1. PLEASE READ FIRST
Seriously: read these notes before deciding how to proceed.
1.1. Future versions of Ubuntu
1.1.1. This process has been tested on 18.04 and 20.04 only.
This has not been tested on any other version. Therefore, use this on any other version at your own risk!
Special note for 20.04: This works only if using LUKS 1. It doesn't work with LUKS 2. I don't know why.
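A check to go with the 20.04 note, added here as an example and not part of the original guide: the GRUB 2.04 that ships with Ubuntu 20.04 cannot open LUKS2 containers (LUKS2 support only arrived in GRUB 2.06), and cryptsetup 2.1 and later create LUKS2 by default, so the container holding /boot has to be formatted with an explicit --type luks1. The functions below build that luksFormat command and read the header version out of cryptsetup luksDump output. The device path /dev/sda3 and the two sample dumps are constructed for illustration; run the real commands as root against your own partition.

```sh
#!/bin/sh
# Added example, not from the original guide. Device path and sample
# luksDump output are constructed for illustration.

# Command that creates a LUKS1 container. --type luks1 is mandatory on
# 20.04 because cryptsetup >= 2.1 defaults to LUKS2, which GRUB 2.04
# cannot unlock. Cipher/hash/key size are left at cryptsetup's defaults.
luks1_format_cmd() {
    # $1 = partition to encrypt, e.g. /dev/sda3 (assumed to exist already)
    printf 'cryptsetup luksFormat --type luks1 %s\n' "$1"
}

# Read the header version (1 or 2) from `cryptsetup luksDump <dev>` text on stdin.
luks_version() {
    sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# Exit 0 when the dump on stdin describes a LUKS1 header, i.e. one GRUB 2.04 can open.
is_luks1() {
    [ "$(luks_version)" = "1" ]
}

# Constructed samples, laid out like real `cryptsetup luksDump` output.
SAMPLE_LUKS1='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
'
SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          3
'

# Interactive use on a real system (needs root):
#   sudo cryptsetup luksDump /dev/sda3 | is_luks1 && echo "LUKS1: GRUB 2.04 can open it"
# To (re)create the container as LUKS1 (this destroys whatever is on the partition):
#   sudo $(luks1_format_cmd /dev/sda3)
```

If luksDump reports Version 2 on a container that GRUB must unlock, the fix is to recreate it with the command above before installing; there is no in-place downgrade from LUKS2 to LUKS1 in cryptsetup.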
If you want Canonical to implement full encryption, please see the four Bug requests (below) and add your vote.
1.1.2. Expert users: Migrating from an unencrypted installation to an encrypted installation.
Thank you to Jernej Jakob, who created instructions to convert an unencrypted installation. The instructions are for PureOS, but Jernej says that it also works on Ubuntu.
1.1.3. Expert users: Installing from scratch using another — probably better — method.
I haven't tested the following, but others have reported success.
Version 18.04 (now out of date)
This alternative Full Disk Encryption by Tj looks promising.
Also look at the instructions for Debian, which might help.
There is a general explanation and how-to, which is not intended for Ubuntu, but is useful to understand the concepts.
Then look at the instructions for installing Ubuntu 20.04 on BTRFS and Timeshift. This allows snapshots, which is especially useful if you often mess about with your system and break things!
Version 20.10 and later
I have come to the point where maintaining these instructions has become too difficult for me. In addition, modern hardware is better able to deal with virtual machines. If you purchase a new computer with at least 16 GB RAM, I strongly recommend that instead of using dual boot, you install as follows.
- Install the latest Ubuntu LTS.
- Use LTS rather than the non-LTS versions, unless you want to test the beta versions.
- Be sure to choose full-disk encryption during the installation. Canonical supports this method.
This will erase your entire drive! So, first back up your data if you've already started to use the computer.
But, this will encrypt your entire drive excluding /boot and the EFI System Partition.
- Install Windows in a virtual machine. This should run well on a modern computer with at least 16 GB RAM (it does on mine).
- If you purchased a Windows computer, this process will erase the Windows partition. You can then reuse the license key that came with Windows, usually attached as a sticker to the back or underside of your computer, when you install Windows in the virtual machine.
Be sure to make a note of the license key before erasing Windows from your computer.
- Be sure to test your backups, not only for your primary Ubuntu installation but also for your virtual machines.
- You don't have to dual boot; you can run multiple OSes at the same time, subject to your computer hardware.
- Your entire drive, and by extension all of your virtual machines (including Windows) will be fully encrypted.
- You don't need to be an expert user to do this.
- If you use Windows heavily, e.g. to edit large video files, you'll probably need at least 32 GB RAM.
- I have no idea if this strategy will work on Apple computers.
If you have multiple drives in the computer, e.g. a smaller SSD for your operating system and a larger hard drive for your data, you need to ensure that all of the drives are encrypted. If in doubt how to do this when installing, ask on the Ubuntu Forums subforum Installation & Upgrades.
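A check for the multi-drive case, added here as an example and not part of the original guide: after installation, list every partition on every drive that does not carry a LUKS header, so you can confirm that nothing except the EFI System Partition (and, if you used Canonical's installer, /boot) is left unencrypted. The functions read the output of lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT; the two lsblk samples below are constructed. A dual-boot Windows partition will naturally appear in the list; whether that is acceptable is your decision.

```sh
#!/bin/sh
# Added example, not from the original guide. The lsblk samples are constructed.

# Reads `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` on stdin and prints
# "NAME FSTYPE MOUNTPOINT" for every partition that is not a LUKS container.
# Empty fields are printed as "-" so the output stays three columns.
# Fields split on the double quote: $2=NAME $4=TYPE $6=FSTYPE $8=MOUNTPOINT.
unencrypted_partitions() {
    awk -F'"' '$4 == "part" && $6 != "crypto_LUKS" {
        print $2, ($6 == "" ? "-" : $6), ($8 == "" ? "-" : $8)
    }'
}

# Same, but drops partitions mounted at one of the mountpoints given as
# arguments (the ones you expect to stay unencrypted, e.g. /boot/efi).
unexpected_unencrypted() {
    allowed=" $* "
    unencrypted_partitions | while read -r name fstype mnt; do
        case "$allowed" in
            *" $mnt "*) ;;   # expected to be unencrypted
            *) printf '%s %s %s\n' "$name" "$fstype" "$mnt" ;;
        esac
    done
}

# Exit 0 when every partition is LUKS except those at the allowed mountpoints.
all_encrypted_except() {
    [ -z "$(unexpected_unencrypted "$@")" ]
}

# Constructed: second drive has an unencrypted data partition and an empty one.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda2_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
NAME="sdb2" TYPE="part" FSTYPE="" MOUNTPOINT=""'

# Constructed: the layout this guide aims for, only the ESP left in the clear.
SAMPLE_LSBLK_OK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda2_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"'

# On a real system:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | unexpected_unencrypted /boot/efi
# prints nothing when everything but the ESP is inside LUKS.
```

Partitions with no filesystem at all are reported too (as "-"), because an unformatted or unrecognised partition is exactly where forgotten plaintext tends to live.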
1.2. Important notes — Please read first!
This is an advanced topic, and because of its complexity, it is not recommended for newcomers to Ubuntu or Linux. However, I have done my best to make this accessible to beginners, so if you are a beginner, you are welcome to try. As long as you read and understand the background and overview, and follow the instructions carefully, it "should" be safe.
This is unsupported by Canonical (the creator of Ubuntu), and the writer is just some guy, so I cannot guarantee that this process will work for you. Please back up your data prior to starting, because as with any installation, there is a chance of catastrophic data loss.
Due to a bug (see "Fix the secure boot" under Bug requests below), you might have to turn off your BIOS secure boot before installing. Otherwise, you might find yourself unable to boot, and thus have to redo the installation. Please visit the bug and give your support.
Some people find their computer stuck at the black screen after rebooting. If you are stuck at the black screen, please have a look at the Troubleshooting Guide — or ensure that you remembered to turn off Secure Boot.
Advanced users: You might find some useful information in an Arch Linux Full-Disk Encryption Installation Guide.
Advanced users with NVMe: You might find this thread by krisztian_andre, with a modified script, to be useful: Full System Encryption + non-bootable NVMe drive + bootable USB drive
Using BTRFS: You can find important information in Ubuntu Full System Encryption with BTRFS.
1.3. Bug requests
Please look at the following bug reports, and consider if you would be willing to add your support to each one of them (log in and select the green writing at the top left).
Request that this method, or something like it, be officially implemented. This has been marked as a duplicate of the next bug; it's not quite a duplicate, although it's close.
The ubiquity bug that prevents this from being run in the official installer.
Fix the secure boot to significantly improve computer security.
Unsigned kernel being loaded, preventing full implementation of secure boot.
1.4. Reporting bugs in the documentation or its process.
If you find bugs in this documentation or its process, please report the bugs in the Ubuntu Forums thread for this topic.
If it works for you, please let us know in the same thread which flavour and version you used. I'd love to know!
This document is for you if you wish to use full system encryption with all of these features:
- encrypted /boot
- manual partitioning
and optionally any of these features:
- dual-booting (e.g. with Windows)
- encrypted hibernation
- hybrid suspend
- multi-disk installation
2.1. Advanced features
The following advanced features are possible, but are not covered in this process.
- Take a snapshot of your Ubuntu system, e.g. before doing a risky upgrade, and easily roll back if required.
This requires a good knowledge of LVM, and it is strongly recommended to have a separate partition for /home.
- Boot from external USB
Put the two small unencrypted parts of the boot system — the bootloader and the ESP (EFI System Partition) — onto a USB stick, so that the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.
- Computer without UEFI
- This process only works on 64-bit computers with UEFI.
If you don't know whether or not your computer uses UEFI, see Basics of EFI.
- Including other systems such as Windows
It should be possible to encrypt absolutely everything, including Windows. This would require Windows or any other system to be installed after following these instructions (so, a built-in Windows installation can't be included).
- I have neither the hardware nor the time to test this, so if you try it, take great care not to lose any data. You will need to be a seasoned user who fully understands the concepts of LUKS and LVM.
Alternatively, you can run Windows inside a virtual machine inside Ubuntu. The most popular (but not the only) tools for this are VirtualBox and VMware. Your computer needs to be powerful enough to run Windows inside Ubuntu; otherwise both systems will slow down considerably.
3. Advanced users and newcomers to Ubuntu
These instructions have tried to assume the least amount of prior knowledge of Linux. Seasoned users will fly through them and will find some of the instructions blatantly obvious, while newcomers will need to read the various sections carefully.
4. Paranoid mode
Encryption can be taken a touch further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.
Where appropriate, notes will be made for this in the instructions. Thinking about it, though, you are at higher risk from social engineering and online hacking.
There are quite a few notes below, but as it is important for you to know the possible potential problems, please read them all.
5.1. Software compatibility
- These instructions are not officially supported by Canonical, and so you use them at your own risk.
- This process has been tested only on 18.04 and 20.04 (see above).
- This won't work on versions prior to 16.04 without significant change. I hope that it will work on later versions, but I'm hoping the Ubuntu installer will have been fixed before then.
- All Ubuntu-based distributions starting from 18.04 are likely to work, although this is not guaranteed.
At the time of writing, I have been told that Grub and Initramfs do not support ZFS. So, if you intend to use ZFS, please try a workaround (scroll down to "If using ZFS instead of btrfs"). I can't promise that this will work.
5.2. Data loss
Always, when you install a system, there is a chance of data loss. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:
Take a full backup of all of your data before you start the process.
If you know how to use Clonezilla, you would be well advised to back up your entire disk beforehand.
5.3. Hardware compatibility
These instructions are tailored for 64-bit computers with UEFI as noted in Advanced features above.
- These instructions might work on 32-bit computers with some significant modifications, but I cannot promise this. Also note the next point.
- Encrypting everything is CPU-intensive. Modern computers have fast multi-core 64-bit CPUs with hardware AES acceleration (AES-NI), so on a modern computer this poses no problem at all. If you are using this process on an older machine, especially a 32-bit one, you might notice significantly reduced speed.
- Hardware can be quite different, and sometimes an OEM does not properly adhere to the standards. This means that the installation cannot be guaranteed to work on your specific hardware, sorry.
- These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work with the right modifications, but I cannot promise this.
If you use the optional swap partition, the process enables hibernation and, if possible, hybrid suspend. While this should work well, some people have reported hardware that doesn't support this. So, you will need to test both hibernation and hybrid suspend on your machine after installation.
A consequence of full system encryption is that you need to type in your system passphrase each time you power on your computer, including after hibernation. This is only for access to Ubuntu; you won't need it for access to other installed systems (e.g. Windows).
- An unfortunate and inconvenient quirk is that if you mistype the system passphrase, you have to reboot your computer to try again. I don't know a way around this.
If you share your computer with anyone else, they need to know the system passphrase — but only if they use Ubuntu. You can give each user (up to seven users including you) a unique passphrase. This isn't included in the instructions, sorry.
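The per-user passphrases mentioned above are done with LUKS key slots, and here is an added example of managing them (not part of the original guide's instructions). LUKS1 has eight key slots in total; how many remain for extra passphrases depends on how many are already in use on your container. The functions build the cryptsetup commands to add and revoke a passphrase and read slot usage out of cryptsetup luksDump output. The device path /dev/sda3 and the sample dump are constructed; run the real commands as root. One caveat worth knowing: every slot unwraps the same master key, so destroying a user's slot stops their passphrase from working but does not change the key the data is encrypted with.

```sh
#!/bin/sh
# Added example, not from the original guide. Device path and sample
# luksDump output are constructed for illustration.

# Command to add another passphrase. cryptsetup first asks for an existing
# passphrase (any enabled slot), then for the new one, and puts the new
# one in the first free slot.
add_user_passphrase_cmd() {
    printf 'cryptsetup luksAddKey %s\n' "$1"
}

# Command to revoke one user's passphrase by wiping its slot.
# Caveat: all slots protect the same master key, so this does not rotate
# the key the data is encrypted with. A user who dumped the master key
# while they still had access (cryptsetup luksDump --dump-master-key)
# can still read the disk; only re-encrypting the container changes that.
kill_slot_cmd() {
    # $1 = device, $2 = slot number 0-7
    printf 'cryptsetup luksKillSlot %s %s\n' "$1" "$2"
}

# Print the numbers of the enabled slots from `cryptsetup luksDump` text on stdin.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED.*/\1/p'
}

# How many of the eight LUKS1 slots are still free.
free_slot_count() {
    used=$(enabled_slots | grep -c .) || used=0
    echo $((8 - used))
}

# Exit 0 only if slot $1 is enabled AND it is not the last enabled slot:
# killing the last slot would leave the disk permanently unopenable.
can_kill_slot() {
    slots=$(enabled_slots)
    count=$(printf '%s\n' "$slots" | grep -c .) || count=0
    [ "$count" -gt 1 ] && printf '%s\n' "$slots" | grep -qx "$1"
}

# Constructed sample: two users, six slots free.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
	Iterations:             1234567
Key Slot 1: ENABLED
	Iterations:             1234567
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
'

# Interactive use on a real system (needs root):
#   sudo cryptsetup luksDump /dev/sda3 | free_slot_count
#   sudo $(add_user_passphrase_cmd /dev/sda3)
#   sudo cryptsetup luksDump /dev/sda3 | can_kill_slot 1 && sudo $(kill_slot_cmd /dev/sda3 1)
```

Before revoking a slot, check with luksDump which slot belongs to which user; cryptsetup does not label them, so keep your own note of who holds which slot number. Back up the LUKS header (cryptsetup luksHeaderBackup) before any slot change.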
You (and any other user) need a strong system passphrase to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's one pretty good method for paranoid mode.
Having a strong system passphrase does not obviate the need for a good account password. Without a password, or with only a weak password:
- You cannot securely lock the computer when it is unattended and powered on.
- Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.
Remember that the system passphrase and the password for your account are not the same. One lets you access Ubuntu in the first place, whereas the other lets you log into Ubuntu after you have accessed your computer. (1)
5.5. System upgrades
You should always keep a spare Live USB (or Live DVD) to hand, in case one of the following problems occurs.
Whenever Ubuntu updates the kernel, Grub remains out of date because of a bug (please visit the bug if you wish to show your support). This system is designed to automatically update Grub when this happens, but if it goes amiss and you find that you cannot boot after a kernel upgrade, please see the Troubleshooting Guide, Computer fails to boot after upgrade or new installation.
If dual-booting with another system, e.g. Windows, and that system performs a significant (not necessarily large) update, or you install Windows from scratch, it might break Grub. If this should happen, use your Live USB (or Live DVD) and follow the Troubleshooting Guide, Computer fails to boot after upgrade or new installation.
6. Document Structure
Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and then only for full-disk encryption, this installation process is rather more complicated than we might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.
The Background provides a summary of the options; features; benefits and downsides; and purpose and limitations.
It contains important notes and further caveats, so please read the Background before proceeding.
6.2. The basics
Understanding several concepts is necessary to successfully complete the installation.
If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding otherwise you might be confused later.
A seasoned user can skip each section where you are already familiar and experienced with the topic.
Command line interface (CLI), aka the terminal
UEFI, aka EFI
Partitioning, including naming of partitions and of file systems
6.3. High-level overview
Complete the high-level overview before you proceed. It explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.
6.4. Detailed process
The detailed process shows exactly how to prepare your system and install Ubuntu with encryption.
The process takes into account dual-booting and, optionally, paranoid mode.
Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering.
Refer to the troubleshooting guide for some pointers.
In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login. (1)