The Ubuntu 16.04 installer has the option to install full disk encryption using LVM if you are erasing everything on the hard drive. However, if you want to dual boot (use some of the hard drive for Windows, and the rest for Linux) the automated installer won’t allow you to automagically use full disk encryption.<\/p>\n
You can still make it work, but have to do a lot of manual work using a terminal from the Live CD environment. \u00a0 Here is a log of what I had to do to get it working for me.<\/p>\n
<\/p>\n
Use gparted to create an ext4 \/boot partition (I used 400 MB in size).
\nUse gparted to create a “physical volume for encryption”<\/p>\n
Open a terminal and use the following commands to set up the volume with LUKS encryption, and then create sub-volumes of swap and root. \u00a0 (The directions below assume your encrypted partiton is \/dev\/sda6, change that as needed.)<\/p>\n
Then we set up LVM inside the encrypted partition with the following commands. I used the name vgpool for my “volume group pool” but you could use any unique name.<\/p>\n Then we create the swap partition inside (I used 3G for 3 gigs)<\/p>\n I used the rest of the available space for the \/root partition.<\/p>\n Then I formatted both of them…<\/p>\n mkfs -t ext4 \/dev\/vgpool\/root<\/p>\n At this point, I was able to go back into the Ubuntu installer and select You have to tell Linux to mount the encrypted filesystems upon bootup, so before you reboot for the first time at the end of the install, you need to tweak a few config files (inside the chrooted environment) \u00a0 as follows:<\/p>\n Use the “sudo blkid” command to find the UUID’s of your physical partition used for encryption…<\/p>\n (my UUID was for \/dev\/sda6 which is the physical deviced used for \/dev\/mapper\/crypt6…)<\/p>\n Add an \/etc\/crypttab file with an entry to unencrypt and mount the LVM.<\/p>\n (I \u00a0 verified that \/dev\/mapper\/vgpool-root was being mounted as \/ and Then I had to do some fancy work to get my \/dev\/sda5 boot partition mounted under the \/mnt\/root\/boot name, and then chmod into \/mnt\/root, making it my new \/ sudo mount \/dev\/mapper\/vgpool-root \/mnt\/root sudo mount –bind \/dev \/mnt\/root\/dev sudo chroot \/mnt\/root<\/p>\n update-grub<\/p>\n grub-install \/dev\/sda<\/p>\n update-initramfs -u -k all After all of this work, I was able to reboot and the Linux system would prompt me for the full disk encryption pass-phrase and then boot normally.<\/p>\n","protected":false},"excerpt":{"rendered":" The Ubuntu 16.04 installer has the option to install full disk encryption using LVM if you are erasing everything on the hard drive. However, if you want to dual boot (use some of the hard drive for Windows, and the … Continue reading sudo cryptsetup luksFormat \/dev\/sda6<\/code>
\nYou will have to type YES and enter a passphrase twice to encrypt your disk.<\/p>\nsudo cryptsetup luksOpen \/dev\/sda6 \u00a0 crypt6<\/code>
\nYou will be asked to re-enter the passphrase above… crypt6 is just a name I picked, you can pick any unique name here instead…<\/p>\nsudo pvcreate \/dev\/mapper\/crypt6
\nsudo vgcreate vgpool \/dev\/mapper\/crypt6<\/code><\/p>\nlvcreate -L 3G -n swap vgpool<\/code><\/p>\nlvcreate -n root -l 100%FREE vgpool<\/code><\/p>\nmkswap \/dev\/vgpool\/swap<\/code><\/p>\n
\n“Something else” for the formatting options and use the “change” option to mount the swap and root and boot partitions appropriately and proceed with the install.<\/p>\ncrypt6 UUID=<myUUIDfoundAbove> \u00a0 \u00a0 \u00a0none \u00a0 \u00a0 \u00a0luks<\/code><\/p>\n
\n\/dev\/mapper\/vgpool-swap was being mounted as swap in the fstab file…
\nas well as the \/boot partition.)<\/p>\n
\nand update the initramfs image. I also updated the grub install, which may or may not be strictly necessary…<\/p>\nsudo mkdir \/mnt\/root<\/code><\/p>\n
\nsudo mount \/dev\/sda5 \/mnt\/root\/boot<\/p>\n
\nsudo mount –bind \/dev\/pts \/mnt\/root\/dev\/pts
\nsudo mount –bind \/proc \u00a0 \/mnt\/root\/proc
\nsudo mount –bind \/sys \/mnt\/root\/sys
\nsudo mount –bind \/run \/mnt\/root\/run<\/p>\n
\n#check your work:
\nlsinitramfs \/boot\/initrd* | grep cryptsetup<\/p>\n