Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save luispabon/db2c9e5f6cc73bb37812a19a40e137bc to your computer and use it in GitHub Desktop.
Save luispabon/db2c9e5f6cc73bb37812a19a40e137bc to your computer and use it in GitHub Desktop.
Ubuntu + Windows 10 dualboot with LUKS encryption
  • Based on https://gist.github.com/mdziekon/221bdb597cf32b46c50ffab96dbec08a
  • Installation date: 16-08-2019
  • Additional notes based on my own experience
  • EFI boot
  • Ubuntu 19.04 -> 21.04
  • This should work on any computer. Only the RAID > AHCI change described below and the device name for the nvme ssd drive are specific to this laptop.
  • The process describes a completely fresh installation with complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled) as long as Windows already boots with EFI.
  • The process was conducted on Dell's XPS 15 9560 (2017) with specs:
    • CPU: i7-7700HQ
    • Screen: 4K with Touch
    • RAM: 32 GB
    • Drive: 1TB nvme ssd
    • Windows 10 Pro license
    • BIOS version: 1.16.0
      • Suprisingly, Ubuntu's update manager supports BIOS updates out of the box (make sure you're connected to power then run sudo fwupdmgr refresh; sudo fwupdmgr update)
  • My installation did not require to disable TPM nor Secure Boot

Re-installation

If you're re-installing your system and have no need to re-shuffle your partitions, you can jump directly to 4.3.b (the luksOpen command). Just make sure you re-format all your partitions except for EFI (and perhaps /home, if like myself you have one).

1. Installation media

You'll need to boot first into a ubuntu installation disk (to use gparted to partition your drive), then boot into the windows installation media (to install windows) then back again the ubuntu media (to install ubuntu). So you're going to need to prep either 2 different installation medias (eg usb sticks or DVDs or whatever), or you'll need a second computer to keep overwritting the same usb stick.

  1. Create Windows installation USB stick
    • Download .ISO file from Microsoft's webpage
    • Create bootable USB using WoeUSB - do not use Startup Disk Creator utility or the Disks app, won't work for Windows installation media)
  2. Create Ubuntu installation USB stick
    • Download .ISO file from Ubuntu's webpage
    • Create bootable USB using "whatever" (gnome disks or Startup Disk Creator utility)
  3. Go to BIOS (F2) and switch from SSD's "RAID" to "AHCI" mode on some laptop models (like XPS 9560)

2. Partitioning

Important: There's currently no easy way to make grub work with an encrypted partition. Make sure /boot and /boot/EFI are their own partitions and left unencrypted.

  1. Boot into an ubuntu live cd session
  2. Open gparted
  3. Delete all partitions on disk
  4. Create GPT partition table: device > new partition table > choose GPT (this is required for EFI)
  5. Create the following:
    1. 550MiB FAT32 (label EFI - label is for our own benefit, doesn't actually mark this partition as EFI)
    2. 550MiB EXT4 (for Linux boot)
    3. Create your windows partitions as NTFS
    4. Leave enough unallocated space for Ubuntu. Don't create a partition here yet - Windows needs to automatically create an additional 16MiB partition during installation. Dunno what it is for tbh.
  6. Apply changes
  7. Right click on the FAT32 partition you created for EFI partition above > manage flags. Set esp (boot might auto-check itself too). This will mark the partition to use as EFI by both Windows and Ubuntu installations. You might need to apply changes again.

3. Install Windows

  1. Boot from the windows usb pendrive
  2. Install Windows on whatever partition you created earlier
  3. Windows is done at this point - you could go in and setup windows (encryption, drivers, etc) but I'd recommend to set up ubuntu first - the process, if done wrong, can potentially bork your set up and you'll need to start again.

4. Install Ubuntu

  1. Boot into ubuntu live cd session

  2. Open gparted, create a single ext4 partition with unallocated space. This will be for lvm/luks. The filesystem does not matter, we simply need to create a partition here so that it's allocated a device node and shows in /dev).

  3. Create LUKS container on this partition (assuming the partition device is /dev/nvme0n1p5):

    # Note luksFormat and luksOpen are case sensitive
    ~ sudo cryptsetup luksFormat /dev/nvme0n1p5
    ~ sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive
    
    # Optional, rewrite the whole of cryptdrive with crap to ensure no data from before partitioning remains. Took 2h on my 652 GiB partition on an nvme drive
    ~ sudo dd if=/dev/zero of=/dev/mapper/cryptdrive bs=16M
  4. Create LVM physical volume, a volume group & logical volumes:

    • Volumes are sized as follows (example, you should create as many partitions as you need):
      • OS drive: 60GB
      • Swap: 16GB
      • Home: rest
    • Commands (add extra lvcreate steps if you have more partitions):
    ~ sudo pvcreate /dev/mapper/cryptdrive
    ~ sudo vgcreate vglinux /dev/mapper/cryptdrive
    ~ sudo lvcreate -n root -L 60g vglinux
    ~ sudo lvcreate -n swap -L 16g vglinux
    ~ sudo lvcreate -n home -l 100%FREE vglinux
  5. Start the installation process using GUI:

    • Connect to WiFi network
    • When asked what to do with the disk, pick the option that allows you to manually repartition stuff (IIRC it was labelled Something else on 19.04 installer):
      • Pick /dev/mapper/vglinux-root as ext4 FS & mount it to /
      • Pick /dev/mapper/vglinux-home as ext4 FS & mount it to /home
      • Pick /dev/mapper/vglinux-swap as swap
      • Do the same as above if you have extra partitions
      • Pick /dev/nvme0n1p2 (created on step 2.5.1) as ext4 FS & mount it to /boot
        • Without doing this, installation will fail when configuring GRUB
      • Pick "boot drive" (the select list at the bottom, this is where GRUB goes) and assign it to /dev/nvme0n1p2 or /dev/nvem0n1
    • Proceed with the installation
  6. After GUI installation completes, stay within the Live USB environment

  7. Check the UUID of the LUKS drive:

    • sudo blkid /dev/nvme0n1p5
    • Example output:
      • /dev/nvme0n1p5: UUID="abcdefgh-1234-5678-9012-abcdefghijklm" TYPE="crypto_LUKS"
  8. Mount root & boot drives and chroot into the main mount:

    ~ sudo mount /dev/mapper/vglinux-root /mnt
    ~ sudo mount /dev/nvme0n1p2 /mnt/boot
    ~ sudo mount --bind /dev /mnt/dev
    ~ sudo chroot /mnt
    ~ mount -t proc proc /proc
    ~ mount -t sysfs sys /sys
    ~ mount -t devpts devpts /dev/pts
  9. In chroot env, configure crypttab allowing to boot Ubuntu with Encryption unlocker

    • sudo nano /etc/crypttab:
      # <target name> <source device> <key file> <options>
      # options used:
      #     luks    - specifies that this is a LUKS encrypted device
      #     tries=0 - allows to re-enter password unlimited number of times
      #     discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab")
      #     loud    - display all warnings
      cryptdrive UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,tries=0,discard,loud
      
    • update-initramfs -k all -c
  10. Reboot into Ubuntu

5. Ubuntu Tweaks for XPS 9560

  1. XPS 9560 doesn't really need any workarounds or acpi boot options anymore with Ubuntu 19.04. Have a look https://github.com/stockmind/dell-xps-9560-ubuntu-respin if there's something that doesn't work. No need to download any firmware anymore for the killer wifi (always worked fine for me)
  2. Install nvidia drivers (latest available in 19.04)
  3. Undervolt? https://github.com/georgewhewell/undervolt I have a systemd service to run undervolt.py --core -125 --cache -125 --gpu -100, helps a little with power consumption and temps, especially under heavy load (around 8-10 deg C).

6. Reinstall Ubuntu

If you need to reinstall ubuntu, you should be able to jump to #4 directly. If you aren't changing your partition layout, you can go straight to #4.4 (install ubuntu), but don't forget to run sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive to mount the encrypted partition. If in doubt, just start from #4 and recreate your crypt drive.

Additional notes

  • Ubuntu (GRUB) is the default boot option, both Ubuntu and Windows should be there
  • Additionally, you can bring up the EFI boot screen pressing F12 as soon as you turn on the laptop
@Lauriy
Copy link

Lauriy commented May 20, 2022

Thanks a bunch for this!

I set up Windows right away. Then went on with Ubuntu. Windows asked my Bitlocker recovery key after installing Ubuntu. Ofc I had it saved and the setup was saved.

@luispabon
Copy link
Author

@peddanet the fstab from the system you're operating on, of course. Within your encrypted volumes.

@jdnixx
Copy link

jdnixx commented Jul 5, 2022

Another thank you from me, this was exactly what I needed. Mucho awesome

@peddanet
Copy link

peddanet commented Jul 5, 2022

Thanks @luispabon! I was recently able to resize the luks encrypted lvm on my dual boot laptop by actually replacing the 1TB SSD by a 2 TB SSD. So I finally chose to buy a new SSD which I wanted to omit at first...

I followed these steps, which I have written down and referred at

askubuntu: trying to resize root partition using lvm doesn't work

Especially the linked
unix.stackechange
Helped me a lot! It worked perfectly for me!

@wusimfan
Copy link

For me this guide worked perfectly.
The question I'm asking myself, does this guide also apply when I have 2 drives? One for windows and one for Linux.

@luispabon
Copy link
Author

It would, but if you have 2 drives you don't need this guide. Simply use the regular ubuntu installer and enable encryption from the GUI and let the installer manage and partition the full drive.

@whowantsmybigdata
Copy link

Great! Were close to buy a second hard-drive to achieve the same and this saved me from having to!!
On my test with ubuntu and kubuntu 22.04 I had to manually put

mkfs.ext /dev/mapper/vg-linux-root
mkfs.ext /dev/mapper/vg-linux-home
mkswap /dev/mapper/vg-linux-swap

in between points 4.4 and 4.5 (so before starting to use the gui installer),
because the installer was not able to format the logical volumes itself.
Thanks a lot!

@foxjaw
Copy link

foxjaw commented Dec 28, 2023

What? I came here whether it's possible to install windows in a luks encrypted drive. It's not possible right?

@peddanet
Copy link

What? I came here whether it's possible to install windows in a luks encrypted drive. It's not possible right?

@foxjaw As it is pointed out above the system consists of the following partitions:

  • boot partition (unencrypted)
  • efi partition (unencrypted)
  • windows partition (ntfs partition)
  • left over space for ext4 luks encrypted Ubuntu system

So it seems clear that you can install windows next to a luks encrypted volume. But you use Bitlocker or similar technique to encrypt the windows partition. Actually mine is left unencrypted as I use the system only for playing games...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment