I installed Windows 10 and enabled BitLocker. I started the Ubuntu installation, and, when asking to install side-by-side with Windows, I received a prompt that sent me to here: -installation-on-computers-running-windows-and-bitlocker-turned-on/15338/5
When I installed Windows, I intentionally left an unallocated partition at the end of the disk. Now I'm thinking to just "manually" tell the installer to install Ubuntu on it, but I'm not sure if I'll get the dual-boot screen this way.
My last concern is about encryption at the Ubuntu side. Will Ubuntu be able to encrypt only its own partition, and thus not affect my Windows installation, with the tool that comes with it? If not - perhaps someone can suggest an alternative tool that would allow that? (a commercial tool is also acceptable).
I have done a similar setup with Windows 10 and Ubuntu 18.04, following the instructions provided by Paddy Landau ( ). Mike Kasberg provides similar instructions for Ubuntu 20.04 ( -boot-ubuntu-and-windows-with-encryption.html).
Having done this, when you boot the machine, you'll be taken to the grub menu. If you choose Ubuntu, you'll be prompted for the disc-encryption passphrase. If you're not using BitLocker on your Windows partition, then you can alternatively boot into Windows from the grub menu. If you are using BitLocker, then you won't be able to go via grub - instead you'll need to go directly into booting Windows from the BIOS, typically by pressing F12 when you start up.
When switching between the two operating systems, you must ensure you do a proper shut down. If you just do a hibernate (from Ubuntu), and then boot into Windows, you will find that the boot partition gets corrupted. Beware! The corruption can be fixed, but requires booting Ubuntu from a USB stick, and entering a dozen or so commands.
If you have Windows 10 already installed, you may run into problems when attempting to shrink the partition. The Windows 10 Disk Management tool is liable to tell you there are "unmovable files", and it may limit how much you can shrink the partition. If you want to shrink the partition more than this, you need to disable System Protection. Then you'll find you can shrink the partition some more. You may need to do it in several small steps. When you're done, re-enable System Protection.
This post is a guide to setting up disk encryption on Ubuntu 20.04 using LUKS2, while still being able to dual boot to Windows 10. Unlike most guides out there, I intend to keep the setup as simple as possible:
I have used file based encryption via eCryptfs on my home folder for a few months. A bit of setup was needed since I did not encrypt during installation, but it was tolerably simple and it had so far worked really well. I opted to switch to disk based encryption mainly because Ubuntu team does not intend to support file based encryption moving forward. Disk based encryption is also more performant when dealing with many files (see performance comparison on phoronix.com).
Now although it sounds good to switch in theory, the setup is a big pain, especially for a GUI lover like me. Ubuntu and Pop OS offer disk based encryption out of the box, but the moment you need to customise your disk setup (so as not to wipe your Windows installation), the convenience is thrown out the window. I went through Full_Disk_Encryption_Howto_2019 from Ubuntu Community Wiki and Encrypting disks on Ubuntu 19.04 from Isuru Perera and found it too much work.
Encrypting my boot partition and putting decryption keys to root partition inside makes no sense to me. Even the default Ubuntu setup does not do this. Having said that, GRUB very recently supported LUKS2, in case you want to attempt to encrypt anyway.
Disclaimer: many things can go wrong when you customize your setup and fiddle with the terminal as root user. It is recommended to keep a backup of valuable data and do a few trial runs first.
Important: partition manager allows you to encrypt your partition as an option when you format. Do not enable this. As of this writing it defaults to LUKS1; we want LUKS2.
This will create a new device /dev/mapper/rootfs where we can read and write freely, while the encryption and decryption is performed underneath. It is currently unformatted space, so we need to format as ext4:
Now it gets a little confusing when it comes to the encrypted partition. For some reason, the Ubuntu installer displays it like it is a separate device from my hard disk. So select the partition under /dev/mapper/rootfs, which is also called /dev/mapper/rootfs, and set as follows:
If you restart your Ubuntu installation now, your kernel would not be able to mount your root partition because it is encrypted. To circumvent this, you need to tell your kernel that the hard disk is encrypted. This is where crypttab comes in.
Before we can set up crypttab for our fresh installation, we need to first understand that we are currently in the testing image. Any config changes we make in /etc/ therefore affect not our fresh installation (installed in /target/), but the testing image.
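The point about /target, as an added example that is not part of the original guide: the functions below confirm from the partition header that it really is LUKS2 (the guide's requirement) and write the crypttab entry under the installed system's root instead of the live session's /etc. The mapper name `rootfs` and the `/target` mount point follow the guide; the UUID and the scratch directory in `demo` are constructed.

```shell
#!/bin/sh
# Added example. Assumed names: mapper name "rootfs" and mount point /target
# follow the guide; the UUID used in demo() is constructed.

# Print the LUKS format version (1 or 2) found in a partition's header.
# Bytes 0-5 are the magic "LUKS" 0xBA 0xBE, bytes 6-7 the big-endian version.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;   # not a LUKS header
    esac
}

# One crypttab line: <mapper name> <device> <key file> <options>.
# "none" means the passphrase is asked for at boot.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Append the entry to <target>/etc/crypttab, once. An empty target or "/"
# would edit the live session's /etc, so both are refused.
add_crypttab_entry() {
    target=$1 name=$2 uuid=$3
    case "$target" in
        ''|/) echo "refusing to edit the live session's /etc" >&2; return 2 ;;
    esac
    file="$target/etc/crypttab"
    mkdir -p "$target/etc" && touch "$file" || return 1
    if awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"; then
        return 0   # already present, keep the file unchanged
    fi
    crypttab_line "$name" "$uuid" >> "$file"
}

# Demo on constructed data: an 8-byte fake LUKS2 header and a scratch tree
# standing in for /target.
demo() {
    tmp=$(mktemp -d)
    printf 'LUKS\272\276\000\002' > "$tmp/part.img"
    echo "LUKS version: $(luks_version "$tmp/part.img")"
    add_crypttab_entry "$tmp/target" rootfs 11111111-2222-3333-4444-555555555555
    cat "$tmp/target/etc/crypttab"
    rm -rf "$tmp"
}
demo
```

On a real install the UUID is read from the encrypted partition itself with `blkid -s UUID -o value`, and the installed system's initramfs has to be regenerated from inside a chroot before the entry takes effect at boot.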
A fairly common issue you can expect is that the Windows 10 time will be out of sync. You can fix it temporarily in Windows 10 by toggling the setting that sets the time automatically, but a permanent fix is to execute this in Ubuntu:
Though it is easy to change your login password from your window manager, you need to use the command line to change your LUKS2 password (this process does not re-encrypt your partition, so do not hesitate to change the passphrase on a whim):
> Encrypting my boot partition and putting decryption keys to root partition inside makes no sense to me. Even the default Ubuntu setup does not do this. Having said that, GRUB very recently supported LUKS2, in case you want to attempt to encrypt anyway.
This guide shows how to install Ubuntu in a dual boot configuration with encryption and LVM. The method was tested only on Ubuntu 21.10. The behaviour of the installer in earlier or later versions or other flavours of Ubuntu may be different and not work.
Now reboot. You should be prompted for your passphrase to unlock the disk and then boot into your shiny new Ubuntu system with LUKS2 encryption and LVM. Remember to save your recovery key somewhere safe.
The GUI installer offers an option to install Ubuntu with encryption and LVM if the entire disk is used but it does not provide this capability alongside existing installations. However, by using a few simple terminal commands alongside the GUI installer it is possible to overcome this and install Ubuntu on an encrypted partition with LVM independently of any other installations on the disk.
In my opinion the downvotes to this question are pretty much unjustified as finally I easily achieved what I have asked for. First of all full drive encryption with veracrypt is possible ( @securitystreak/veracrypt-full-disk-drive-encryption-fde-157eacbf0b61).
Second thing is that partition encryption with multiple OSes on the same disk as well as full drive encryption with different hard drives and multiple OSes works very well. This is how to set up for the first case:
Reboot into Linux and modify your Grub config. You will see that the Windows entry is pointing to the Windows EFI loader (likely \EFI\Microsoft\Boot\bootmgfw.efi). You should modify it to point to the VeraCrypt loader again. As reported by EasyUEFI (step 2), in my case, it is \EFI\VeraCrypt\DcsBoot.efi.
However this is not correct: Suspend Bitlocker before starting the Ubuntu installation and you will avoid the lengthy procedure of decrypting and re-encrypting the disk (which spoils your SSD/NVMe as well).
The EFI partition that comes with preinstalled Windows is rather small. Users who know the caveats of creating their own partition are smart enough to do it without this mentioned directly. Users who know a bit about partitioning but do not understand the full consequences should not be urged to forge ahead. Also, adding warnings about this-and-that for the borderline users does not belong here. It is better to leave the instructions as simple as possible.
My experience doing this on one drive is that Windows tends to just take over the boot manager when you alter your device encryption configuration (as in, decrypt device then install Ubuntu on dual boot then re-encrypt which requires you to set BIOS to load the Windows boot manager first) - Windows just goes ahead and removes your boot manager when you do that.
I have just upgraded win10 to win11 and had the same issue as one commenter, that BitLocker was not activated but still blocking the install from a USB stick. I activated it, deactivated, and had to restart the computer twice.
Then I checked in Disk Manager and it was indeed no longer encrypted by BitLocker. I could then restart for the 5th time or so, and the install Ubuntu 20.0 from USB stick worked.
I have a system with Ubuntu, Windows 7, Windows XP, and I would like to install Red Hat. I use grub 2 boot loader. What software would support this set up, for full drive encryption with pre-boot authentication? There is TrueCrypt for Windows pre-boot authentication, but will it play nice with grub 2? What other disk encryption software could I use for Linux side?
Before you read all this, remember that this technique is at least 5 years old -- it's probably much easier by now (see the other answers). (But it sure was fun to figure this all out.)
I did this a few years ago with Fedora 10 and Windows Vista to demonstrate how all the intricacies fit together. It was a bit involved (mostly because Windows Vista doesn't "play well with others" and doesn't like being installed second), but in the end I found a method that suited me. Your case is more complex because you have 3 existing OS'es and you want to add another onto your drive.
Because I've never attempted this on the magnitude of 4 operating systems, I'll leave most of it up to you (the actual re-partitioning and such) and will try to take the general security principles from my experience and apply them to your situation. Also note that in my case, I started from scratch on a drive I had erased. This was more an experiment than an expert expos... so take a few things with a grain of "salt" (no pun intended) and don't hold me responsible. :)