Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save luispabon/db2c9e5f6cc73bb37812a19a40e137bc to your computer and use it in GitHub Desktop.
Save luispabon/db2c9e5f6cc73bb37812a19a40e137bc to your computer and use it in GitHub Desktop.
Ubuntu + Windows 10 dualboot with LUKS encryption
  • Based on https://gist.github.com/mdziekon/221bdb597cf32b46c50ffab96dbec08a
  • Installation date: 16-08-2019
  • Additional notes based on my own experience
  • EFI boot
  • Ubuntu 19.04 -> 21.04
  • This should work on any computer. Only the RAID > AHCI change described below and the device name for the nvme ssd drive are specific to this laptop.
  • The process describes a completely fresh installation with complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled) as long as Windows already boots with EFI.
  • The process was conducted on Dell's XPS 15 9560 (2017) with specs:
    • CPU: i7-7700HQ
    • Screen: 4K with Touch
    • RAM: 32 GB
    • Drive: 1TB nvme ssd
    • Windows 10 Pro license
    • BIOS version: 1.16.0
      • Suprisingly, Ubuntu's update manager supports BIOS updates out of the box (make sure you're connected to power then run sudo fwupdmgr refresh; sudo fwupdmgr update)
  • My installation did not require to disable TPM nor Secure Boot

Re-installation

If you're re-installing your system and have no need to re-shuffle your partitions, you can jump directly to 4.3.b (the luksOpen command). Just make sure you re-format all your partitions except for EFI (and perhaps /home, if like myself you have one).

1. Installation media

You'll need to boot first into a ubuntu installation disk (to use gparted to partition your drive), then boot into the windows installation media (to install windows) then back again the ubuntu media (to install ubuntu). So you're going to need to prep either 2 different installation medias (eg usb sticks or DVDs or whatever), or you'll need a second computer to keep overwritting the same usb stick.

  1. Create Windows installation USB stick
    • Download .ISO file from Microsoft's webpage
    • Create bootable USB using WoeUSB - do not use Startup Disk Creator utility or the Disks app, won't work for Windows installation media)
  2. Create Ubuntu installation USB stick
    • Download .ISO file from Ubuntu's webpage
    • Create bootable USB using "whatever" (gnome disks or Startup Disk Creator utility)
  3. Go to BIOS (F2) and switch from SSD's "RAID" to "AHCI" mode on some laptop models (like XPS 9560)

2. Partitioning

Important: There's currently no easy way to make grub work with an encrypted partition. Make sure /boot and /boot/EFI are their own partitions and left unencrypted.

  1. Boot into an ubuntu live cd session
  2. Open gparted
  3. Delete all partitions on disk
  4. Create GPT partition table: device > new partition table > choose GPT (this is required for EFI)
  5. Create the following:
    1. 550MiB FAT32 (label EFI - label is for our own benefit, doesn't actually mark this partition as EFI)
    2. 550MiB EXT4 (for Linux boot)
    3. Create your windows partitions as NTFS
    4. Leave enough unallocated space for Ubuntu. Don't create a partition here yet - Windows needs to automatically create an additional 16MiB partition during installation. Dunno what it is for tbh.
  6. Apply changes
  7. Right click on the FAT32 partition you created for EFI partition above > manage flags. Set esp (boot might auto-check itself too). This will mark the partition to use as EFI by both Windows and Ubuntu installations. You might need to apply changes again.

3. Install Windows

  1. Boot from the windows usb pendrive
  2. Install Windows on whatever partition you created earlier
  3. Windows is done at this point - you could go in and setup windows (encryption, drivers, etc) but I'd recommend to set up ubuntu first - the process, if done wrong, can potentially bork your set up and you'll need to start again.

4. Install Ubuntu

  1. Boot into ubuntu live cd session

  2. Open gparted, create a single ext4 partition with unallocated space. This will be for lvm/luks. The filesystem does not matter, we simply need to create a partition here so that it's allocated a device node and shows in /dev).

  3. Create LUKS container on this partition (assuming the partition device is /dev/nvme0n1p5):

    # Note luksFormat and luksOpen are case sensitive
    ~ sudo cryptsetup luksFormat /dev/nvme0n1p5
    ~ sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive
    
    # Optional, rewrite the whole of cryptdrive with crap to ensure no data from before partitioning remains. Took 2h on my 652 GiB partition on an nvme drive
    ~ sudo dd if=/dev/zero of=/dev/mapper/cryptdrive bs=16M
  4. Create LVM physical volume, a volume group & logical volumes:

    • Volumes are sized as follows (example, you should create as many partitions as you need):
      • OS drive: 60GB
      • Swap: 16GB
      • Home: rest
    • Commands (add extra lvcreate steps if you have more partitions):
    ~ sudo pvcreate /dev/mapper/cryptdrive
    ~ sudo vgcreate vglinux /dev/mapper/cryptdrive
    ~ sudo lvcreate -n root -L 60g vglinux
    ~ sudo lvcreate -n swap -L 16g vglinux
    ~ sudo lvcreate -n home -l 100%FREE vglinux
  5. Start the installation process using GUI:

    • Connect to WiFi network
    • When asked what to do with the disk, pick the option that allows you to manually repartition stuff (IIRC it was labelled Something else on 19.04 installer):
      • Pick /dev/mapper/vglinux-root as ext4 FS & mount it to /
      • Pick /dev/mapper/vglinux-home as ext4 FS & mount it to /home
      • Pick /dev/mapper/vglinux-swap as swap
      • Do the same as above if you have extra partitions
      • Pick /dev/nvme0n1p2 (created on step 2.5.1) as ext4 FS & mount it to /boot
        • Without doing this, installation will fail when configuring GRUB
      • Pick "boot drive" (the select list at the bottom, this is where GRUB goes) and assign it to /dev/nvme0n1p2 or /dev/nvem0n1
    • Proceed with the installation
  6. After GUI installation completes, stay within the Live USB environment

  7. Check the UUID of the LUKS drive:

    • sudo blkid /dev/nvme0n1p5
    • Example output:
      • /dev/nvme0n1p5: UUID="abcdefgh-1234-5678-9012-abcdefghijklm" TYPE="crypto_LUKS"
  8. Mount root & boot drives and chroot into the main mount:

    ~ sudo mount /dev/mapper/vglinux-root /mnt
    ~ sudo mount /dev/nvme0n1p2 /mnt/boot
    ~ sudo mount --bind /dev /mnt/dev
    ~ sudo chroot /mnt
    ~ mount -t proc proc /proc
    ~ mount -t sysfs sys /sys
    ~ mount -t devpts devpts /dev/pts
  9. In chroot env, configure crypttab allowing to boot Ubuntu with Encryption unlocker

    • sudo nano /etc/crypttab:
      # <target name> <source device> <key file> <options>
      # options used:
      #     luks    - specifies that this is a LUKS encrypted device
      #     tries=0 - allows to re-enter password unlimited number of times
      #     discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab")
      #     loud    - display all warnings
      cryptdrive UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,tries=0,discard,loud
      
    • update-initramfs -k all -c
  10. Reboot into Ubuntu

5. Ubuntu Tweaks for XPS 9560

  1. XPS 9560 doesn't really need any workarounds or acpi boot options anymore with Ubuntu 19.04. Have a look https://github.com/stockmind/dell-xps-9560-ubuntu-respin if there's something that doesn't work. No need to download any firmware anymore for the killer wifi (always worked fine for me)
  2. Install nvidia drivers (latest available in 19.04)
  3. Undervolt? https://github.com/georgewhewell/undervolt I have a systemd service to run undervolt.py --core -125 --cache -125 --gpu -100, helps a little with power consumption and temps, especially under heavy load (around 8-10 deg C).

6. Reinstall Ubuntu

If you need to reinstall ubuntu, you should be able to jump to #4 directly. If you aren't changing your partition layout, you can go straight to #4.4 (install ubuntu), but don't forget to run sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive to mount the encrypted partition. If in doubt, just start from #4 and recreate your crypt drive.

Additional notes

  • Ubuntu (GRUB) is the default boot option, both Ubuntu and Windows should be there
  • Additionally, you can bring up the EFI boot screen pressing F12 as soon as you turn on the laptop
@peddanet
Copy link

What? I came here whether it's possible to install windows in a luks encrypted drive. It's not possible right?

@foxjaw As it is pointed out above the system consists of the following partitions:

  • boot partition (unencrypted)
  • efi partition (unencrypted)
  • windows partition (ntfs partition)
  • left over space for ext4 luks encrypted Ubuntu system

So it seems clear that you can install windows next to a luks encrypted volume. But you use Bitlocker or similar technique to encrypt the windows partition. Actually mine is left unencrypted as I use the system only for playing games...

@saintcore
Copy link

saintcore commented Sep 17, 2024

I still not believe this to the full but I've done it myself today for a friend and it works. As of today there is no need to do this manual setup of luks/lvm. The Ubuntu setup guide is finally able (it's a bit shady ngl) to do this for you:

  1. If the current windows-setup uses the full disk shrinkt the c:\ partition as much as you want to use for your new ubuntu-installation (you can use gparted for that if your still using windows 7 which doesn't allow you to shrink c:).
  2. Make sure the shrinked / now free part of the disk is not formated with any filesystem before proceeding (should be like that by default but you never know.). This is needed so that the ubuntu setup guide later on recognizes this space for usage automatically.
  3. As with the previous setup: If you have a high need of security for yourself/your setup make sure you overwrite the whole space you just made available for the new ubuntu setup. If not fragments of your previous data could be leaked due to the nature of how luks is setup by default.
  4. Now boot from the ubuntu liveusb and proceed with the setup as normal until the partioning guide is displayed. Here upfirst select the 2nd option (use the whole disk for ubuntu) and enable the advanced options. Within these options enable the luks-encryption. DON'T PROCEED WITH FORMATTING JUST NOW!
  5. Now switch back to the first option (dual boot / install ubuntu alongside windows). You will see that the enabled option for luks-encryption is greyed out below but still will be used. You can now proceed with formating and installing.

With that said I still want to put out a big thx to anyone that contributed to this guide over the years. It helped out myself here and there :)

@LukasJerabek
Copy link

@saintcore can confirm this worked flawlessly :) Thank you for the tip!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment