1. Purpose


April 2017:

  • These instructions are "beta", which means that some errors may be present.


This document is for you if you wish to use full system encryption with all of these features:

  • LUKS
  • LVM
  • encrypted Boot
  • manual partitioning

and optionally any of these features:

  • dual-booting
  • encrypted hibernation
  • hybrid suspend
  • multi-disk installation

1.1. Advanced features

The following advanced features are possible, but are not covered in this process.

Snapshot
Take a snapshot of your Ubuntu system, e.g. before doing a risky upgrade, and easily roll back if required.

Requires a good knowledge of LVM, and strongly recommended to have a separate partition for /home.

Boot from external USB

Put the two small unencrypted parts of the boot system — the bootloader and the ESP (EFI System Partition) — onto a USB stick, so that the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.

Computer without UEFI
This process only works on computers with UEFI.
On a computer without UEFI, a modified process will work, but the Boot partition cannot be encrypted. However, you can boot from an external USB to mitigate this problem (see the previous point).

If you don't know whether or not your computer uses UEFI, see Basics of EFI.

2. Advanced users and newcomers to Ubuntu

These instructions have tried to assume the least amount of prior knowledge of Linux. Seasoned users will fly through them and will find some of the instructions blatantly obvious, while newcomers will need to read the various sections carefully.

3. Known bugs

Please be sure to read and understand both the known bugs and the caveats before deciding to proceed.

4. Paranoid mode

Encryption can be taken a little further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.

Where appropriate, notes will be made for this in the instructions. Although, thinking about it, you are probably at higher risk from social engineering and online hacking.

5. Caveats

There are quite a few notes below, but as it is important for you to know the possible potential problems, please read them all. (Further limitations are described in Known Bugs and the Background.)

5.1. Software compatibility

  • These instructions are not officially supported by Canonical, and so you use them at your own risk.
  • This process has been tested on:
  • This is unlikely to work on versions prior to 16.04. It will probably will work on later versions, at least for several years; but I'm hoping the Ubuntu installer will have been fixed by then.
  • All Ubuntu-based distributions (starting from 16.04) are likely to work, although this is not guaranteed.
  • At the time of writing, I have been told that Grub and Initramfs do not support ZFS. So, if you intend to use ZFS, please try a workaround (scroll down to "If using ZFS instead of btrfs").

5.2. Data loss

  • Always, when you install a system, there is a chance of data loss. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:

  • Take a full backup of all of your data before you start the process.

  • If you know how to use CloneZilla, you would be well advised to back up your entire disk beforehand.

5.3. Hardware compatibility

  • These instructions are tailored for computers with UEFI as noted in Advanced features above.

  • Therefore, this is tailored for 64-bit computers. These instructions probably will work on 32-bit computers with some important modifications, but I cannot promise this. Also see the next point.
  • Encrypting everything is CPU-intensive. Modern computers tend to have fast multiple 64-bit CPUs and dedicated AES (encryption) modules, so on a modern computer, this poses no problem at all. If you are using this process on an older machine, especially 32-bit, you might notice decreased speed.
  • Hardware can be quite different, and sometimes an OEM does not properly adhere to the standards. This means that the installation cannot be guaranteed to work on your specific hardware, sorry.
  • These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work with the right modifications, but I cannot promise this.
  • The process enables hibernation and hybrid suspend. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.

5.4. Encryption

  • A consequence of full system encryption is that you need to type in your system passphrase each time you power on your computer, including after hibernation. This is only for access to Ubuntu; you won't need it for access to other installed systems (e.g. Windows).

    • An unfortunate and inconvenient quirk is that if you mistype the system passphrase, you have to reboot your computer to try again. I do not know a way around this.
    • If you share your computer with anyone else, they need to know the system passphrase — but only if they use Ubuntu. You can give each user (up to seven users including you) a unique passphrase. This is included in the instructions.

    • You (and any other user) need a strong system passphrase to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's one pretty good method for paranoid mode.

  • Having a strong system passphrase does not obviate the need for a good account password. Without a password, or with only a weak password:

    • You cannot lock the computer when it is unattended and powered on.
    • Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.

    Remember that the system passphrase and the password for your account are not the same. One lets you access Ubuntu in the first place, whereas the other lets you log into Ubuntu after you have accessed your computer.1

6. Document Structure

Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and then only for full-disk encryption, this installation process is rather more complicated than we might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.

6.1. Background

The Background provides summary of the options; features; benefits and downsides; and purpose and limitations.

It contains important notes and further caveats, so please read the Background before proceeding.

6.2. The basics

Understanding several concepts is necessary to successfully complete the installation.

If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding otherwise you might be confused later.

A seasoned user can skip each section where you are already familiar and experienced with the topic.

6.3. High-level overview

Complete the high-level overview before you proceed. It explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.

6.4. Detailed process

The detailed process shows exactly how to prepare your system and install Ubuntu with encryption.

The process takes into account dual-booting and, optionally, paranoid mode.

6.5. Troubleshooting

Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering.

Refer to the troubleshooting guide for some pointers.


  1. In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login. (1)

ManualFullSystemEncryption (last edited 2017-05-26 13:54:38 by paddy-landau)