This guide shows how to install Ubuntu in a dual boot configuration with encryption and LVM. The method was tested only on Ubuntu 21.10. The behaviour of the installer in earlier or later versions or other flavours of Ubuntu may be different and not work.
Why would you want to do this? If you have an existing Windows installation (or any other OS) that you don’t want to mess with but you also want to install Ubuntu and keep your data encrypted then this might be useful to you. Encryption is essential to avoid your data being easily accessed if your device is lost or stolen and is required to comply with GDPR for anyone handling personal data.
Encryption has its own problems and risks, but this guide is not addressing those. I’m assuming you understand that and just want to know how to do it.
Doesn’t the installer do that anyway, I hear you ask? Well, no. When you fire up the installer you get some options (depending on what is already on the disk):
- Install Ubuntu alongside Windows Boot Manager – lets you shrink the Windows installation and install Ubuntu without encryption.
- Erase disk and install Ubuntu – as it says, but provides options to use LVM and encryption.
- Something else – gives you more control, but does not provide options for LVM and encryption.
If you are installing both Windows and Ubuntu from scratch then consider using the ‘Erase disk’ option and running Windows in a VM.
However, if you want to leave the existing Windows alone and dual boot with encrypted Ubuntu on LVM just using the installer then you’re out of luck. This feature has been requested for several years (and related) but has met stubborn resistance. The basic argument against seems to be that encryption doesn’t solve every problem – which is true, but doesn’t help those wanting or needing encryption.
There are various guides around that achieve this with lots of command line work. The approach here is to use the installer as much as possible and minimize use of the command line.
We are going to follow the results produced by selecting the ‘Erase disk’ option and using LVM and encryption:
- Unencrypted /boot and /boot/efi partitions
- Encrypted partition (LUKS2) used as an LVM Physical Volume
- Two LVM Logical Volumes: one for swap, one for root
Two things that you might question:
- Unencrypted /boot – this is a possible attack vector and other guides show how to encrypt this.
- A swap partition rather than swap file. A test install with ‘Erase disk’ and no LVM or encryption creates a swap file but a test install with ‘Erase disk’ and LVM/encryption creates a swap partition. I haven’t dug into why that is the case. Certainly, if you don’t use LVM then a swapfile is easier to alter than a partition. But if you do use LVM then I’m not clear on the pros and cons of swap file vs swap partition.
However, we’re going to assume this is a reasonable pattern to follow since it is a default one produced by the installer.
Right, enough preamble.
Steps
Do be careful to follow the steps in order.
Make sure you back up any important data. Messing about with partitions, LVM, formatting and encryption provides plenty of opportunities to trash your data! One wrong command and your data is toast. I’d suggest experimenting with this in a throw-away VM first. Your data is your responsibility. What follows are my notes of what worked for me. Use at your own risk.
Follow the installation guide until you get to Step 4. Then select ‘Try Ubuntu’ rather than ‘Install’ so you get a full desktop environment. Once booted, click on the Installer to start the installation.
At Step 6, select ‘Something else’
My system has 4 partitions: EFI and 3 Windows-related ones, which are /dev/nvme0n1p1 to /dev/nvme0n1p4.
We’re going to create two partitions in the free space on the disk: one for /boot, one for encrypted content.
Click on the free space then the + icon. Fill in the details for /boot: size 538MB, use as ext4.
Click OK. This is partition 5.
Click + again and use the rest of the space for the encrypted volume.
- In ‘Use as’ select ‘physical volume for encryption’
- Choose a security key that you can remember! You need this every time you boot.
- I suggest you enable the recovery key. However, the key does not get written to the file it says, so click the eye icon and copy/paste that key into a file called recovery.key. We’ll want this later.
Click OK and it will go off and encrypt the partition. This is partition 6.
Unfortunately the installer does not let us configure logical volumes in this ‘something else’ menu option, but it can install to them if they exist, so we need to resort to the command line to create them. Fortunately, we don’t need to do much.
Leave the Installer as it is. Start a terminal window and copy these lines one by one. If your encrypted partition is not p6 or your device is not nvme0n1 then adjust appropriately!
The previous encryption step created /dev/mapper/nvme0n1p6_crypt. Now create a PV (Physical Volume):
$ sudo pvcreate /dev/mapper/nvme0n1p6_crypt
Create a VG (Volume Group) called vgubuntu on the PV we just created:
$ sudo vgcreate vgubuntu /dev/mapper/nvme0n1p6_crypt
Create a LV (Logical Volume) called swap_1 of size 2GB in the VG vgubuntu:
$ sudo lvcreate --size 2G -n swap_1 vgubuntu
Create another LV called root using all of the free space in the VG vgubuntu:
$ sudo lvcreate -l 100%FREE -n root vgubuntu
Your output should look like this:
Return to the installer and click the ‘back’ button. This causes the installer to re-examine the disks and partitions.
Click the ‘Something else’ option again and you should see the new LVs showing up.
So now we can go ahead and tell it what we want to use:
Select the root LV /dev/mapper/vgubuntu_root. Click Change and configure as Ext4, format and mount as /.
Select the swap LV /dev/mapper/vgubuntu_swap-1. Click Change and select swap.
Select the p5 partition /dev/nvme0n1p5 that we created earlier. Click Change, select ext4, format, mount as /boot.
Note: the existing EFI partition /dev/nvme0n1p1 will automatically be mounted as /boot/efi.
It should look something like this:
Go ahead and click ‘Install Now’. You’ll get a warning like this:
Assuming you are happy with what it says, click ‘Continue’.
The installation will start and ask you things like setting the timezone. STOP. Leave that for now.
Because we used the installer to do the encryption and then used ‘back’, it seems to forget that a file /etc/crypttab needs to be created on the new disk. Fortunately the file is not hard to create, but we need to do it after the installation has started but before it reaches the point where it updates grub.
Open a terminal and run:
$ echo "nvme0n1p6_crypt UUID=$(lsblk /dev/nvme0n1p6 -o UUID -d -n) none luks,discard" > crypttab
Use cat to check the result looks like this (obviously your UUID will be different):
and then copy it to the newly mounted disk:
$ sudo cp crypttab /target/etc/crypttab
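The crypttab line has to be exactly four whitespace-separated fields (mapping name, UUID=..., key file, options), and a typo such as a missing space after the mapping name silently produces an entry that initramfs will not understand. The following POSIX shell helper is an added example, not part of the original guide: it builds the line from the partition UUID, validates the UUID, and checks the field layout before the file is written. It assumes the guide's names (/dev/nvme0n1p6 and nvme0n1p6_crypt) and only reads the disk when that partition actually exists.

```shell
#!/bin/sh
# Added example: build and sanity-check the /etc/crypttab entry for the LUKS
# partition created by the installer. Assumes the guide's device names.

# Print "<name> UUID=<uuid> none luks,discard"; fail if the UUID is malformed.
crypttab_line() {
    name="$1"; uuid="$2"
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s UUID=%s none luks,discard\n' "$name" "$uuid"
}

# Verify a crypttab line has exactly four fields, names the expected mapping,
# points at a UUID= source, uses no key file ("none") and has luks options.
# This catches the classic mistake "nvme0n1p6_cryptUUID=..." (three fields).
check_crypttab_line() {
    line="$1"; expected_name="$2"
    set -- $line                      # split the line into its fields
    [ "$#" -eq 4 ] || return 1
    [ "$1" = "$expected_name" ] || return 1
    case "$2" in UUID=*) ;; *) return 1 ;; esac
    [ "$3" = "none" ] || return 1
    case "$4" in luks*) ;; *) return 1 ;; esac
    return 0
}

# Only touch the disk when the guide's LUKS partition really exists (so this
# script is harmless on any other machine).
DEV=/dev/nvme0n1p6
NAME=nvme0n1p6_crypt
if [ -b "$DEV" ] && [ -e "/dev/mapper/$NAME" ]; then
    uuid=$(lsblk "$DEV" -o UUID -d -n)
    line=$(crypttab_line "$NAME" "$uuid") || { echo "bad UUID: $uuid" >&2; exit 1; }
    check_crypttab_line "$line" "$NAME" || { echo "malformed crypttab line" >&2; exit 1; }
    printf '%s\n' "$line" > crypttab
    cat crypttab                      # then: sudo cp crypttab /target/etc/crypttab
fi
```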
Now return to the installer and continue. You may get an error about setting the recovery key. Just click OK for now.
Wait for the installer to complete. It will ask whether you want to ‘Continue testing’ or ‘Reboot now’. Don’t click either one yet! (When you do, the disks are unmounted.)
Now we’ll deal with the error about setting the recovery key. Assuming you saved the key to the file recovery.key, run the following command:
$ sudo cryptsetup luksAddKey /dev/nvme0n1p6 recovery.key
You will be prompted for an existing passphrase: enter the one you used when first setting up the encrypted device.
You also need to keep a record of that key. I suggest you copy it to the root user’s home directory on the new system for now. Obviously you need to save that somewhere else later so you can use it if you forget your usual passphrase.
$ sudo cp recovery.key /target/root/recovery.key
Now reboot. You should be prompted for your passphrase to unlock the disk and then boot into your shiny new Ubuntu system with LUKS2 encryption and LVM. Remember to save your recovery key somewhere safe.
Summary
The GUI installer offers an option to install Ubuntu with encryption and LVM if the entire disk is used but it does not provide this capability alongside existing installations. However, by using a few simple terminal commands alongside the GUI installer it is possible to overcome this and install Ubuntu on an encrypted partition with LVM independently of any other installations on the disk.