The Ubuntu 16.04 installer has the option to install full disk encryption using LVM if you are erasing everything on the hard drive. However, if you want to dual boot (use some of the hard drive for Windows, and the rest for Linux) the automated installer won’t allow you to automagically use full disk encryption.
You can still make it work, but have to do a lot of manual work using a terminal from the Live CD environment. Here is a log of what I had to do to get it working for me.
Use gparted to create an ext4 /boot partition (I used 400 MB in size).
Use gparted to create a “physical volume for encryption”
Open a terminal and use the following commands to set up the volume with LUKS encryption, and then create sub-volumes of swap and root. (The directions below assume your encrypted partition is /dev/sda6; change that as needed.)
sudo cryptsetup luksFormat /dev/sda6
You will have to type YES and enter a passphrase twice to encrypt your disk.
sudo cryptsetup luksOpen /dev/sda6 crypt6
You will be asked to re-enter the passphrase above… crypt6 is just a name I picked, you can pick any unique name here instead…
Then we set up LVM inside the encrypted partition with the following commands. I used the name vgpool for my “volume group pool” but you could use any unique name.
sudo pvcreate /dev/mapper/crypt6
sudo vgcreate vgpool /dev/mapper/crypt6
Then we create the swap partition inside (I used 3G for 3 gigs)
sudo lvcreate -L 3G -n swap vgpool
I used the rest of the available space for the /root partition.
sudo lvcreate -n root -l 100%FREE vgpool
Then I formatted both of them…
sudo mkswap /dev/vgpool/swap
sudo mkfs -t ext4 /dev/vgpool/root
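The terminal steps above, collected into one script as an added example (this is not the original post's code). It keeps the post's defaults (/dev/sda6, mapper name crypt6, volume group vgpool, 3G swap) as overridable variables, and adds the two guards you want in front of a destructive luksFormat: refuse if the partition is currently mounted, and refuse if it already carries a LUKS header. It assumes it is run as root from the Live CD, and only touches a disk when RUN_SETUP=1 is set; the guard functions can be sourced and exercised on their own.

```shell
#!/bin/sh
# Added example: LUKS + LVM setup from the post, wrapped with safety guards.
# Assumptions: run as root on the Live CD; device/name/vg/swap size are
# parameters whose defaults match the post (/dev/sda6, crypt6, vgpool, 3G).
set -eu

# Return 0 if DEV appears as a mount source in MOUNTS_FILE (default /proc/mounts).
# Exact match on the first field, so /dev/sda1 does not match /dev/sda10.
device_is_mounted() {
    dev=$1
    mounts_file=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { if (found) exit 0; exit 1 }' "$mounts_file"
}

# Return 0 if DEV already has a LUKS header (so we do not re-format by accident).
device_is_luks() {
    cryptsetup isLuks "$1" 2>/dev/null
}

# DEV: raw partition; NAME: /dev/mapper name; VG: volume group; SWAP_SIZE: e.g. 3G
setup_encrypted_lvm() {
    dev=$1; name=$2; vg=$3; swap_size=$4

    if device_is_mounted "$dev"; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    if device_is_luks "$dev"; then
        echo "refusing: $dev already has a LUKS header; luksOpen it instead" >&2
        return 1
    fi

    cryptsetup luksFormat "$dev"          # prompts for YES and the passphrase twice
    cryptsetup luksOpen "$dev" "$name"    # prompts for the passphrase again

    pvcreate "/dev/mapper/$name"
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -L "$swap_size" -n swap "$vg"
    lvcreate -n root -l 100%FREE "$vg"

    mkswap "/dev/$vg/swap"
    mkfs -t ext4 "/dev/$vg/root"

    # Show the resulting layout before going back to the installer.
    cryptsetup status "$name"
    lvs "$vg"
}

# Only run the destructive part when explicitly asked for.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_encrypted_lvm "${DEV:-/dev/sda6}" "${NAME:-crypt6}" "${VG:-vgpool}" "${SWAP_SIZE:-3G}"
fi
```

Run it as `RUN_SETUP=1 DEV=/dev/sdXN sh setup.sh` after double-checking the device name in gparted; the mounted-device check reads /proc/mounts by default but accepts a file path so it can be tested against a constructed mount table.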
At this point, I was able to go back into the Ubuntu installer and select
“Something else” for the formatting options and use the “change” option to mount the swap and root and boot partitions appropriately and proceed with the install.
You have to tell Linux to mount the encrypted filesystems upon bootup, so before you reboot for the first time at the end of the install, you need to tweak a few config files (inside the chrooted environment) as follows:
Use the “sudo blkid” command to find the UUIDs of your physical partition used for encryption…
(my UUID was for /dev/sda6, which is the physical device used for /dev/mapper/crypt6…)
Add an /etc/crypttab file with an entry to unlock the encrypted partition so the LVM inside it can be mounted.
crypt6 UUID=<myUUIDfoundAbove> none luks
(I verified that /dev/mapper/vgpool-root was being mounted as / and
/dev/mapper/vgpool-swap was being mounted as swap in the fstab file…
as well as the /boot partition.)
Then I had to do some fancy work to get my /dev/sda5 boot partition mounted under the /mnt/root/boot name, and then chroot into /mnt/root, making it my new /,
and update the initramfs image. I also updated the grub install, which may or may not be strictly necessary…
sudo mkdir /mnt/root
sudo mount /dev/mapper/vgpool-root /mnt/root
sudo mount /dev/sda5 /mnt/root/boot
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /dev/pts /mnt/root/dev/pts
sudo mount --bind /proc /mnt/root/proc
sudo mount --bind /sys /mnt/root/sys
sudo mount --bind /run /mnt/root/run
sudo chroot /mnt/root
update-grub
grub-install /dev/sda
update-initramfs -u -k all
#check your work:
lsinitramfs /boot/initrd* | grep cryptsetup
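As an added example covering both the crypttab step and the “check your work” step (not the original post's code): the crypttab entry is derived from blkid output rather than copied by hand, which avoids the confusion between the UUID of the physical partition and that of the mapper device, and the fstab and initramfs checks the post describes are made explicit functions. It assumes it runs inside the chroot (so /etc/crypttab and /etc/fstab are the installed system's files), with mapper name crypt6, volume group vgpool and physical partition /dev/sda6 as in the post; the blkid output and file paths can be supplied as arguments so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example: build the crypttab entry from blkid and verify the boot config.
# Assumptions: run inside the chroot; defaults crypt6 / /dev/sda6 / vgpool as in the post.
set -eu

# Print the UUID of DEV from blkid-style output (argument 2, default: run blkid).
# Selects the line whose first field is "DEV:" and pulls the UUID="..." value;
# the leading space in the pattern keeps PARTUUID="..." from matching.
uuid_for_device() {
    dev=$1
    blkid_out=${2:-$(blkid)}
    printf '%s\n' "$blkid_out" \
      | awk -v d="$dev:" '$1 == d' \
      | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Print the /etc/crypttab entry for mapper NAME backed by physical partition DEV.
crypttab_line() {
    name=$1; dev=$2; blkid_out=${3:-$(blkid)}
    uuid=$(uuid_for_device "$dev" "$blkid_out")
    if [ -z "$uuid" ]; then
        echo "no UUID found for $dev (use the physical partition, not the mapper device)" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Return 0 if FSTAB mounts VG's root LV on / and VG's swap LV as swap.
fstab_uses_lvm() {
    fstab=$1; vg=$2
    grep -Eq "^(/dev/mapper/${vg}-root|/dev/${vg}/root)[[:space:]]+/[[:space:]]" "$fstab" &&
    grep -Eq "^(/dev/mapper/${vg}-swap|/dev/${vg}/swap)[[:space:]]+none[[:space:]]+swap" "$fstab"
}

# Return 0 if every initrd under /boot contains cryptsetup (the post's lsinitramfs check).
initrd_has_cryptsetup() {
    for img in /boot/initrd.img-*; do
        lsinitramfs "$img" | grep -q cryptsetup || return 1
    done
}

# Only modify the system when explicitly asked for.
if [ "${WRITE_CRYPTTAB:-0}" = 1 ]; then
    crypttab_line "${NAME:-crypt6}" "${DEV:-/dev/sda6}" >> /etc/crypttab
    fstab_uses_lvm /etc/fstab "${VG:-vgpool}" \
        || echo "warning: /etc/fstab does not mount ${VG:-vgpool} root/swap" >&2
    update-initramfs -u -k all
    initrd_has_cryptsetup && echo "ok: initramfs contains cryptsetup"
fi
```

Inside the chroot, `WRITE_CRYPTTAB=1 DEV=/dev/sdXN sh check.sh` appends the entry, rebuilds the initramfs and confirms cryptsetup made it in; if `crypttab_line` reports no UUID, the device passed was probably the /dev/mapper name rather than the partition underneath it.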
After all of this work, I was able to reboot and the Linux system would prompt me for the full disk encryption pass-phrase and then boot normally.
The line:
sudo vgpool /dev/mapper/crypt6
should likely be changed to:
sudo vgcreate vgpool /dev/mapper/crypt6
Also, the lvcreate, mkswap, and mkfs commands will also likely need to be prefaced with sudo unless the user is logged in as root.
After chrooting into mock root, do “mount /boot/efi” before performing grub operations.
If the command “update-initramfs -u -k all” gives the error:
W: Possible missing firmware /lib/firmware/i915/kbl_dmc_ver1_01.bin for module i915
then do this (in the chroot session):
$ cd /
$ wget https://01.org/sites/default/files/downloads/intelr-graphics-linux/sklgucver61.tar.bz2 && \
tar xvjf sklgucver61.tar.bz2 && cd skl_guc_ver6_1/ && sudo ./install.sh
$ cd /
$ wget https://01.org/sites/default/files/downloads/intelr-graphics-linux/kbldmcver101.tar.bz2 && \
tar xjvf kbldmcver101.tar.bz2 && cd kbl_dmc_ver1_01/ && sudo ./install.sh
$ cd /
$ sudo update-initramfs -u -k all
You, sir, are AMAZING! Thank you so much for your help. This article worked a treat. Why this is not a standard option is beyond me.
Just one thing though, I updated the crypttab file after chroot, not before. Otherwise it can’t find it.
Arch also pointed that out, I added an “inside the chroot environment” to my post to hopefully give people a hint on that one….
Good tutorial, but I ran into a couple issues:
1) It’s not clear that the /etc/crypttab entry needs to be made **within** the chroot environment (after command “sudo chroot /mnt/root”). Otherwise you will just be editing the /etc/crypttab on your non-persistent installer OS.
2) The line “(my /dev/sda6 used for /dev/mapper/crypt6 was the UUID I needed to know…)” caused a lot of confusion for me. This doesn’t mean “use the UUID for /dev/mapper/crypt6”, it means “use the UUID for the physical device which /dev/mapper/crypt6 lives on”, which in your case is “/dev/sda6”.
Thanks for the comments, I’ve edited my post above to hopefully remove that confusion.
This article is gold! Thanks a lot for writing it.
Do I always have to create a boot partition, regardless whether I already have windows installed?
You will need the boot partition to hold your linux kernel and boot files. (Windows has its own partition that is separate from the linux partitions).
Hello,
I have got Windows 10 installed. Now I am installing Ubuntu 18.04 following this article. May I know what should be chosen for “device for bootloader”?
Thanks.
Usually this is your main hard drive, such as /dev/sda. (Most people have only one, but sometimes people install multiple drives for multiple OS’s). But really, I can’t tell you what your boot device is named, that is something you’ll have to know about your own system as it changes from computer to computer. Please be sure you have full backups (or just don’t care about anything on the disk) before doing any of the above steps.
Pingback: Installing Ubuntu 20.04 on Lenovo X1 Carbon (5th gen) with UEFI Secure Boot | Jay's Technical Talk