Manual disk encryption on Ubuntu
Ubuntu makes it very easy to set up full disk encryption, but it requires you to wipe the entire disk if you want the wizard to do it for you, so this is how you can set it up manually.
One common reason you may want to do this is in a dual boot scenario, where one or several leading partitions are already taken – or maybe you simply want to keep whatever is there.
The option in the Ubuntu installer to “Encrypt the new Ubuntu installation for security” is only available when choosing “Erase disk and install Ubuntu”. So, if you don’t want to wipe the entire disk, but you still want to boot an encrypted root partition, it needs some preparation.
This also gives some useful insight into how the disk encryption is actually set up behind the scenes.
In this guide we will:
- Set up the partitions we want manually using sgdisk – but you can use gparted or similar if you prefer.
- Use cryptsetup to encrypt a partition.
- Decrypt (open) and mount this encrypted device, and set up LVM within it.
- Have Ubuntu run its installation against the unlocked partition, like any normal installation.
- Manually configure the new installation to prompt the user for a passphrase to unlock the device on boot.
This may sound like a lot, but it’s pretty straightforward.
This guide assumes that you already have, or that you will create, an EFI system partition. This is outside the scope of the guide.
Note: This post is heavily inspired by this post by Mike Kasberg.
Graphical representation

| ### sda1 ### | ## sda2 ## | ######### sda3 ######### | -,
  ^-untouched    ^-/boot      ^- LUKS LVM (encrypted)     |
                                                           |
| ####################### sda3 ####################### | <´
| ## swap (lv) ## | ########### root (lv) ########### |
Introduction

In this example, /dev/sda1 is taken and we do not want to remove it. After sda1, there is free space available. You may very well have multiple partitions “taken”. If so, the partitions you create might be sda5, or sda6, etc.
Partitions

First, create a 2G partition for /boot (we’re not encrypting this) on /dev/sda as partition 2, which is the next free partition number available in this example where only sda1 exists.
sgdisk --new=2:0:+2G /dev/sda
Let the next partition, 3, fill the remaining space:
sgdisk --new=3:0:0 /dev/sda
Now set the name of 2 to /boot and 3 to rootfs:
sgdisk --change-name=2:/boot --change-name=3:rootfs /dev/sda
Then set the typecode to 8300 on both (Linux filesystem):
sgdisk --typecode=2:8300 --typecode=3:8300 /dev/sda
At this point, we’re going to use LUKS to encrypt what will later become our root disk (sda3):
cryptsetup luksFormat --type=luks1 /dev/sda3
Then open it with the passphrase you chose and call it “root”, or whatever really:
cryptsetup open /dev/sda3 root
The name root makes the unlocked device available at /dev/mapper/root.

LVM
We can now treat this meta-device as a regular HDD and create a physical volume for LVM as you would normally:
pvcreate /dev/mapper/root
Create a volume group, then one logical volume for swap, and use the rest for our root partition.
vgcreate ubuntu-vg /dev/mapper/root
lvcreate -L 4G -n swap ubuntu-vg
lvcreate -l 100%FREE -n root ubuntu-vg
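The steps from sgdisk through lvcreate, collected into one script as an added example (this is not code from the original post). It goes a little beyond the post: it works out the next free partition number from `sgdisk --print` instead of hard-coding 2 and 3, handles disks whose partitions are named with a `p` separator (nvme0n1p2), refuses to run while anything on the target disk is mounted, and shows where the confusing `/dev/mapper/ubuntu--vg-root` name the installer will show you comes from. The sample sgdisk output, the disk `/dev/sda` and the sizes are constructed for illustration; `prepare_encrypted_root` itself is only meant to be called as root from the live session.

```bash
#!/bin/sh
# Added example, not from the original post. Wraps the post's partition,
# LUKS and LVM steps with a couple of checks. Device names, sizes and the
# sample sgdisk output are constructed.
set -u

# Constructed sample of `sgdisk --print /dev/sda` on a disk where only
# sda1 (an EFI system partition) exists.
SAMPLE_SGDISK='Disk /dev/sda: 500118192 sectors, 238.5 GiB
Sector size (logical/physical): 512/512 bytes
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI system partition'

# Lowest partition number not in use, parsed from `sgdisk --print` output
# on stdin. Partition rows are the lines that start with three numbers
# (number, start sector, end sector); gaps in the numbering are reused.
next_free_partition() {
    awk '/^ *[0-9]+ +[0-9]+ +[0-9]+ /{ used[$1] = 1 }
         END { n = 1; while (n in used) n++; print n }'
}

# LVM doubles every '-' inside the VG and LV names and joins them with a
# single '-', so VG "ubuntu-vg" + LV "root" shows up in the installer as
# /dev/mapper/ubuntu--vg-root.
dm_mapper_path() {
    printf '/dev/mapper/%s-%s\n' \
        "$(printf '%s' "$1" | sed 's/-/--/g')" \
        "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# The post's steps against a real disk. Usage (root, live session):
#   prepare_encrypted_root /dev/sda 2G 4G ubuntu-vg root
prepare_encrypted_root() {
    disk=$1 boot_size=$2 swap_size=$3 vg=$4 name=$5
    # Refuse to touch a disk that has anything mounted from it.
    if grep -q "^${disk}[p0-9]* " /proc/mounts; then
        echo "refusing: something on $disk is mounted" >&2
        return 1
    fi
    # /dev/nvme0n1 -> /dev/nvme0n1p2, /dev/sda -> /dev/sda2
    case $disk in *[0-9]) sep=p ;; *) sep= ;; esac

    boot=$(sgdisk --print "$disk" | next_free_partition)
    sgdisk --new="$boot:0:+$boot_size" "$disk"
    # Re-read after creating /boot in case the next number was a gap.
    rootp=$(sgdisk --print "$disk" | next_free_partition)
    sgdisk --new="$rootp:0:0" "$disk"
    sgdisk --change-name="$boot:/boot" --change-name="$rootp:rootfs" "$disk"
    sgdisk --typecode="$boot:8300" --typecode="$rootp:8300" "$disk"

    rootdev="$disk$sep$rootp"
    cryptsetup luksFormat --type=luks1 "$rootdev"   # prompts for a passphrase
    cryptsetup open "$rootdev" "$name"              # prompts again
    pvcreate "/dev/mapper/$name"
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -L "$swap_size" -n swap "$vg"
    lvcreate -l 100%FREE -n root "$vg"
    echo "boot: $disk$sep$boot  root LV: $(dm_mapper_path "$vg" root)"
}
```

The mount check is deliberately crude (a prefix match on /proc/mounts): the point is to stop you from repartitioning the disk you are currently running from, not to be precise.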
Install Ubuntu
Since this encrypted device is already unlocked and LVM has been prepared, we can use the normal GUI installation in Ubuntu to install into it.
If you want to double-check at this point, you can run gparted as root, which should show the partitions you just created.
Start the regular Ubuntu installation, select language, keyboard layout etc. and then select “Something else” when asked about how you want to install.
Here’s what we’ll do in the installation GUI:
- Edit /dev/mapper/ubuntu--vg-root, set it to ext4 mounted at /, and format it.
- Edit /dev/mapper/ubuntu--vg-swap, set it to swap area.
- Edit /dev/sda2, set it to ext4 mounted at /boot, and format it.
Let the installation complete, but – do not – reboot or shut down the installation (select “Continue Testing”).
The reason we must keep the installation going is that the installation wizard does not understand that it has installed Ubuntu into an encrypted device. We need to add some configuration to the fresh installation while it is still mounted, so that it will prompt the user for the passphrase to decrypt it on boot.
chroot into the installation

We’ll use /target for mounting our installed system:
mount /dev/mapper/ubuntu--vg-root /target
mount /dev/sda2 /target/boot
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
Before jumping into it, we need to figure out the UUID (not PARTUUID) of the encrypted partition (/dev/sda3). This can be found by running:
blkid /dev/sda3
Save this for later.
Since /target is now a usable environment, we can chroot to it:
chroot /target
mount -a
Now create and edit /etc/crypttab, which likely does not exist, and add the name for the device, the device itself (by UUID, no quotes) and some options:
root UUID=your_uuid_here none luks,discard
Save the file, then apply your changes by running:
update-initramfs -k all -c
This will re-generate your initrd images, and when done you’re ready to reboot. After the reboot, you should be greeted with a prompt asking you for the passphrase to decrypt “root”, and that’s it!
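The crypttab step is where this usually goes wrong: picking up PARTUUID instead of UUID, or the UUID of the wrong partition, leaves you at an initramfs prompt with no way to unlock root. Here is an added example (not code from the original post) that builds the crypttab line from a `blkid` line, refusing anything that is not a LUKS container, and a check to run inside the chroot after `update-initramfs` before you reboot. The blkid line is constructed; the mapping name `root` and the options `luks,discard` are the post's.

```bash
#!/bin/sh
# Added example, not from the original post. Derive the /etc/crypttab
# entry from blkid output and sanity-check the result before rebooting.
# The sample blkid line below is constructed.
set -u

# Constructed sample of `blkid /dev/sda3` for a LUKS-formatted partition.
SAMPLE_BLKID='/dev/sda3: UUID="c0ffee00-1234-5678-9abc-def012345678" TYPE="crypto_LUKS" PARTUUID="6e0a0000-0000-4000-8000-000000000003"'

# Value of one KEY="..." field from a blkid line. The leading space in the
# pattern is what keeps a request for UUID from matching inside PARTUUID.
blkid_field() {
    # $1: field name (UUID, TYPE, PARTUUID), $2: one blkid output line
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# crypttab line "<name> UUID=<uuid> none <options>", only for LUKS devices.
crypttab_line() {
    # $1: mapping name, $2: blkid line, $3: options
    fstype=$(blkid_field TYPE "$2")
    if [ "$fstype" != crypto_LUKS ]; then
        echo "refusing: device is '$fstype', not crypto_LUKS" >&2
        return 1
    fi
    uuid=$(blkid_field UUID "$2")
    if [ -z "$uuid" ]; then
        echo "refusing: no UUID in blkid output" >&2
        return 1
    fi
    printf '%s UUID=%s none %s\n' "$1" "$uuid" "$3"
}

# Run inside the chroot after update-initramfs. Every crypttab entry's UUID
# must resolve to a LUKS device, and each initrd in /boot must contain
# cryptsetup, otherwise the first boot cannot unlock root.
verify_crypttab() {
    crypttab=${1:-/etc/crypttab}
    while read -r name src _; do
        case $name in ''|'#'*) continue ;; esac
        dev="/dev/disk/by-uuid/${src#UUID=}"
        [ -e "$dev" ] || { echo "$name: $src does not resolve" >&2; return 1; }
        cryptsetup isLuks "$dev" || { echo "$name: $dev is not LUKS" >&2; return 1; }
    done < "$crypttab"
    for img in /boot/initrd.img-*; do
        lsinitramfs "$img" | grep -q cryptsetup \
            || { echo "$img does not contain cryptsetup" >&2; return 1; }
    done
    echo "crypttab and initramfs look consistent"
}

# Typical use on the real system (inside the chroot):
#   crypttab_line root "$(blkid /dev/sda3)" luks,discard >> /etc/crypttab
#   update-initramfs -k all -c && verify_crypttab
```

One note on the options: `discard` passes TRIM through dm-crypt to the SSD, which is good for the drive but means someone holding the raw disk can see which blocks are unused. Leave it out if that matters more to you than SSD wear levelling.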