Ubuntu: (almost) full disk encryption with manual partitioning - UEFI mode

I’ve been using encryption on all of my computers for many years now, in one form or another depending on the computer, the operating system, and the data; I like to know that if thieves get hold of my laptop or break into my house and gain physical access to my other computers, at least they won’t (easily) be able to access and exploit my data. That is because everything is encrypted, from internal drives to external drives used for backups.

I switched from Macs back to Linux a couple of years ago, and after a long spell of distro hopping I settled once again on Ubuntu, as it just works with everything without much hassle. So here I am going to describe some simple steps to install Ubuntu with an “almost” full disk encryption, while also doing manual partitioning of the disk for greater flexibility. I say “almost” full disk encryption because, like in most implementations, I generally leave the boot partition unencrypted, as this makes things a lot easier to set up and maintain. Everything else on the system is encrypted. Please keep in mind that this is a personal choice, so YMMV. I work from home, so I am mostly concerned with the possibility of thieves stealing my laptop while I am on the move or (less likely) gaining access to my house and thus to my other computers when I am away. I am therefore not concerned with protecting my stuff from, for example, co-workers in the same office or similar scenarios where others may be able to gain physical access to your computer any time you are away and are actually after your data, not your hardware. In these scenarios it is in fact very possible for an attacker to tamper with an unencrypted boot partition so as to hide code that steals your passphrase the next time you enter it to unlock the encrypted disk, thus letting the attacker access your unencrypted data at will. It’s actually easier than you may think - see this old article on the subject. So if you are concerned with such scenarios, then I’d recommend you look into encrypting the boot partition as well (see this) - or, alternatively, you could set up the boot partition on a removable drive…

If instead you, like me, only need to protect your data from thieves, then the procedure I describe here will be good enough, and much simpler. The Ubuntu installer already offers the option to encrypt the disk automatically during installation, and that’s super easy as it’s done for you; however, last time I checked this stores your home directories in the root partition, rather than in a separate home partition. Therefore I prefer manual partitioning so that I can leave the existing home partition untouched when reinstalling, which is what I want most of the time.

Assumptions:

  • you are OK to leave the boot partition unencrypted
  • you want/need to install Ubuntu in UEFI mode (if you want to install Ubuntu with full disk encryption in BIOS mode instead, read the next post)
  • you are OK to use LVM together with LUKS for the encryption
  • you want a separate home partition
  • you are installing to a disk identified as /dev/sda on your system (as it’s the most common case). If your target disk is identified with another device name, then you’ll have to take that into account in the instructions that follow when I am referring to either the disk itself or the partitions within it. For example, my main disk is an NVMe SSD, so the device name is /dev/nvme0n1 and therefore the partitions are named nvme0n1pX.
  • you are OK with Ubuntu’s default encryption settings. You could format the partition to encrypt manually with custom, more secure encryption settings, but if you just want to protect your data from thieves the defaults are just fine.

Installing

First of all, back up your data! We’ll be deleting all the existing partitions from the target disk, so if you need to keep some data do a backup before starting. Then have the system boot from the Ubuntu installation media, and choose “Try Ubuntu” to start Ubuntu in live mode rather than installing it right away.

Run gparted, and do the following:

  • delete all the existing partitions on the target disk
  • create a new partition table of type gpt
  • create a fat32 partition of 256MB with name “EFI System Partition” and label “ESP”, then click “Apply” to actually create the partition
  • right-click on the partition you’ve just created, click “Manage flags” and check “esp”, then click “Apply” again
  • quit gparted

The partition you just created will be identified as /dev/sda1.

Now run the Ubuntu installer, and at the “Installation type” screen select “Something else” to continue with the custom partitioning:

  • create an ext2 partition of 512MB that will be used as /boot (the partition will be identified as /dev/sda2)
  • create a partition for the remaining disk space as “physical volume for encryption”, then enter the passphrase you want to use to unlock the encrypted partition (the partition will be identified as /dev/sda3)

Quit the installer, and open the terminal (ctrl-alt-t). Then proceed with setting up the LVM volumes:

sudo -s
vgcreate system /dev/disk/by-id/dm-name-sda3_crypt
lvcreate -L 2G -n swap system
lvcreate -L 30G -n root system
lvcreate -l 100%FREE -n home system

Notes:

  • you don’t have to create a swap partition, nor does it have to be 2GB. You can skip this if you have plenty of RAM or will be using a swapfile instead
  • the root partition can be even smaller than 30GB, it’s up to you. On my desktop computer it uses only 13GB and I have quite a bit of stuff installed
  • the remaining disk space will be dedicated to the home partition

Reopen the installer leaving the terminal also open, and again choose “Something else” at the “Installation type” screen. Then:

  • select the EFI/ESP partition (/dev/sda1), right-click then click “Change”, and ensure “Use as” is set to “EFI System Partition”
  • select the boot partition (/dev/sda2), right-click then click “Change”, and ensure “Use as” is set to “ext2 file system” and the mount point to “/boot”. Then check “Format the partition” and confirm
  • select the swap volume (/dev/mapper/system-swap) if you have created it, right-click then click “Change”, and ensure “Use as” is set to “swap area”
  • select the root volume (/dev/mapper/system-root), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/”; check “Format the partition” and confirm
  • select the home volume (/dev/mapper/system-home), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/home”; check “Format the partition” and confirm
  • select /dev/sda as “Device for boot loader installation”
  • proceed with the installation but do not reboot when asked and leave the installer open

Back to the terminal, run

blkid /dev/sda3

and take note of the UUID of the encrypted partition. Then run

echo 'sda3_crypt UUID=(the uuid without quotes) none luks,discard' > /target/etc/crypttab

Next, run the following to chroot into the new installation:

mount -t proc proc /target/proc
mount --rbind /sys /target/sys
mount --rbind /dev /target/dev
chroot /target

Install the bootloader:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/sda
grub-mkconfig --output=/boot/efi/EFI/ubuntu/grub/grub.cfg
update-initramfs -ck all
exit
reboot

The system should now boot into the new installation, requiring you to enter the passphrase to unlock the disk first.

Reinstalling

Again, backup your data if needed. Then boot from the installation media and choose “Try Ubuntu” to start Ubuntu in live mode. Open the terminal and run

sudo -s
cryptsetup luksOpen /dev/sda3 sda3_crypt

Enter the passphrase to unlock the existing encrypted partition. Then run the Ubuntu installer leaving the terminal also open and choose “Something else” on the “Installation type” screen; next, configure the partitions:

  • Select the EFI partition (/dev/sda1), right-click then click “Change”, and ensure “Use as” is set to “EFI System Partition”
  • Select the boot partition (/dev/sda2), right-click then click “Change”, and ensure “Use as” is set to “ext2 file system” and the mount point to “/boot”, then check “Format the partition” and confirm
  • Select the swap volume (/dev/mapper/system-swap) if any, right-click then click “Change”, and ensure “Use as” is set to “swap area”
  • Select the root volume (/dev/mapper/system-root), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/”, then check “Format the partition” and confirm
  • Select the home volume (/dev/mapper/system-home), right-click then click “Change”, and ensure “Use as” is set to “ext4 journaling file system” and the mount point to “/home”; do not check “Format the partition” unless you don’t care about the existing data in /home
  • Select /dev/sda as “Device for boot loader installation”

Proceed with the installation but do not reboot when asked and leave the installer open. Back to the terminal, run

blkid /dev/sda3

and take note of the UUID of the encrypted partition, then run

echo 'sda3_crypt UUID=(uuid without quotes) none luks,discard' > /target/etc/crypttab
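Retyping the UUID by hand (both in the initial install and in the reinstall step above) is error-prone, and a wrong crypttab entry means the initramfs cannot find the LUKS container at boot. The following is an added example, not part of the original post: it builds the same `sda3_crypt ... none luks,discard` line from a UUID after validating its shape, and checks an existing crypttab against blkid output before you reboot. The mapping name and options are the ones used above; `write_crypttab` is a hypothetical wrapper for real use on the live system.

```shell
#!/bin/sh
# Added example (not from the original post). POSIX sh, no bashisms.

# Print the crypttab line for MAPPING-NAME and LUKS-UUID, or fail if the
# UUID does not have the 8-4-4-4-12 hex form that blkid prints.
crypttab_line() {
    name=$1
    uuid=$2
    if ! printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        echo "crypttab_line: '$uuid' does not look like a UUID" >&2
        return 1
    fi
    printf '%s UUID=%s none luks,discard\n' "$name" "$uuid"
}

# Check every non-comment entry of crypttab FILE against BLKID-OUTPUT
# (the text printed by `blkid`): each UUID must exist and be crypto_LUKS.
# Returns 0 only if all entries pass.
check_crypttab() {
    tab=$1
    blk=$2
    status=0
    while read -r name src _rest; do
        case "$name" in ''|\#*) continue ;; esac
        case "$src" in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "$name: source is not UUID= based" >&2; status=1; continue ;;
        esac
        # The blkid line carrying this UUID must also report a LUKS header.
        if ! printf '%s\n' "$blk" | grep "UUID=\"$uuid\"" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "$name: UUID $uuid is not a LUKS partition according to blkid" >&2
            status=1
        fi
    done < "$tab"
    return $status
}

# Hypothetical wrapper for the live system (run as root once the installer
# has finished): write_crypttab /dev/sda3 sda3_crypt /target/etc/crypttab
write_crypttab() {
    dev=$1; name=$2; out=$3
    cryptsetup isLuks "$dev" || return 1          # refuse a non-LUKS partition
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    crypttab_line "$name" "$uuid" > "$out" || return 1
    check_crypttab "$out" "$(blkid)"
}
```

Run `check_crypttab /target/etc/crypttab "$(blkid)"` just before `reboot`; a non-zero exit means the entry would not unlock anything at boot.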

Next, run the following to chroot into the new installation:

mount -t proc proc /target/proc
mount --rbind /sys /target/sys
mount --rbind /dev /target/dev
chroot /target

Next, install the bootloader:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/sda
grub-mkconfig --output=/boot/efi/EFI/ubuntu/grub/grub.cfg
update-initramfs -ck all
exit
reboot

The system should now boot into the new installation, and your data in /home should still be there unless you have chosen to format the /home partition.

What to do if/when the system doesn’t boot

If you have made a mistake during the installation, or if for any other reason the system doesn’t boot - not even in recovery mode - then you’ll need to boot again from the installation media and chroot into the installation to fix the issues.

  • Boot from the installation media and choose “Try Ubuntu” to start Ubuntu in live mode
  • Open the terminal and run the following commands to chroot into the installation you want to fix:

sudo mkdir /mnt/root
sudo cryptsetup luksOpen /dev/sda3 sda3_crypt
sudo mount /dev/mapper/system-root /mnt/root
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /run /mnt/root/run
sudo chroot /mnt/root
umount /boot
mkdir /boot
mount /dev/sda2 /boot
mount /dev/sda1 /boot/efi
mount --types=proc proc /proc
mount --types=sysfs sys /sys

(... fix stuff ...)

exit
reboot

Hope this helps.