1. PLEASE READ FIRST
1.1. Ongoing or pending changes
None at this time.
1.2. Important notes — Please read first!
This is an advanced topic, and because of its complexity, it is not recommended for newcomers to Ubuntu or Linux. However, I have done my best to make this accessible to beginners, so if you are a beginner, you are welcome to try. As long as you read and understand the background and overview, and follow the instructions carefully, it "should" be safe.
This is unsupported by Canonical (the creator of Ubuntu), and the writer is just some guy, so I cannot guarantee that this process will work for you. Please back up your data prior to starting, because as with any installation, there is a chance of catastrophic data loss.
Due to a bug (see "Fix the secure boot" under "Bug requests" below), you might have to turn off your BIOS secure boot before installing. Otherwise, you might find yourself unable to boot, and thus have to redo the installation. Please visit the bug and give your support.
Some people find their computer stuck at the black screen after rebooting. If you are stuck at the black screen, please have a look at the Troubleshooting Guide — or ensure that you remembered to turn off Secure Boot.
Advanced users: You might find some useful information in an Arch Linux Full-Disk Encryption Installation Guide.
Please look at the following bug reports, and consider if you would be willing to add your support to each one of them (log in and select the green writing at the top left).
Request that this method, or something like it, be officially implemented. This has been marked as a duplicate of the next bug; it's not quite a duplicate, although it's close.
The ubiquity bug that prevents this from being run in the official installer.
Fix the secure boot to significantly improve computer security.
Unsigned kernel being loaded, preventing full implementation of secure boot.
1.3. Reporting bugs in the documentation or its process.
If you find bugs in this documentation or its process, please report the bugs in the Ubuntu Forums thread for this topic.
If it works for you, please let us know in the same thread which flavour and version you used. I'd love to know!
This document is for you if you wish to use full system encryption with all of these features:
- encrypted Boot
- manual partitioning
and optionally any of these features:
- dual-booting (e.g. with Windows)
- encrypted hibernation
- hybrid suspend
- multi-disk installation
2.1. Advanced features
The following advanced features are possible, but are not covered in this process.
- Take a snapshot of your Ubuntu system, e.g. before doing a risky upgrade, and easily roll back if required.
Requires a good knowledge of LVM, and strongly recommended to have a separate partition for /home.
- Boot from external USB
Put the two small unencrypted parts of the boot system — the bootloader and the ESP (EFI System Partition) — onto a USB stick, so that the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.
- Computer without UEFI
- This process only works on 64-bit computers with UEFI.
If you don't know whether or not your computer uses UEFI, see Basics of EFI.
- Including other systems such as Windows
It should be possible to encrypt absolutely everything, including Windows. This would require Windows or any other system to be installed after following these instructions (so, a built-in Windows installation can't be included).
- I have neither the hardware nor the time to test this, so if you try it, take great care not to lose any data. You will need to be a seasoned user who fully understands the concepts of LUKS and LVM.
Alternatively, you can run Windows inside a virtual machine inside Ubuntu. The most popular (but not the only) tools for this are VirtualBox and VMWare. Your computer needs to be sufficiently powerful to run Windows inside Ubuntu, otherwise it will slow it down considerably.
3. Advanced users and newcomers to Ubuntu
These instructions have tried to assume the least amount of prior knowledge of Linux. Seasoned users will fly through them and will find some of the instructions blatantly obvious, while newcomers will need to read the various sections carefully.
4. Paranoid mode
Encryption can be taken a touch further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.
Where appropriate, notes will be made for this in the instructions. Thinking about it, though, you are at higher risk from social engineering and online hacking.
There are quite a few notes below, but as it is important for you to know the possible potential problems, please read them all.
5.1. Software compatibility
- These instructions are not officially supported by Canonical, and so you use them at your own risk.
- This process has been tested on the following versions.
- This won't work on versions prior to 16.04 without significant change. I hope that it will work on later versions; but I'm hoping the Ubuntu installer will have been fixed before then.
- All Ubuntu-based distributions starting from 18.04 are likely to work, although this is not guaranteed.
At the time of writing, I have been told that Grub and Initramfs do not support ZFS. So, if you intend to use ZFS, please try a workaround (scroll down to "If using ZFS instead of btrfs"). I can't promise that this will work.
Dropbox has terminated support for all Linux systems unless you use unencrypted ext4 or ext4 on plain LUKS. This method uses ext4 and LUKS, but it also uses LVM, so, you won't be able to use Dropbox on your encrypted system. You can try one of the alternatives, e.g. pCloud.
5.2. Data loss
Always, when you install a system, there is a chance of data loss. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:
Take a full backup of all of your data before you start the process.
If you know how to use CloneZilla, you would be well advised to back up your entire disk beforehand.
5.3. Hardware compatibility
These instructions are tailored for 64-bit computers with UEFI as noted in Advanced features above.
- These instructions might work on 32-bit computers with some significant modifications, but I cannot promise this. Also note the next point.
- Encrypting everything is CPU-intensive. Modern computers tend to have fast multiple 64-bit CPUs and dedicated AES (encryption) modules, so on a modern computer, this poses no problem at all. If you are using this process on an older machine, especially 32-bit, you might notice significant decreased speed.
- Hardware can be quite different, and sometimes an OEM does not properly adhere to the standards. This means that the installation cannot be guaranteed to work on your specific hardware, sorry.
- These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work with the right modifications, but I cannot promise this.
If you use the optional swap partition, the process enables hibernation and, if possible, hybrid suspend. While this should work well, some people have reported hardware that doesn't support this. So, you will need to test both hibernation and hybrid suspend on your machine after installation.
A consequence of full system encryption is that you need to type in your system passphrase each time you power on your computer, including after hibernation. This is only for access to Ubuntu; you won't need it for access to other installed systems (e.g. Windows).
- An unfortunate and inconvenient quirk is that if you mistype the system passphrase, you have to reboot your computer to try again. I don't know a way around this.
If you share your computer with anyone else, they need to know the system passphrase — but only if they use Ubuntu. You can give each user (up to seven users including you) a unique passphrase. This isn't included in the instructions, sorry.
You (and any other user) need a strong system passphrase to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's one pretty good method for paranoid mode.
Having a strong system passphrase does not obviate the need for a good account password. Without a password, or with only a weak password:
- You cannot securely lock the computer when it is unattended and powered on.
- Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.
Remember that the system passphrase and the password for your account are not the same. One lets you access Ubuntu in the first place, whereas the other lets you log into Ubuntu after you have accessed your computer.1
5.5. System upgrades
You should always keep a spare Live USB (or Live DVD) for when one of these bugs should occur.
Whenever Ubuntu updates the kernel, Grub remains out of date because of a bug (please visit the bug if you wish to show your support). This system is designed to automatically update Grub when this happens, but if it goes amiss and you find that you cannot boot after a kernel upgrade, please see the Troubleshooting Guide, Computer fails to boot after upgrade or new installation.
If dual-booting with another system, e.g. Windows, and that system performs a significant (not necessarily large) update, or you install Windows from scratch, it might break Grub. If this should happen, use your Live USB (or Live DVD) and follow the Troubleshooting Guide, Computer fails to boot after upgrade or new installation.
6. Document Structure
Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and then only for full-disk encryption, this installation process is rather more complicated than we might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.
The Background provides summary of the options; features; benefits and downsides; and purpose and limitations.
It contains important notes and further caveats, so please read the Background before proceeding.
6.2. The basics
Understanding several concepts is necessary to successfully complete the installation.
If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding otherwise you might be confused later.
A seasoned user can skip each section where you are already familiar and experienced with the topic.
Command line interface (CLI), aka the terminal
UEFI, aka EFI
Partitioning, including naming of partitions and of file systems
6.3. High-level overview
Complete the high-level overview before you proceed. It explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.
6.4. Detailed process
The detailed process shows exactly how to prepare your system and install Ubuntu with encryption.
The process takes into account dual-booting and, optionally, paranoid mode.
Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering.
Refer to the troubleshooting guide for some pointers.
In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login. (1)