These are just some quick notes about installing Ubuntu to an encrypted partition (LUKS) with LVM2 on top of it. The installer GUI has an advanced option to do this, but it is only available if you select the Erase disk and install Ubuntu option. I wanted to use this setup while preserving dual boot with Windows.
You should probably follow this guide instead of my instructions: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
- Encrypt /boot partition (see the linked guide above).
- Fix Windows boot loader, removed from GRUB after last `update-grub`.
This was tested with:
- Ubuntu 20.04 (Focal Fossa) on a Dell XPS 15.
- UEFI enabled
- Secure Boot enabled initially, disabled after shrinking Windows partition.
- Boot to Windows.
- Disable BitLocker on C: device.
- Shrink C: device.
- Boot with Ubuntu Live CD (Desktop).
- Choose Try Ubuntu.
- Create 2 partitions:
  - One for /boot (e.g. 1G), you can encrypt it with LUKS but it needs to use `--type=luks1` for this one!
  - One for the encrypted root.
- Go to a terminal:
  - Identify your target partition (use `lsblk` for this), mine is `/dev/nvme0n1p8`.
  - Create the LUKS volume: `cryptsetup luksFormat --type=luks2 /dev/nvme0n1p8`. This will prompt for setting the passphrase.
  - Open the LUKS volume: `cryptsetup open /dev/nvme0n1p8 cryptroot`
  - Create the LVM2 physical volume: `pvcreate /dev/mapper/cryptroot`
  - Create the LVM2 volume group: `vgcreate ubuntu-vg /dev/mapper/cryptroot`
  - Create the LVM2 logical volumes, for example:
    - `lvcreate -L 32G -n swap ubuntu-vg`
    - `lvcreate -L 40G -n root ubuntu-vg`
    - `lvcreate -L 20G -n docker ubuntu-vg`
    - `lvcreate -L 100G -n home ubuntu-vg`
- Open the installer.
- On Installation type, select Something else.
- Assign the LVM logical volumes to their mount points. Do not forget the /boot and swap partitions.
- Continue as usual. When the installation has finished, do not reboot; select Continue testing.
- Chroot into the installed system:
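```bash
# Get LUKS UUID
blkid | grep LUKS
# Mount the installed system under /mnt
mount /dev/ubuntu-vg/root /mnt
mount /dev/ubuntu-vg/home /mnt/home
# ...
# /boot and the EFI system partition go under /mnt, not the live system's /boot
mount /dev/nvme0n1p7 /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot/efi
mount -o bind /dev /mnt/dev
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
# /run is empty on the installed root, so create the mount point first
mkdir -p /mnt/run/lvm
mount -o bind /run/lvm /mnt/run/lvm
# chroot
chroot /mnt
# Inside the chroot: register the LUKS volume so the initramfs can unlock it
echo "cryptroot UUID=<UUID here...> none luks,discard" >> /etc/crypttab
# Rebuild the initramfs and the GRUB configuration
update-initramfs -k all -c
update-grub
```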
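A pre-reboot check for the crypttab step above, as an added example that is not part of the original notes: it derives the crypttab line from `blkid` output and confirms that a crypttab file names the real LUKS UUID rather than the placeholder. The function names and the sample `blkid` lines are constructed; the device and mapping names are the ones used in these notes.

```shell
# Added example (not from the original notes). Function names and the
# sample blkid lines are constructed; device/mapping names follow the notes.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="AAAA-0001" TYPE="vfat" PARTUUID="00000000-0000-0000-0000-000000000001"
/dev/nvme0n1p8: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="00000000-0000-0000-0000-000000000008"'

# Read blkid output on stdin; print DEVICE's UUID only if it is a LUKS container.
luks_uuid() {
  local dev="$1" line uuid
  line=$(grep -F -- "$dev: ") || return 1      # blkid prints "DEVICE: KEY=..."
  case "$line" in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
  # The leading space in the pattern keeps PARTUUID= from matching.
  uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
  [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# usage: blkid | crypttab_line NAME DEVICE
# Note: "discard" lets TRIM pass through the LUKS layer, which reveals
# which blocks of the encrypted volume are unused.
crypttab_line() {
  local uuid
  uuid=$(luks_uuid "$2") || { echo "no LUKS header found on $2" >&2; return 1; }
  printf '%s UUID=%s none luks,discard\n' "$1" "$uuid"
}

# usage: blkid | crypttab_ok NAME DEVICE CRYPTTAB_FILE
# Succeeds only if the file has an entry NAME whose source is DEVICE's UUID.
crypttab_ok() {
  local uuid
  uuid=$(luks_uuid "$2") || return 1
  awk -v n="$1" -v s="UUID=$uuid" \
    '$1 == n && $2 == s { ok = 1 } END { exit !ok }' "$3"
}

# Demonstration on the constructed sample. On the live system, before
# entering the chroot, the equivalent would be:
#   blkid | crypttab_line cryptroot /dev/nvme0n1p8 >> /mnt/etc/crypttab
#   blkid | crypttab_ok cryptroot /dev/nvme0n1p8 /mnt/etc/crypttab
printf '%s\n' "$SAMPLE_BLKID" | crypttab_line cryptroot /dev/nvme0n1p8
```

If `crypttab_ok` fails, the initramfs will not know which device to unlock, so fix `/etc/crypttab` and rerun `update-initramfs` before rebooting.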
And now reboot!