands.

Linux Mint 19.1 Cinnamon

For the remaining Linux installations, reboot your Ubuntu machine, boot with Mint 19.1 (Live CD) installer, and open a terminal window

sudo su -

cryptsetup luksFormat /dev/sda6

cryptsetup luksOpen /dev/sda6 sda6_crypt

pvcreate /dev/mapper/sda6_crypt

vgcreate vgmint /dev/mapper/sda6_crypt

lvcreate -L10G -n mint_root vgmint
- lvcreate -l 100%FREE -n mint_root vgmint (optional, instead of running lvcreate -L10G -n mint_root vgmint, you can run this lvcreate -l 100%FREE -n mint_root vgmint to use you whole disk free space, instead of only 10GB)

Do not close the terminal, and open the distro installer, select Something else and install it with
- /dev/sda2 mounted as /boot partition with ext2 format
- /dev/mapper/vgmint-mint_root mounted as / with ext4 format.
- /dev/sda2 as boot loader installation (do not select /dev/sda as before)
- Do not mark anything else

Do not reboot, click on Continue Using Linux, and select the open terminal

mkdir /mnt/newroot

mount /dev/mapper/vgmint-mint_root /mnt/newroot

mount -o bind /proc /mnt/newroot/proc

mount -o bind /dev /mnt/newroot/dev

mount -o bind /dev/pts /mnt/newroot/dev/pts

mount -o bind /sys /mnt/newroot/sys

cd /mnt/newroot

chroot /mnt/newroot

mount /dev/sda2 /boot

blkid /dev/sda6 (copy UUID without quotes and use it on the next step)

echo sda6_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab

update-initramfs -u

update-grub

exit

reboot

After rebooting your computer, select the option Linux Mint on /dev/sda2

Then, it will correctly start Mint 19.1 and asked for the encryption password

After you logged in, run
- sudo apt-get update
- sudo apt-get install gparted

And by opening gparted you will find this

Related links:

How can I resize an active LVM partition?

How can I resize an LVM partition? (i.e: physical volume)

https://www.tecmint.com/extend-and-reduce-lvms-in-linux/

Grub chainloader doesn't work with Windows 8

UEFI Booting With Encrypted /boot On Ubuntu 14.04 LTS

I have 1 hard disk on my computer and it had one existing non encrypted Kubuntu 18.04. I've installed second encrypted Kubuntu 18.04 near the first non encrypted Kubuntu based on this. Now both are working well on one hard disk. Thanks for detailed answer. — Apr 22 at 17:41
The part about Linux Mint should be removed from this answer. This part is off-topic, has not been asked by OP, it makes the answer unnecessary long and leads to off-topic follow-up questions like this one. — Jul 25 at 9:11

nachtigall 1697 bronze badges · Accepted Answer · 2019-09-20 06:57:26Z

First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.

This answer has been tested with Ubuntu 13.04.

Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".

Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap, in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3, it will be unencrypted and mounted to /boot (in my example this is /dev/sda4).

In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlight in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, higlighted in the circle to the right:

Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptcherries with a name of your choice.
```
sudo cryptsetup luksFormat /dev/sda3
sudo cryptsetup luksOpen /dev/sda3 cryptcherries
```

Warning: You'll notice that the luksFormat step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv command to monitor the progress:
```
### Only for older releases, e.g. not for 19.04, `pv` is not included in the repo must be added first
# sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
# sudo apt-get update

sudo apt-get install -y pv
sudo sh -c 'exec pv -tprebB 16m /dev/zero >"$1"' _ /dev/mapper/cryptcherries
```
or, if you're doing an offline install and can't easily get pv:
```
sudo dd if=/dev/zero of=/dev/mapper/cryptcherries bs=16M
```

Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgcherries is the name of the volume group, and lvcherriesroot and lvcherriesswap are the names of the logical volumes, you can choose your own.
```
sudo pvcreate /dev/mapper/cryptcherries
sudo vgcreate vgcherries /dev/mapper/cryptcherries
sudo lvcreate -n lvcherriesroot -L 7.5g vgcherries
sudo lvcreate -n lvcherriesswap -L 1g vgcherries
```

Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)
```
sudo mkfs.ext4 /dev/mapper/vgcherries-lvcherriesroot
sudo mkswap /dev/mapper/vgcherries-lvcherriesswap
```

Without rebooting, install Ubuntu using the graphical installer (shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign / to /dev/mapper/vgcherries-lvcherriesroot and /boot to the unencrypted partition created in step 2 (in this example,/dev/sda4).

Once the graphical installer is finished, select "continue testing" and open a terminal.

Find the UUID of the LUKS partitions (/dev/sda3 in this case), you will need it later:

$ sudo blkid /dev/sda3
/dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"

Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:

sudo mount /dev/mapper/vgcherries-lvcherriesroot /mnt
sudo mount /dev/sda4 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
> mount -t proc proc /proc
> mount -t sysfs sys /sys
> mount -t devpts devpts /dev/pts

Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries with the name of the volume group:
```
# <target name> <source device> <key file> <options>
cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries
```

Run the following command in the chrooted environment:
```
update-initramfs -k all -c
```

Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.

Check that you're using the encrypted partition for / by running mount:

$ mount
/dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
/dev/sda4 on /boot type ext3 (rw)
# rest of output cut for brevity

Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:
```
$ swapon -s
Filename Type Size Used Priority
/dev/mapper/vgcherries-lvcherriesswap partition 630780 0 -1
```

Check that you can boot into recovery mode, you don't want to find out later during an emergency that recovery mode doesn't work :)

Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.

I can verify that in 15.04 you can omit steps 11, 13 and 14, and that in fact it may be necessary to omit these steps (as running update-grub in this manner caused my Windows partition to get lost.) — Jun 25 '15 at 1:21
@process91 Looks like the steps changed numbers. Now you need to ommit 12, 14, and 15. — Mar 4 '16 at 17:40
Great guide. Worked first time for Windows 10 with BitLocker and Ubuntu 16.04 omitting steps 12, 14 and 15 here. There were a couple of other stumbling blocks I noticed that could do with clarification, particularly what you select for bootloader partition (it gets installed to an existing EFI partition, but you can probably just select the disk where you're installing Ubuntu, e.g. /dev/sda). Anyone with full editor permissions welcome to copy-paste from my write up: stevenmaude.co.uk/posts/… — Nov 28 '16 at 0:46
@unhammer just edited the answer and deleted a couple of the steps, for those reading through the comments and getting confused. — Jan 18 '17 at 15:47
Author has already taken away old steps 12,14,15. So do NOT skip any steps. Works with Ubuntu Mate 16.04.1. — Feb 19 '17 at 11:22

score 10 · Accepted Answer · 2019-11-08 19:54:26Z

It is possible to create an encrypted dual-boot setup using only the GUI tools of the Ubuntu LiveCD.

Prerequisites

A USB Stick with the 19.04 Ubuntu Installer.

If you have an EFI Mainboard, make sure that the disk is using the GUID Partition table (GPT). Using an MBR disk with this method seems to fail. You can convert a MBR to GPT with Linux tools (gdisk), but you should do an backup first. If you convert the Partition table, you will need to fix the windows boot loader afterwards.

Windows

In the start bar type disk partition and select the first option (opening the disk partition manager from settings).

Shrink your primary partition to your desired Ubuntu size (I just used the default, splitting my 500GB drive into a 240GB Windows OS and 240GB unallocated space).

BIOS

Disable secure boot (if you have bitlocker you will need to renable it to securely boot into windows each time) - this is fine for me since Ubu is my primary OS, just use windoze for gaming.

Ubuntu LiveCD

Finally - Boot into the 19.04 Installer USB

Hit Enter on the default Install Ubuntu option.

When you get to the screen that says Erase entire disk and has some checkboxes, click the Something else (manual partitioning) option. Otherwise you will lose you Windows Data!

Once the disk partition manager loads your disk, you'll have a large unallocated space. Click that and hit the Add button to create partitions.

First, create a 500MB /boot partition (primary, ext4).

Second, with the rest of the space make an encrypted volume. This will create a single LV partition. Modify it to be the selected root / partition. Saying it differently, hit the "change" button on /dev/mapper/sdaX_crypt and set the mount point to /

Then the rest of the installation process will work as usual.

When you boot for the first time, log in, open a terminal, run sudo apt-get update and sudo apt dist-upgrade, reboot and log in again.

A 2GB swap file will be created automatically. If you want an 8GB one instead, read this answer.

In May 2019 this is the preferred answer (seems working since 2012, actually), no command line complication needed. In the partitioning, after creating the physical volume for encryption I didn't see the new /dev/mapper/sdaX_crypt at the top of the list. This guide has screenshots and visualizes partition formatting, it can be helpful: hecticgeek.com/2012/10/… — May 21 at 9:02
Good answer, @Falieson! But, I didn't understand it for the first 14 days and 17 hrs of research I looked at it, so I think I'm going to write my own answer with screenshots. That article posted by @firepol (hecticgeek.com/2012/10/…) was SUPER helpful, and only AFTER following that article did your answer make any sense to me. — Aug 2 at 2:49
Also, I'd like to add next time you should quit using Windows Bitlocker & switch to VeraCrypt. It's Free and Open Source, no cost, & seems to work great with dual boot. My Windows partition is using it, as well as my external hard drives & some local file-based volumes now. Here's a great intro video to VeraCrypt: youtube.com/watch?v=C25VWAGl7Tw, & their downloads page: veracrypt.fr/en/Downloads.html. For Linux-based LUKS encryption on ext4 external drives, however, I'm using the included Ubuntu Disks utility, which has a LUKS encryption checkbox when formatting. — Aug 2 at 2:50

score 5 · Accepted Answer · 2019-07-25 19:13:34Z

First, points why only encrypting the Linux partition may not be secure enough for you:

https://superuser.com/questions/1013944/encrypted-boot-in-a-luks-lvm-ubuntu-installation

https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a

https://www.reddit.com/r/linux/comments/6e5qlz/benefits_of_encrypting_the_boot_partition/

https://unix.stackexchange.com/questions/422860/why-should-we-encrypt-the-system-partition-and-not-only-home

https://www.coolgeeks101.com/howto/infrastructure/full-disk-encryption-ubuntu-usb-detached-luks-header/

https://superuser.com/questions/1324389/how-to-avoid-encrypted-boot-partition-password-prompt-in-lvm-arch-linux

Now on, I followed this tutorial:

https://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive

http://web.archive.org/web/20160402040105/http://www.oxygenimpaired.com/multiple-linux-distro-installs-on-a-luks-encrypted-harddrive

On this answer, I am presenting a step by step (with pictures) installation of Linux Mint 19.1 XFCE and Ubuntu 18.04.2, both fully encrypted in a single disk. First I installed Ubuntu 14.04.2 on /dev/sda5 and I did not create the swap partitions because Linux Mint 19.1 and Ubuntu 18.04.2 do not use them, i.e., they use swap files.

Ubuntu 18.04.2 Bionic Beaver

First, insert the Ubuntu installation media and reboot the machine into the Ubuntu live session, then, select Try Ubuntu and open one terminal, then

sudo su -

fdisk /dev/sda, then, create the following partitions

cryptsetup luksFormat /dev/sda5

cryptsetup luksOpen /dev/sda5 sda5_crypt

pvcreate /dev/mapper/sda5_crypt

vgcreate vgubuntu /dev/mapper/sda5_crypt

lvcreate -L10G -n ubuntu_root vgubuntu
- lvcreate -l 100%FREE -n ubuntu_root vgubuntu (optional, instead of running lvcreate -L10G -n ubuntu_root vgubuntu, you can run this lvcreate -l 100%FREE -n ubuntu_root vgubuntu to use your whole disk free space, instead of only 10GB)

Do not close the terminal, and open the distro installer, select Something else and install it with
- /dev/sda1 mounted as /boot partition with ext2 format
- /dev/mapper/vgubuntu-ubuntu_root mounted as / with ext4 format.
- /dev/sda as boot loader installation
- Do not mark anything else

Do not reboot, click on Continue Using Linux, and select the open terminal

mkdir /mnt/newroot

mount /dev/mapper/vgubuntu-ubuntu_root /mnt/newroot

mount -o bind /proc /mnt/newroot/proc

mount -o bind /dev /mnt/newroot/dev

mount -o bind /dev/pts /mnt/newroot/dev/pts

mount -o bind /sys /mnt/newroot/sys

cd /mnt/newroot

chroot /mnt/newroot

mount /dev/sda1 /boot

blkid /dev/sda5 (copy UUID without quotes and use it on the next step)

echo sda5_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab

Create the file /etc/grub.d/40_custom

Edit /etc/default/grub and set
- GRUB_TIMEOUT_STYLE=menu
- GRUB_TIMEOUT=10

update-initramfs -u

update-grub

exit

reboot

After rebooting your computer, select the option Ubuntu and it will correctly ask for your encryption password

After you logged in, run
- sudo apt-get update
- sudo apt-get install gparted

And by opening gparted you will find this

For more detailed instructions, read the original tutorial pointed out on the top of this question or search on google about the usage of these commands.

Linux Mint 19.1 Cinnamon

For the remaining Linux installations, reboot your Ubuntu machine, boot with Mint 19.1 (Live CD) installer, and open a terminal window

sudo su -

cryptsetup luksFormat /dev/sda6

cryptsetup luksOpen /dev/sda6 sda6_crypt

pvcreate /dev/mapper/sda6_crypt

vgcreate vgmint /dev/mapper/sda6_crypt

lvcreate -L10G -n mint_root vgmint
- lvcreate -l 100%FREE -n mint_root vgmint (optional, instead of running lvcreate -L10G -n mint_root vgmint, you can run this lvcreate -l 100%FREE -n mint_root vgmint to use you whole disk free space, instead of only 10GB)

Do not close the terminal, and open the distro installer, select Something else and install it with
- /dev/sda2 mounted as /boot partition with ext2 format
- /dev/mapper/vgmint-mint_root mounted as / with ext4 format.
- /dev/sda2 as boot loader installation (do not select /dev/sda as before)
- Do not mark anything else

Do not reboot, click on Continue Using Linux, and select the open terminal

mkdir /mnt/newroot

mount /dev/mapper/vgmint-mint_root /mnt/newroot

mount -o bind /proc /mnt/newroot/proc

mount -o bind /dev /mnt/newroot/dev

mount -o bind /dev/pts /mnt/newroot/dev/pts

mount -o bind /sys /mnt/newroot/sys

cd /mnt/newroot

chroot /mnt/newroot

mount /dev/sda2 /boot

blkid /dev/sda6 (copy UUID without quotes and use it on the next step)

echo sda6_crypt UUID=5f22073b-b4ab-4a95-85bb-130c9d3b24e4 none luks > /etc/crypttab

update-initramfs -u

update-grub

exit

reboot

After rebooting your computer, select the option Linux Mint on /dev/sda2

Then, it will correctly start Mint 19.1 and asked for the encryption password

After you logged in, run
- sudo apt-get update
- sudo apt-get install gparted

And by opening gparted you will find this

搜尋此網誌

Bsrgvty

3 Answers
3

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

protected by Community♦ Dec 21 '14 at 18:31

3 Answers
3

3 Answers
3

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

protected by Community♦ Dec 21 '14 at 18:31

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

3 Answers 3

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

protected by Community♦ Dec 21 '14 at 18:31

3 Answers 3

3 Answers 3

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Prerequisites

Windows

BIOS

Ubuntu LiveCD

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

Ubuntu 18.04.2 Bionic Beaver

Linux Mint 19.1 Cinnamon

protected by Community♦ Dec 21 '14 at 18:31

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

3 Answers
3

3 Answers
3

3 Answers
3