The Ubuntu installation disk has an option to install Ubuntu encrypted using LUKS. However, there is no option to perform an encrypted installation along-side existing partitions for a dual-boot scenario.
How can I install Ubuntu encrypted alongside another partition from the live disk?
First of all, if you want to install Ubuntu encrypted on a hard disk, replacing any existing partitions and operating systems, you can do this directly from the graphical installer. This manual process is only required for dual-booting.
This answer has been tested with Ubuntu 13.04.
Boot from an Ubuntu live DVD or USB stick, and select "Try Ubuntu".
Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap, in my example, this is /dev/sda3
. The second partition should be several hundred megabytes big and formatted in ext2 or ext3, it will be unencrypted and mounted to /boot
(in my example this is /dev/sda4
).
In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1
and /dev/sda5
, highlight in the circle to the left. I have created an unformatted partition in /dev/sda3
and an ext3 partition in /dev/sda4
, intended for the encrypted Ubuntu installation, higlighted in the circle to the right:
Create a LUKS container using these commands. Replace /dev/sda3
with the unformatted partition created earlier, and cryptcherries
with a name of your choice.
sudo cryptsetup luksFormat /dev/sda3
sudo cryptsetup luksOpen /dev/sda3 cryptcherries
Warning: You'll notice that the luksFormat
step completed very quickly, because it doesn't securely erase the underlying block device. Unless you're just experimenting and don't care about security against various types of forensic attack, it is critical to properly initialize the new LUKS container before creating filesystems in it. Writing zeros to the mapped container will cause strong random data to be written to the underlying block device. This can take a while, so it's best to use the pv
command to monitor the progress:
### Only for older releases, e.g. not for 19.04, `pv` is not included in the repo must be added first
# sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
# sudo apt-get update
sudo apt-get install -y pv
sudo sh -c 'exec pv -tprebB 16m /dev/zero >"$1"' _ /dev/mapper/cryptcherries
or, if you're doing an offline install and can't easily get pv
:
sudo dd if=/dev/zero of=/dev/mapper/cryptcherries bs=16M
Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /
, and the second one will be used as swap. vgcherries
is the name of the volume group, and lvcherriesroot
and lvcherriesswap
are the names of the logical volumes, you can choose your own.
sudo pvcreate /dev/mapper/cryptcherries
sudo vgcreate vgcherries /dev/mapper/cryptcherries
sudo lvcreate -n lvcherriesroot -L 7.5g vgcherries
sudo lvcreate -n lvcherriesswap -L 1g vgcherries
Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)
sudo mkfs.ext4 /dev/mapper/vgcherries-lvcherriesroot
sudo mkswap /dev/mapper/vgcherries-lvcherriesswap
Without rebooting, install Ubuntu using the graphical installer (shortcut is on the desktop in Xubuntu 18.04), choosing manual partitioning. Assign /
to /dev/mapper/vgcherries-lvcherriesroot
and /boot
to the unencrypted partition created in step 2 (in this example,/dev/sda4
).
Once the graphical installer is finished, select "continue testing" and open a terminal.
Find the UUID of the LUKS partitions (/dev/sda3
in this case), you will need it later:
$ sudo blkid /dev/sda3
/dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS"
Mount the appropriate devices to the appropriate locations in /mnt
, and chroot into it:
sudo mount /dev/mapper/vgcherries-lvcherriesroot /mnt
sudo mount /dev/sda4 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
> mount -t proc proc /proc
> mount -t sysfs sys /sys
> mount -t devpts devpts /dev/pts
Create a file named /etc/crypttab
in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgcherries
with the name of the volume group:
# <target name> <source device> <key file> <options>
cryptcherries UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=vgcherries
Run the following command in the chrooted environment:
update-initramfs -k all -c
Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.
Check that you're using the encrypted partition for /
by running mount
:
$ mount
/dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
/dev/sda4 on /boot type ext3 (rw)
# rest of output cut for brevity
Check that you're using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:
$ swapon -s
Filename Type Size Used Priority
/dev/mapper/vgcherries-lvcherriesswap partition 630780 0 -1
Check that you can boot into recovery mode, you don't want to find out later during an emergency that recovery mode doesn't work :)
Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments