has_many :codes

Ubuntu: (almost) full disk encryption with manual partitioning - BIOS mode


In the previous post, I showed how to install Ubuntu with full disk encryption and manual partitioning in UEFI mode. Here’s how to do the same but with the computer booting in BIOS mode instead (for example on my mid-2010 and early-2011 MacBooks I install Ubuntu in BIOS mode due to some issues with the automatic switching between the Intel graphics card and the nVidia or AMD discrete graphics card). The same assumptions as with the other post apply here.

Installing

Before starting, back up your data if needed. Boot the system from the Ubuntu installation media in live mode (“Try Ubuntu”), then run the installer and choose “Something else” at the “Installation type” screen. At the next screen (custom partitioning):

  • delete all the existing partitions
  • create a new partition table
  • create an ext2 partition of 512MB which will be used as boot partition
  • create a partition for the remaining disk space, selecting “physical volume for encryption” from the “Use as” dropdown. Enter the passphrase you want to use to unlock the encrypted partition at boot

Quit the installer and open the terminal (ctrl-alt-t), then run:

sudo -s
dmsetup table

and take note of the device name of your unlocked crypto container (likely sda5_crypt). Next, set up LVM volumes:

vgcreate system /dev/disk/by-id/dm-name-sda5_crypt
lvcreate -L 2G -n swap system
lvcreate -L 30G -n root system
lvcreate -l 100%FREE -n home system

You don’t necessarily need a swap volume (nor does it have to be 2GB), and the root volume can be smaller than 30GB; that is up to you. Reopen the installer but leave the terminal open as well. At the “Installation type” screen, select “Something else” again, then

  • select the ext2 partition (/dev/sda1) and assign the /boot mount point, also checking “Format the partition”
  • configure the swap volume (/dev/mapper/system-swap) as “swap area”
  • configure the root volume (/dev/mapper/system-root) as “ext4 journaling file system” with mount point of “/”, and check “Format the partition”
  • configure the home volume (/dev/mapper/system-home) as “ext4 journaling file system” with mount point of “/home” and check “Format the partition”
  • select /dev/sda as “Device for boot loader installation”

Proceed with the installation but do not reboot when asked and do not quit the installer yet; just leave the installer’s popup alone. Then go back to the terminal you left open and run the following commands to finalize the installation (write the crypttab entry, rebuild the initramfs and update GRUB so the bootloader can unlock the encrypted partition):

blkid /dev/sda5    # shows the UUID of the LUKS partition; the next line substitutes it for you
echo "sda5_crypt UUID=$(blkid -s UUID -o value /dev/sda5) none luks,discard" > /target/etc/crypttab
mount -t proc proc /target/proc/
mount --rbind /sys /target/sys/
mount --rbind /dev /target/dev/
chroot /target
update-initramfs -u    # rebuild the initramfs so it knows about the crypttab mapping
update-grub2           # regenerate the GRUB configuration
exit
reboot

The system will boot into the new installation requiring the passphrase to unlock the encrypted partition.

Reinstalling

  • Back up your data if needed
  • Boot from the Ubuntu installation media and choose “Try Ubuntu”
  • Open the terminal (ctrl-alt-t) and run the following to unlock the existing encrypted partition:
sudo cryptsetup luksOpen /dev/sda5 sda5_crypt
  • Run the installer leaving the terminal open and select “Something else” at the “Installation type” screen; you will see the existing LVM volumes
  • Select the disk as “Device for boot loader installation” (e.g. /dev/sda)
  • Select the boot partition (/dev/sda1), right-click then click “Change”; select “ext2 file system” from “Use as”, check “Format the partition” and select “/boot” as mount point
  • Select the swap volume (/dev/mapper/system-swap, since the volume group was created as “system” above) and configure it as “swap area”
  • Select the root volume (/dev/mapper/system-root), right-click then click “Change”; select “ext4 file system” from “Use as”, check “Format the partition” and select “/” as mount point
  • Select the home volume (/dev/mapper/system-home), right-click then click “Change”; select “ext4 file system” from “Use as”, do not check “Format the partition” (otherwise you will lose your data!) and select “/home” as mount point
  • Proceed with the installation and of course use the same user name you had in the previous installation, so the new installation will automatically use the existing home directory. At the end of the installation do not reboot and do not exit the installer
  • Go back to the terminal and run
blkid /dev/sda5    # shows the UUID of the LUKS partition; the next line substitutes it for you
echo "sda5_crypt UUID=$(blkid -s UUID -o value /dev/sda5) none luks,discard" > /target/etc/crypttab
mount -t proc proc /target/proc/
mount --rbind /sys /target/sys/
mount --rbind /dev /target/dev/
chroot /target
update-initramfs -u    # rebuild the initramfs so it knows about the crypttab mapping
update-grub2           # regenerate the GRUB configuration
exit
reboot

The system should now boot into the new installation, with your existing data in /home still there.
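The crypttab step in both the Installing and Reinstalling sections is the one place where a typo silently produces an unbootable system: the initramfs looks up the mapping name and UUID from /etc/crypttab, and a stray quote, a truncated UUID, a mapping name that differs from the one the installer opened, or an fstab still pointing at a volume group with another name all end at the initramfs prompt. The following added example (not part of the original post) checks those three things before the reboot. The function names and the sample blkid, dmsetup and fstab text are constructed for illustration; the mapping name sda5_crypt and the volume group name system are the ones used in the steps above, and only write_crypttab touches the live system.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the crypttab
# entry before rebooting. Function names and the sample blkid/dmsetup/fstab
# text below are constructed for illustration; the only real commands used
# are blkid and dmsetup, inside write_crypttab.

# Print a crypttab line for a mapping name and a LUKS partition UUID.
# Rejects anything that is not a well-formed UUID, so a copy/paste slip
# (stray quotes, missing hex digit) fails here instead of at the next boot.
crypttab_line() {
    name=$1
    uuid=$2
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "crypttab_line: '$uuid' is not a UUID" >&2
        return 1
    fi
    printf '%s UUID=%s none luks,discard\n' "$name" "$uuid"
}

# Succeed only if the mapping name at the start of a crypttab line appears
# as a device in the text of 'dmsetup table'. If the name the initramfs
# reads from crypttab differs from the one the installer opened, the root
# volume group is never found at boot.
crypttab_name_in_dm() {
    line=$1
    dm_table=$2
    name=${line%% *}
    printf '%s\n' "$dm_table" | grep -q "^$name:"
}

# Succeed only if every /dev/mapper/ path in an fstab text belongs to the
# expected volume group (here "system"); stale paths left over from an
# earlier install with a different VG name also drop the boot to the
# initramfs prompt.
fstab_uses_vg() {
    fstab=$1
    vg=$2
    printf '%s\n' "$fstab" | grep -E '^/dev/mapper/' \
        | grep -Ev "^/dev/mapper/${vg}-" | grep -q . && return 1
    return 0
}

# On the live system, as root, after the installer has finished and before
# rebooting: derive the UUID with blkid, verify the mapping name against
# dmsetup, then write /target/etc/crypttab.
write_crypttab() {
    dev=${1:-/dev/sda5}
    name=${2:-sda5_crypt}
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    line=$(crypttab_line "$name" "$uuid") || return 1
    crypttab_name_in_dm "$line" "$(dmsetup table)" || {
        echo "write_crypttab: mapping '$name' is not open" >&2
        return 1
    }
    printf '%s\n' "$line" > /target/etc/crypttab
}

# Constructed sample data, shaped like the real command output, so the
# checks above can be exercised without touching a disk.
SAMPLE_UUID='2b5d6c2a-1f3e-4a7b-9c8d-0e1f2a3b4c5d'
SAMPLE_DM='sda5_crypt: 0 976771072 crypt aes-xts-plain64 0000000000000000 0 8:5 4096
system-root: 0 62914560 linear 253:0 4196352'
SAMPLE_FSTAB='/dev/mapper/system-root / ext4 errors=remount-ro 0 1
UUID=0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0 /boot ext2 defaults 0 2
/dev/mapper/system-home /home ext4 defaults 0 2
/dev/mapper/system-swap none swap sw 0 0'
```

At the point where the post writes crypttab from the root shell, `write_crypttab /dev/sda5 sda5_crypt` replaces the blkid-and-echo pair and refuses to write the file if the UUID or mapping name does not check out; `fstab_uses_vg "$(cat /target/etc/fstab)" system` is the matching check for the fstab the installer generated.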

What to do when the system doesn’t boot

If you made a mistake during the installation, or the system otherwise cannot boot properly (not even in recovery mode), boot from the Ubuntu installation media, chroot into the installed system and run whatever commands are required to fix the issue(s):

  • Boot from the installation media and select “Try Ubuntu”
  • Open the terminal, and run the following commands
sudo mkdir -p /mnt/root
sudo cryptsetup luksOpen /dev/sda5 sda5_crypt
sudo mount /dev/mapper/system-root /mnt/root    # root volume of the "system" volume group created above
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /run /mnt/root/run
sudo chroot /mnt/root
umount /boot 2>/dev/null    # harmless if nothing is mounted there
mkdir -p /boot
mount /dev/sda1 /boot
mount --types=proc proc /proc
mount --types=sysfs sys /sys

# (...fix stuff...)

exit
sudo reboot

Hope this is useful to someone.

© Vito Botta