My work requires us to have full-disk encryption, so these are the steps I use.
The basic idea is to create a LUKS-encrypted partition which is used as an LVM Physical Volume.
The GRUB boot partition isn't encrypted, but everything else is.
These steps tested and working on 22.04 (jammy) and 20.04 (focal).
Boot from the Ubuntu LiveUSB. I am actually using Ubuntu MATE.
Open the terminal application and become root:
sudo -s
If you're using storage which had something on it before, you might want to ATA Secure Erase and reboot again.
If using BIOS Legacy Boot, use fdisk /dev/sda
to create partitions like:
sda1
- at least 512M - type83 Linux
sda2
- rest of disk - type8e LVM
seems fine, or typee8 LUKS
If using UEFI, use gdisk /dev/sda
to create partitions like:
sda1
- at least 512M - typeEF00 EFI System Partition
sda2
- at least 512M - type8300 Linux
sda3
- rest of disk - type8309 LUKS
If using UEFI, format the EFI System Partition as FAT32:
mkfs.vfat -F 32 /dev/sda1
For the rest of this tutorial, I will refer to the LUKS partition as sdaX
. Select sda2
or sda3
as appropriate for your system.
Encrypt the LUKS partition with a passphrase:
cryptsetup luksFormat /dev/sdaX
Mount the encrypted partition with your passphrase:
cryptsetup open /dev/sdaX luks1
The encrypted partition is now mounted at /dev/mapper/luks1
.
Treat /dev/mapper/luks1
as an LVM PV and create your volumes. Mine are like:
- Volume Group
vg_hostname
- Logical Volume
lv_root
- Probably at least 20G, maybe 30 or 40 - Logical Volume
lv_swap
- Optional, maybe not desirable if you have an SSD - Logical Volume
lv_home
- Rest of the space
- Logical Volume
Commands to do this are:
pvcreate /dev/mapper/luks1
vgcreate vg_hostname /dev/mapper/luks1
lvcreate -L 30G -n lv_root vg_hostname
lvcreate -L 512M -n lv_swap vg_hostname
lvcreate -l100%FREE -n lv_home vg_hostname
Run the regular installer, choose custom partitioning.
If using BIOS Legacy Boot, set it up like:
/dev/sda1
- ext4 or XFS at/boot
/dev/mapper/vg_hostname-lv_root
- ext4 or XFS at/
(root)/dev/mapper/vg_hostname-lv_home
- ext4 or XFS at/home
- Add swap if you created it
- Install bootloader into
/dev/sda
If using UEFI, set it up like:
/dev/sda1
- EFI System Partition/dev/sda2
- ext4 or XFS at/boot
/dev/mapper/vg_hostname-lv_root
- ext4 or XFS at/
(root)/dev/mapper/vg_hostname-lv_home
- ext4 or XFS at/home
- Add swap if you created it
When the installer finishes, don't reboot.
The system currently won't boot from disk, so stay in the LiveUSB environent.
(If you accidentally do reboot, that's fine, just get back into the LiveUSB and cryptsetup open
again then pvscan; vgscan; lvscan
to find the LVM volumes)
Open the terminal application and become root:
sudo -s
We'll now create a chroot and enter the installed system:
## /target will already exist in the live environment post-install
mkdir -p /target
## mount the root filesystem at /target
mount /dev/mapper/vg_hostname-lv_root /target
## mount some extra stuff so the chroot works
for DIR in proc sys dev /etc/resolv.conf; do mount --rbind /$DIR /target/$DIR; done
## enter the chroot
chroot /target
## we are now inside the installed system, not the live environment
## the following command mounts /boot (and /boot/efi if present) so initramfs/GRUB updates work
mount -a
Get the UUID of the encrypted outer partition sdaX
with:
blkid
/dev/sdaX: UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" TYPE="crypto_LUKS"
Using the above UUID, create the file /etc/crypttab
with the contents:
luks1 UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" none luks
The none
parameter makes the system ask for passphrase on boot.
Edit /etc/default/grub
and set:
GRUB_ENABLE_CRYPTODISK=y
As of kernel 5.11.0-40-generic
there's a ~45-second pause at boot while the system tries to find a non-existent resume device, so we'll disable resume.
Create the file /etc/initramfs-tools/conf.d/noresume.conf
with contents:
RESUME=none
If you want to mount /tmp
as tmpfs
(ramdisk) then:
sudo ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
sudo systemctl enable tmp.mount
Update the initramfs for all installed kernels:
update-initramfs -u -k all
Update the GRUB bootloader config:
grub-mkconfig -o /boot/grub/grub.cfg
Exit the chroot with Ctrl+d and turn the system off gracefully with poweroff
.
Remove the LiveUSB, boot normally.
You will be asked for your encryption passphrase before boot proceeds.
- https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
man cryptsetup
man crypttab
man initramfs.conf
- https://askubuntu.com/questions/1123290/grub-timeout-in-etc-default-grub-not-changing-the-wait-time-with-lvm
- https://askubuntu.com/questions/1232004/mounting-tmp-as-tmpfs-on-ubuntu-20-04
- https://askubuntu.com/questions/1145535/stuck-on-loading-initial-ramdisk-after-upgrading
- https://wiki.archlinux.org/title/EFI_system_partition
- Jamie Bainbridge - https://superjamie.github.io/
- CC-BY-SA - https://creativecommons.org/licenses/by-sa/4.0/
- 2021-11 - First publish
- 2022-01 - Add UEFI steps, remove mid-install reboot, add license, tidy here and there
- 2022-04 - Works on 22.04 as well
- 2022-11 - Fix a typo, remove my old Asus-laptop-specific microcode workaround from a general guide
Totally agree.
For me everything was under
/
including/home
and I did this way because I primarily use logical volumes for everything. In fact I have chunked my hard disk into fixed size partitions that serve as LVM PVs. That way I am able to resize the volumes at will without having to move around partitions just because I need more space.