The Ubuntu 16.04 installer has the option to install full disk encryption using LVM if you are erasing everything on the hard drive. However, if you want to dual boot (use some of the hard drive for Windows, and the rest for Linux) the automated installer won’t allow you to automagically use full disk encryption.
You can still make it work, but have to do a lot of manual work using a terminal from the Live CD environment. Here is a log of what I had to do to get it working for me.
Use gparted to create an ext4 /boot partition (I used 400 MB in size).
Use gparted to create a “physical volume for encryption”
Open a terminal and use the following commands to set up the volume with LUKS encryption, and then create logical volumes for swap and root inside it. (The directions below assume your encrypted partition is /dev/sda6; change that as needed.)
sudo cryptsetup luksFormat /dev/sda6
You will have to type YES and enter a passphrase twice to encrypt your disk.
sudo cryptsetup luksOpen /dev/sda6 crypt6
You will be asked to re-enter the passphrase above… crypt6 is just a name I picked, you can pick any unique name here instead…
Then we set up LVM inside the encrypted partition with the following commands. I used the name vgpool for my “volume group pool” but you could use any unique name.
sudo pvcreate /dev/mapper/crypt6
sudo vgcreate vgpool /dev/mapper/crypt6
Then we create the swap volume inside it (I used 3G for 3 gigs)
sudo lvcreate -L 3G -n swap vgpool
I used the rest of the available space for the root (/) volume.
sudo lvcreate -n root -l 100%FREE vgpool
Then I formatted both of them…
sudo mkswap /dev/vgpool/swap
sudo mkfs -t ext4 /dev/vgpool/root
At this point, I was able to go back into the Ubuntu installer and select “Something else” for the formatting options and use the “change” option to mount the swap and root and boot partitions appropriately and proceed with the install.
You have to tell Linux to mount the encrypted filesystems upon bootup, so before you reboot for the first time at the end of the install, you need to tweak a few config files as follows:
Use the “sudo blkid” command to find the UUIDs of your partitions; the one you need is the UUID of the physical partition used for encryption…
(my /dev/sda6 used for /dev/mapper/crypt6 was the UUID I needed to know…)
Add an /etc/crypttab file with an entry that unlocks the LUKS partition at boot so the LVM volumes inside it can be mounted.
crypt6 UUID=<myUUIDfoundAbove> none luks
(I verified that /dev/mapper/vgpool-root was being mounted as / and
/dev/mapper/vgpool-swap was being mounted as swap in the fstab file…
as well as the /boot partition.)
Then I had to do some extra work to get my /dev/sda5 boot partition mounted under /mnt/root/boot, then chroot into /mnt/root, making it my new /,
and update the initramfs image so it contains the cryptsetup tools needed to unlock the root volume. I also updated the grub install, which may or may not be strictly necessary…
sudo mkdir /mnt/root
sudo mount /dev/mapper/vgpool-root /mnt/root
sudo mount /dev/sda5 /mnt/root/boot
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /dev/pts /mnt/root/dev/pts
sudo mount --bind /proc /mnt/root/proc
sudo mount --bind /sys /mnt/root/sys
sudo mount --bind /run /mnt/root/run
sudo chroot /mnt/root
update-grub
grub-install /dev/sda
update-initramfs -u -k all
#check your work:
lsinitramfs /boot/initrd* | grep cryptsetup
After all of this work, I was able to reboot and the Linux system would prompt me for the full disk encryption pass-phrase and then boot normally.
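A script to double-check the crypttab / blkid / fstab pairing before that first reboot, added here as an example and not part of the original post. It assumes the crypttab entry uses the UUID= form and the volume group is called vgpool as above; the blkid, crypttab and fstab contents it checks are constructed sample files, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): before rebooting, confirm that
# /etc/crypttab points at the UUID blkid reports for the crypto_LUKS partition
# and that fstab puts / and swap on the LVM volumes inside it. A mismatch here
# is what leaves you at an initramfs prompt instead of the passphrase prompt.
# Assumes the UUID= form in crypttab and the vgpool volume group name.

# Print the UUID that crypttab maps the given mapper name to (empty if none).
crypttab_uuid() {
    awk -v n="$1" '$1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$2"
}

# Succeed only if blkid lists that UUID on a partition of type crypto_LUKS.
luks_uuid_in_blkid() {
    grep -q "UUID=\"$1\".*TYPE=\"crypto_LUKS\"" "$2"
}

# Print the device fstab uses for a mount point and fs type ("none" "swap" for swap).
fstab_device() {
    awk -v mp="$1" -v t="$2" '$1 !~ /^#/ && $2 == mp && $3 == t { print $1; exit }' "$3"
}

# check_crypt_setup NAME VG CRYPTTAB BLKID FSTAB: returns 0 if all three files agree.
check_crypt_setup() {
    ccs_uuid=$(crypttab_uuid "$1" "$3")
    [ -n "$ccs_uuid" ] || { echo "no UUID= entry for $1 in $3"; return 1; }
    luks_uuid_in_blkid "$ccs_uuid" "$4" || { echo "$ccs_uuid is not a crypto_LUKS UUID in blkid output"; return 1; }
    [ "$(fstab_device / ext4 "$5")" = "/dev/mapper/$2-root" ] || { echo "/ is not on /dev/mapper/$2-root"; return 1; }
    [ "$(fstab_device none swap "$5")" = "/dev/mapper/$2-swap" ] || { echo "swap is not on /dev/mapper/$2-swap"; return 1; }
    echo "crypttab, blkid and fstab agree for $1 / $2"
}

# Write constructed sample files into DIR (stand-ins for blkid output, /etc/crypttab, /etc/fstab).
write_sample_files() {
    printf '/dev/sda5: UUID="11111111-aaaa-4bbb-8ccc-222222222222" TYPE="ext4"\n' > "$1/blkid"
    printf '/dev/sda6: UUID="33333333-dddd-4eee-8fff-444444444444" TYPE="crypto_LUKS"\n' >> "$1/blkid"
    printf 'crypt6 UUID=33333333-dddd-4eee-8fff-444444444444 none luks\n' > "$1/crypttab"
    printf '/dev/mapper/vgpool-root / ext4 errors=remount-ro 0 1\n' > "$1/fstab"
    printf 'UUID=11111111-aaaa-4bbb-8ccc-222222222222 /boot ext4 defaults 0 2\n' >> "$1/fstab"
    printf '/dev/mapper/vgpool-swap none swap sw 0 0\n' >> "$1/fstab"
}

d=$(mktemp -d)
write_sample_files "$d"
check_crypt_setup crypt6 vgpool "$d/crypttab" "$d/blkid" "$d/fstab"
# A one-character slip while copying the UUID by hand is caught before reboot:
printf 'crypt6 UUID=33333333-dddd-4eee-8fff-444444444445 none luks\n' > "$d/crypttab"
check_crypt_setup crypt6 vgpool "$d/crypttab" "$d/blkid" "$d/fstab" || echo "(expected failure above)"
rm -rf "$d"
```

On a real install, run it against /etc/crypttab, /etc/fstab and a saved copy of the blkid output from inside the chroot, before the final reboot.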