Linux distributions have done a great job to get additional protection by bringing full disk encryption and being the market leader.

Ubuntu also is bundled with numerous features and disk encryption is one of them. Enabling full disk encryption is crucial for those who want to secure their private data at any cost even if your device is stolen as it requires you to enter the passcode at each boot.

The full disk encryption can only be enabled while installing the Operating System as the full disk encryption will be applied to each partition of your drive which also includes the boot and swap partition. And this is the reason why we are required to enable it from the beginning of the installation.

This step-by-step tutorial will guide you on how you can enable full disk encryption on Ubuntu 22.04 and for that purpose, we are going to utilize the LVM (Logical Volume Management) and LUKS (for encryption purposes).

Prerequisites:

• A bootable USB drive.
• Internet connection with enough bandwidth to download large files.
• UEFI enabled motherboard.

But before jumping to the process, let’s have a brief idea about the pros and cons of Disk Encryption.

Pros and Cons of Disk Encryption

Each feature is bundled with its pros and cons and this is also applicable in the case of disk encryption. So it is always a good idea to know what to expect and what not from the steps which are going to make.

Pros:

• Protects your sensitive data from theft – Yes, this is the most exciting feature of disk encryption as your private data will always be secured even if your system is stolen. This point is more appropriate in the case of mobile devices such as Laptops which has more chances of being stolen.
• Saves your data from surveillance – The chances of your system being hacked are minimal on Linux but can be done if the user is not smart enough to protect himself from fishy scams. Even if your computer is under attack, the hacker won’t be able to access your data which is another proof enabling it.

Cons:

• Impact on Performance – This can be only applied to the systems with few resources as the modern computer can handle the encryption without any issue but still you will find a little slower read and write speeds while usage.

According to us, full disk encryption is always the wise choice as it offers plenty of pros while it is easy to overcome the cons with a few more resources. So if you are ok with a little performance drop for better security, let’s start the encryption process.

Encrypting Entire Disk in Ubuntu 22.04

This is beginner friendly guide and it is supposed to guide you through each step meanwhile advanced users can still benefit from it.

Step 1: Download Ubuntu 22.04 ISO

Visit the official Ubuntu download page and choose the Ubuntu 22.04 LTS version, which will automatically start downloading it.

Step 2: Create a Bootable Ubuntu USB Drive

To flash the Ubuntu ISO image to the USB drive, we are going to use Balena Etcher, which will automatically detect the OS that you are currently using. Once you are done installing Balena Etcher, install it on your system.

To burn the ISO file, open balenaEtcher and select the “Flash from file” option and choose the recently downloaded Ubuntu 22.04 ISO file.

Next, choose the drive on which we want to flash the ISO file. Choose the “Select target” option and it will list all the mounted drives on your system. From the available options, choose the USB or DVD drive.

Once we have successfully flashed our USB drive, it’s time to boot from the USB drive. To boot from USB, reboot your system and use F10, F2, F12, F1, or DEL while your system boots up. From there, you have to choose your USB as your boot drive.

Step 4: Start Ubuntu Installation Using USB Drive

Once we are booted through USB, we can proceed to the partitioning and encryption part. This might overwhelm some new users as it might look complex but you just have to follow each step and you will get your system encrypted in no time.

NOTE: Some commands are different for Nvme SSD users so please read the instruction before applying the command as we have separated them when required.

Once you boot into Ubuntu, you will get two options: Try Ubuntu and Install Ubuntu. As we are going to encrypt partitions, we are required to use a live environment. So select the first option labeled “Try Ubuntu”.

Click on Activities situated at the top left and type search for Terminal. Hit Enter on the first result and it will open Terminal for us. Next, switch to the root user, as all of the commands which we are going to use are going to require administrative privileges.

$ sudo -i

As the upcoming commands will highly rely on BASH, let’s switch from our default shell to BASH by the following command:

# bash

Next, identify the installation target, we are required to list all the mounted storage devices by the following command:

# lsblk

You can easily identify the target partition by size and in most cases, it will be named as sda and vda. In my case, it’s sda with the size of 20GB.

Allocate Variable Names to the Target Device (for HDD and SATA SSDs)

This section is only applicable for you if you are using HDD for SATA SSDs. So if you are someone equipped with Nvme SSD, allocating variable names is explained in the below step.

As my target device is named sda, I’m required to use the following command:

# export DEV="/dev/sda"

Allocate Variable Names to the Target Device (for Nvme SSDs Only)

If you are someone who is using Nvme, the naming scheme for your target device will be as /dev/nvme${CONTROLLER}n${NAMESPACE}p${PARTITION} so if there is only one partition, it would likely have a similar name to given command:

# export DEV="/dev/nvme0n1"

Now, let’s configure the variable for the encrypted device mapper by the following command:

# export DM="${DEV##*/}"

Each Nvme device will need ‘p’ in suffix so use given commands to add suffix:

# export DEVP="${DEV}$( if [[ "$DEV" =~ "nvme" ]]; then echo "p"; fi )"
# export DM="${DM}$( if [[ "$DM" =~ "nvme" ]]; then echo "p"; fi )"

Step 5: Create a New GPT Partition

To create a new GPT partition table, we are going to utilize the sgdidk utility with the following command:

# sgdisk --print $DEV

Now we can safely remove all the data available but if you are installing this system alongside existing partitions, please avoid this step.

To format the data, utilize the following command:

# sgdisk --zap-all $DEV

Step 6: Create a New Partition for Installation

We are going to allocate a 2MB partition for BIOS-mode GRUB’s core image, 768MB boot partition, and 128MB for the EFI file system, and the remaining space will be allocated to the user where you can store your desired data.

Use the given commands one by one to partition your drive:

# sgdisk --new=1:0:+768M $DEV
# sgdisk --new=2:0:+2M $DEV
# sgdisk --new=3:0:+128M $DEV
# sgdisk --new=5:0:0 $DEV
# sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 $DEV

To change the name of partitions, use the given commands:

# sgdisk --change-name=1:/boot --change-name=2:GRUB --change-name=3:EFI-SP --change-name=5:rootfs $DEV
# sgdisk --hybrid 1:2:3 $DEV

To list recently created partitions, use the following command:

# sgdisk --print $DEV

Step 7: Encrypting Boot and OS Partition

For HDD and SATA SSDs Only

Let’s start our encryption process by encrypting the boot partition. You are required to type YES in all caps when it asks for your permission.

# cryptsetup luksFormat --type=luks1 ${DEV}1

Now, let’s encrypt the OS partition by the following command:

# cryptsetup luksFormat --type=luks1 ${DEV}5

For further installation, we must unlock the encrypted partitions by using the following commands to unlock the boot and OS partitions.

# cryptsetup open ${DEV}1 LUKS_BOOT
# cryptsetup open ${DEV}5 ${DM}5_crypt

For Nvme SSDs Only

This step is only applicable if your system is equipped with Nvme SSD. Use the following commands to encrypt the boot and OS partitions:

# cryptsetup luksFormat --type=luks1 ${DEVP}1
# cryptsetup luksFormat --type=luks1 ${DEVP}5

Now, let’s unlock the encrypted partitions as it is necessary for us to process further in installation.

# cryptsetup open ${DEVP}1 LUKS_BOOT
# cryptsetup open ${DEVP}5 ${DM}5_crypt

Step 8: Format Partitions

This is one of the most crucial steps as if not done, the installer will disable the ability to write file-system. Use the following command to start formatting:

# mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT

Format EFI-SP partition (for HDD and SATA SSDs Only)

If your system is equipped with HDD and SATA SSD, use the following command to format it in FAT16:

# mkfs.vfat -F 16 -n EFI-SP ${DEV}3

Format EFI-SP partition (for Nvme SSDs Only)

So if your system is using Nvme SSD, you can easily format the 3rd partition using the following command:

# mkfs.vfat -F 16 -n EFI-SP ${DEVP}3

Step 9: Create Logical Volume Groups

LVM is one of those functions which I admire the most. Even if you don’t use LVM features, enabling it won’t harm your system and in the future, if you need any feature that LVM provides, you can use them without any issues.

Here, we are going to allocate 4GB to the swap partition which will use disk space when the system runs out of memory. We are also allocating 80% of free space to root so the user can utilize his disk space to max potential.

Of course, you can change it according to your use cases and even modify it in the future. Use the given commands one by one and your system will be LVM ready in no time:

# pvcreate /dev/mapper/${DM}5_crypt
# vgcreate ubuntu--vg /dev/mapper/${DM}5_crypt
# lvcreate -L 4G -n swap_1 ubuntu—vg
# lvcreate -l 80%FREE -n root ubuntu--vg

Step 10: Start Ubuntu Installer

It’s time to start the Ubuntu installer. Just minimize the installer and you will find the installer on the home screen.

Whether you go with normal installation or minimal, it is up to you but some options are required to be selected to get you a better experience, and that are installing updates and third-party drivers and codecs which will surely improve your user experience and save you time after installation.

In the section of installation type, select the option labeled “Something else” which will help us to manage partitions that we have just created manually.

Here, you will find multiple partitions with the same name. You can easily identify the original one as the installer will mention the taken size. Now, let’s start with LUKS_BOOT.

Select LUKS_BOOT and click on the change button.

Now, select the Ext4 journaling file system in the first option. Enable Format the partition option and in mount point, select /boot.

Similarly, select ubuntu–vg-root and click on the change button. Here, select the Ext4 journaling file system in the first option. Enable Format the partition option and in the last one, choose the “/” option.

Now, select ubuntu–vg-swap_1 and click on the options button. Select the swap area option and that’s it.

Finalize the changes and choose your current location.

After creating the user, don’t click on the install now button as we are going to apply some commands just after creating a new user. Create the user with a strong password.

Step 11: Enable Encryption in GRUB

Just after you created a user, open your terminal and use the given commands as we are going to enable encryption on GRUB before installation starts:

# while [ ! -d /target/etc/default/grub.d ]; do sleep 1; done; echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

Once the installation is done, click on continue testing as we are going to some changes which still require us to use a bootable drive.

Step 12: Ubuntu Post-Installation Configuration

In this section, we are going to mount drives, install required packages, and make some necessary changes to make encryption work. So open your terminal and follow the given steps:

Create Chroot-Environment

Chroot is used to access the partitions on which we have just installed Ubuntu. Use the given commands one of which involves mounting drive and creation of chroot-environment.

# mount /dev/mapper/ubuntu----vg-root /target
# for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done 
# chroot /target
# mount -a

Install Cryptsetup-initramfs Package

Cryptsetup package will be responsible to unlock encrypted files at boot time and we can easily install it by given command:

# apt install -y cryptsetup-initramfs

Add Key Files and Supporting Scripts

The key file will be used to cross-check the passcode for decryption and it is saved at /boot/ which is also an encrypted partition. Use the given command to proceed further:

# echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook 
# echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf 

Create a Key File and Add it to LUKS

We are going to create a key file of 512 bytes, make it secure, and also are going to add encrypted volumes. You can achieve that by utilizing the given commands:

# mkdir /etc/luks
# dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=512 count=1
# chmod u=rx,go-rwx /etc/luks
# chmod u=r,go-rwx /etc/luks/boot_os.keyfile

Adding Keys to boot_os.file and Crypttab (for HDD and SATA SSDs Only)

This is supposed to be one of the last steps as we are pretty close to successfully encrypting our system. Use the following command to add keys at boot_os.key file.

# cryptsetup luksAddKey ${DEV}1 /etc/luks/boot_os.keyfile
# cryptsetup luksAddKey ${DEV}5 /etc/luks/boot_os.keyfile 

To add keys to crypttab, use the following command:

# echo "LUKS_BOOT UUID=$(blkid -s UUID -o value ${DEV}1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# echo "${DM}5_crypt UUID=$(blkid -s UUID -o value ${DEV}5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

Adding Keys to boot_os.file and Crypttab (for Nvme SSDs Only)

If you are using Nvme SSD, you can utilize the following command to add keys at boot_os.file:

# cryptsetup luksAddKey ${DEVP}1 /etc/luks/boot_os.keyfile
# cryptsetup luksAddKey ${DEVP}5 /etc/luks/boot_os.keyfile 

Similarly, to add keys in crypttab, use the following command:

# echo "LUKS_BOOT UUID=$(blkid -s UUID -o value ${DEVP}1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# echo "${DM}5_crypt UUID=$(blkid -s UUID -o value ${DEVP}5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

Update Initialramfs Files

Now let’s update initialramfs files as it will add unlocking scripts and key-file by the following command:

# update-initramfs -u -k all

Now, reboot your system and it will get you to the GRUB pass-phrase prompt to boot your system.

The main intention behind this guide was to make an easy-to-follow procedure where even beginner can secure their system by enabling full disk encryption in Ubuntu.