Install Ubuntu 12.04 with encryption
Ubuntu is a popular Linux distribution with lots of software available in libraries called repositories. These repositories contain software for all kinds of purposes, including disk encryption. Disk encryption can be configured during the installation, but not with the standard desktop installation CD: that CD only offers to encrypt your home directory, not the whole system including the swap space. Ubuntu also provides an alternate installation CD with a text-mode installer. This alternate CD contains an enhanced partitioning program which allows you to create, modify and delete encrypted and LVM volumes. You can download the alternate installation CD here.
This Ubuntu guide assumes that you have already installed Windows as described earlier.
Starting text-mode installation from Alternate CD
Start your computer from the Ubuntu alternate install CD and follow the instructions below. I will skip some general installation steps but will explain the steps that matter. One thing about the text-based installer: it has a very old-school interface, so use the TAB and arrow keys to navigate through it.
Ubuntu offers to encrypt your home directory. This is not what we want; we go for full system encryption including the swap space. Home directory encryption can be useful when using Ubuntu with multiple users, but not when traveling around with a laptop that has only one owner. So choose ‘No’ for home directory encryption.
Create boot partition
During the setup of Windows 7 we deleted a 100 MB partition which was otherwise used as the Windows system partition. We’re gonna re-use that space for the boot partition. 100 MB is a bit small, but enough for at least two kernel versions. If you don’t have that 100 MB of free space, you can create a new partition and choose a larger size of about 500 MB. Note that the boot partition is not encrypted and therefore not included in the encrypted volume.
An overview of the partition layout appears. In this example I’m using the 100 MB of space left from the Windows 7 setup procedure. If you don’t have that 100 MB of free space, select the main free space to continue. Later on, you can choose to use only a part of it as boot partition.
Select the size of the boot partition. The wizard suggests the full partition size. In case of the 100 MB partition, that’s fine. Otherwise, if you selected the main free space, use about 500 MB, certainly not more.
Select ‘Primary’ to make a primary boot partition. When creating a new partition out of a larger free space you are asked whether you want the new partition at the start or at the end of the available space. If so, choose ‘Beginning’.
Create encrypted volume
We will now create an encrypted volume. During this phase you have to set a password for the encrypted volume. Let me remind you that this password has nothing to do with the password for your user account or root account. It is a password used exclusively for encrypting the volume. You can also choose whether, besides encrypting new data written to the volume, the installer should overwrite data left on the disk by previous use.
The volume will be encrypted with the given options. Note that by default only newly written data is encrypted; whatever was on the disk before stays there. If you want to remove all remaining data left from previous installations, change the ‘Erase data’ option to ‘yes’. Later on, it will ask you to confirm the deletion of all previous data. The cleaning process can take a long time. In this example I will leave ‘Erase data’ at ‘no’ and select ‘Done setting up the partition’ when finished.
Create LVM group inside the encrypted volume
Inside the encrypted volume we’re gonna create an LVM volume group. The LVM is used for the swap partition and the root filesystem.
Create LVM logical volumes for swap and root filesystem inside LVM group
We have just created the volume group. Now we’re gonna create the logical volumes for the swap and root filesystem.
Select the size of the volume for swap purposes. For swap, it is recommended to use at least the amount of RAM in your system; twice the amount of RAM is better. Do not accept the suggested size, because that is the full volume group capacity.
Create swap and root filesystem
The logical volumes for the swap and root filesystem are created. Now we need to configure them.
Change the ‘Use as’ to ‘Ext4 journaling file system’ and change the ‘Mount point’ to ‘/’ (root). It will then be mounted as root once the installation is finished. Select ‘Done setting up the partition’ when finished.
All partitioning should now be done. Let’s check if everything is fine now and confirm the remaining changes.
Let’s start with the physical device, called ‘SCSI1’. It has three partitions. The first (#2) is the 100 MB boot partition, with mount point ‘/boot’. Note that this partition is not encrypted because it’s outside of any encrypted volume. The second partition (#1) is not used by the Linux installation, because it’s the Windows partition. It is encrypted with Truecrypt, but that’s not shown here. The last partition on the physical disk is #5. That partition is encrypted and called ‘sda5_crypt’.
Above the ‘SCSI1’ device is the encrypted volume ‘sda5_crypt’. The encrypted volume contains a 21.5 GB LVM volume.
At the top you will find the two logical volumes inside ‘LVMGroup’. First you will find the 19.4 GB volume mounted as ‘/’ (root). Below it you will find the 2 GB swap space that’s also inside the LVM.
If all looks fine to you, click ‘Finish partitioning and write changes to disk’.
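A scripted version of this layout check, added here as an example and not part of the original guide: it parses the tree printed by `lsblk -i -o NAME,TYPE,MOUNTPOINT` on the installed system (the installer’s partitioner has no such command) and fails if ‘/’ or swap sit outside the crypt device, or if ‘/boot’ sits inside it. The two sample trees and the LVM names `LVMGroup-root` and `LVMGroup-swap` are constructed; the lsblk format (ASCII tree, two columns per nesting level, swap shown as `[SWAP]`) is assumed.

```shell
#!/bin/sh
# Added example: verify that the finished layout matches what the guide builds.
# Assumes `lsblk -i -o NAME,TYPE,MOUNTPOINT` output; older lsblk appends
# " (dm-N)" to LVM names, which is stripped. Both samples below are constructed.

# Layout from the guide: plain /boot, LUKS container sda5_crypt, LVM root+swap.
GOOD_LAYOUT='NAME                TYPE  MOUNTPOINT
sda                 disk
|-sda1              part
|-sda2              part  /boot
`-sda5              part
  `-sda5_crypt      crypt
    |-LVMGroup-root lvm   /
    `-LVMGroup-swap lvm   [SWAP]'

# The mistake the guide warns against: swap left on a plain partition, so
# memory contents can reach the disk unencrypted.
BAD_LAYOUT='NAME                TYPE  MOUNTPOINT
sda                 disk
|-sda1              part
|-sda2              part  /boot
|-sda3              part  [SWAP]
`-sda5              part
  `-sda5_crypt      crypt
    `-LVMGroup-root lvm   /'

# check_layout: reads the lsblk tree on stdin, prints findings and returns 0
# only when / and swap sit below a crypt device and /boot does not.
check_layout() {
  awk '
    NR == 1 { next }                         # header line
    {
      sub(/ \(dm-[0-9]+\)/, "")              # "LVMGroup-root (dm-1)" -> plain name
      match($0, /[A-Za-z0-9]/)               # column of first name char = depth
      d = int((RSTART - 1) / 2)
      enc[d] = ($2 == "crypt") || (d > 0 && enc[d - 1])   # ancestor is crypt?
      if ($3 == "/")      root = enc[d] + 1  # 0 unseen, 1 plain, 2 encrypted
      if ($3 == "[SWAP]") swap = enc[d] + 1
      if ($3 == "/boot")  boot = enc[d] + 1
    }
    END {
      ok = 1
      if (root != 2) { print "FAIL: / is not inside the encrypted volume"; ok = 0 }
      if (swap != 2) { print "FAIL: swap is not inside the encrypted volume"; ok = 0 }
      if (boot != 1) { print "FAIL: /boot missing or inside the encrypted volume"; ok = 0 }
      if (ok) print "OK: / and swap are encrypted, /boot is plain"
      exit !ok
    }'
}

# On the live system: lsblk -i -o NAME,TYPE,MOUNTPOINT | check_layout
printf '%s\n' "$GOOD_LAYOUT" | check_layout
```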
Install grub inside partition
After a while, when most files have been copied to your new system, the installer will ask you where to install the Grub bootloader. Usually Grub is installed in the master boot record. We don’t want this because Truecrypt has its bootloader there. The steps below show how to install the Grub bootloader inside the boot partition.
Choose ‘No’ when the setup asks you to install in the master boot record. If you accidentally choose ‘Yes’, you have to restore the Truecrypt bootloader using the rescue CD that you created during the encryption setup and reinstall Grub inside the boot partition. See the Tips and troubleshooting part if you selected ‘Yes’ here.
The installer asks you where to install the bootloader. In my case it is the boot partition ‘/dev/sda2’. If you don’t know which device name belongs to the boot partition, read the next step (do not hit Continue yet…).
If you don’t know the device name of the boot partition, follow these instructions. Press ctrl+alt+F2 to start a new terminal and hit Enter to activate this window. Now type ‘mount | grep boot’ and read which device is mounted as the target boot directory. In my case it is ‘/dev/sda2’. Return to the setup screen with ctrl+alt+F1 and continue with the previous step: enter the device name and hit ‘Continue’.
The setup process continues. When finished it will restart your system.
Ubuntu with encryption ready for use
Installation of Ubuntu is now finished. When rebooting you see the Truecrypt bootloader first.
When the ‘Esc’ key is pressed it will continue booting. The loader finds that partition 2 is bootable and starts the bootloader inside that partition. This screen only appears for a very short time and doesn’t need any user input.
Grub has started and loaded the kernel and scripts from the boot partition. The system requests the password for the encrypted volume. This is not the password for your user account. Ubuntu continues the boot process once the password is entered.
Note: This screen looks nicer when the graphical capabilities are better than mine.
The Ubuntu login screen appears. This password belongs to your user account. Ubuntu is now ready and safe for use! Optionally, you can enable automatic login in the ‘System Settings’, ‘User Accounts’ window to skip this authentication step.