My work requires us to have full-disk encryption, so these are the steps I use.
The basic idea is to create a LUKS-encrypted partition which is used as an LVM Physical Volume.
The GRUB boot partition isn't encrypted, but everything else is.
These steps tested and working on 22.04 (jammy) and 20.04 (focal).
Boot from the Ubuntu LiveUSB. I am actually using Ubuntu MATE.
Open the terminal application and become root:
sudo -sIf you're using storage which had something on it before, you might want to ATA Secure Erase and reboot again.
If using BIOS Legacy Boot, use fdisk /dev/sda to create partitions like:
sda1- at least 512M - type83 Linuxsda2- rest of disk - type8e LVMseems fine, or typee8 LUKS
If using UEFI, use gdisk /dev/sda to create partitions like:
sda1- at least 512M - typeEF00 EFI System Partitionsda2- at least 512M - type8300 Linuxsda3- rest of disk - type8309 LUKS
If using UEFI, format the EFI System Partition as FAT32:
mkfs.vfat -F 32 /dev/sda1For the rest of this tutorial, I will refer to the LUKS partition as sdaX. Select sda2 or sda3 as appropriate for your system.
Encrypt the LUKS partition with a passphrase:
cryptsetup luksFormat /dev/sdaXMount the encrypted partition with your passphrase:
cryptsetup open /dev/sdaX luks1The encrypted partition is now mounted at /dev/mapper/luks1.
Treat /dev/mapper/luks1 as an LVM PV and create your volumes. Mine are like:
- Volume Group
vg_hostname- Logical Volume
lv_root- Probably at least 20G, maybe 30 or 40 - Logical Volume
lv_swap- Optional, maybe not desirable if you have an SSD - Logical Volume
lv_home- Rest of the space
- Logical Volume
Commands to do this are:
pvcreate /dev/mapper/luks1
vgcreate vg_hostname /dev/mapper/luks1
lvcreate -L 30G -n lv_root vg_hostname
lvcreate -L 512M -n lv_swap vg_hostname
lvcreate -l100%FREE -n lv_home vg_hostnameRun the regular installer, choose custom partitioning.
If using BIOS Legacy Boot, set it up like:
/dev/sda1- ext4 or XFS at/boot/dev/mapper/vg_hostname-lv_root- ext4 or XFS at/(root)/dev/mapper/vg_hostname-lv_home- ext4 or XFS at/home- Add swap if you created it
- Install bootloader into
/dev/sda
If using UEFI, set it up like:
/dev/sda1- EFI System Partition/dev/sda2- ext4 or XFS at/boot/dev/mapper/vg_hostname-lv_root- ext4 or XFS at/(root)/dev/mapper/vg_hostname-lv_home- ext4 or XFS at/home- Add swap if you created it
When the installer finishes, don't reboot.
The system currently won't boot from disk, so stay in the LiveUSB environent.
(If you accidentally do reboot, that's fine, just get back into the LiveUSB and cryptsetup open again then pvscan; vgscan; lvscan to find the LVM volumes)
Open the terminal application and become root:
sudo -sWe'll now create a chroot and enter the installed system:
## /target will already exist in the live environment post-install
mkdir -p /target
## mount the root filesystem at /target
mount /dev/mapper/vg_hostname-lv_root /target
## mount some extra stuff so the chroot works
for DIR in proc sys dev /etc/resolv.conf; do mount --rbind /$DIR /target/$DIR; done
## enter the chroot
chroot /target
## we are now inside the installed system, not the live environment
## the following command mounts /boot (and /boot/efi if present) so initramfs/GRUB updates work
mount -aGet the UUID of the encrypted outer partition sdaX with:
blkid
/dev/sdaX: UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" TYPE="crypto_LUKS"Using the above UUID, create the file /etc/crypttab with the contents:
luks1 UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" none luksThe none parameter makes the system ask for passphrase on boot.
Edit /etc/default/grub and set:
GRUB_ENABLE_CRYPTODISK=y
As of kernel 5.11.0-40-generic there's a ~45-second pause at boot while the system tries to find a non-existent resume device, so we'll disable resume.
Create the file /etc/initramfs-tools/conf.d/noresume.conf with contents:
RESUME=none
If you want to mount /tmp as tmpfs (ramdisk) then:
sudo ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
sudo systemctl enable tmp.mountUpdate the initramfs for all installed kernels:
update-initramfs -u -k all
Update the GRUB bootloader config:
grub-mkconfig -o /boot/grub/grub.cfg
Exit the chroot with Ctrl+d and turn the system off gracefully with poweroff.
Remove the LiveUSB, boot normally.
You will be asked for your encryption passphrase before boot proceeds.
- https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
man cryptsetupman crypttabman initramfs.conf- https://askubuntu.com/questions/1123290/grub-timeout-in-etc-default-grub-not-changing-the-wait-time-with-lvm
- https://askubuntu.com/questions/1232004/mounting-tmp-as-tmpfs-on-ubuntu-20-04
- https://askubuntu.com/questions/1145535/stuck-on-loading-initial-ramdisk-after-upgrading
- https://wiki.archlinux.org/title/EFI_system_partition
- Jamie Bainbridge - https://superjamie.github.io/
- CC-BY-SA - https://creativecommons.org/licenses/by-sa/4.0/
- 2021-11 - First publish
- 2022-01 - Add UEFI steps, remove mid-install reboot, add license, tidy here and there
- 2022-04 - Works on 22.04 as well
- 2022-11 - Fix a typo, remove my old Asus-laptop-specific microcode workaround from a general guide
I thank you. I thank you dearly. I wish luck to you, your family, and your children for 100 generations!
This was exactly what I was looking for. I spent 3 days unable to make Ubuntu work with this disc layout. I really don't know why it's that complicated.