Ubuntu + Windows 10 dualboot with LUKS encryption
  • Based on https://gist.github.com/mdziekon/221bdb597cf32b46c50ffab96dbec08a
  • Installation date: 16-08-2019
  • Additional notes based on my own experience
  • EFI boot
  • Ubuntu 19.04 -> 21.04
  • This should work on any computer. Only the RAID > AHCI change described below and the device name for the nvme ssd drive are specific to this laptop.
  • The process describes a completely fresh installation with complete repartitioning, however it should work fine when Windows is already installed (eg. brand new machine with Windows preinstalled) as long as Windows already boots with EFI.
  • The process was conducted on Dell's XPS 15 9560 (2017) with specs:
    • CPU: i7-7700HQ
    • Screen: 4K with Touch
    • RAM: 32 GB
    • Drive: 1TB nvme ssd
    • Windows 10 Pro license
    • BIOS version: 1.16.0
      • Surprisingly, Ubuntu's update manager supports BIOS updates out of the box (make sure you're connected to power, then run sudo fwupdmgr refresh; sudo fwupdmgr update)
  • My installation did not require disabling TPM or Secure Boot

Re-installation

If you're re-installing your system and have no need to re-shuffle your partitions, you can jump directly to 4.3.b (the luksOpen command). Just make sure you re-format all your partitions except for EFI (and perhaps /home, if like myself you have one).

1. Installation media

You'll need to boot first into an Ubuntu installation disk (to use gparted to partition your drive), then boot into the Windows installation media (to install Windows), then back again into the Ubuntu media (to install Ubuntu). So you're going to need to prep either 2 different installation media (eg USB sticks or DVDs or whatever), or you'll need a second computer to keep overwriting the same USB stick.

  1. Create Windows installation USB stick
    • Download .ISO file from Microsoft's webpage
    • Create bootable USB using WoeUSB (do not use the Startup Disk Creator utility or the Disks app; they won't work for Windows installation media)
  2. Create Ubuntu installation USB stick
    • Download .ISO file from Ubuntu's webpage
    • Create bootable USB using "whatever" (gnome disks or Startup Disk Creator utility)
  3. Go to BIOS (F2) and switch from SSD's "RAID" to "AHCI" mode on some laptop models (like XPS 9560)

2. Partitioning

Important: There's currently no easy way to make grub work with an encrypted partition. Make sure /boot and /boot/EFI are their own partitions and left unencrypted.

  1. Boot into an ubuntu live cd session
  2. Open gparted
  3. Delete all partitions on disk
  4. Create GPT partition table: device > new partition table > choose GPT (this is required for EFI)
  5. Create the following:
    1. 550MiB FAT32 (label EFI - label is for our own benefit, doesn't actually mark this partition as EFI)
    2. 550MiB EXT4 (for Linux boot)
    3. Create your windows partitions as NTFS
    4. Leave enough unallocated space for Ubuntu. Don't create a partition here yet - Windows needs to automatically create an additional 16MiB partition during installation. Dunno what it is for tbh.
  6. Apply changes
  7. Right click on the FAT32 partition you created for EFI partition above > manage flags. Set esp (boot might auto-check itself too). This will mark the partition to use as EFI by both Windows and Ubuntu installations. You might need to apply changes again.

3. Install Windows

  1. Boot from the windows usb pendrive
  2. Install Windows on whatever partition you created earlier
  3. Windows is done at this point - you could go in and setup windows (encryption, drivers, etc) but I'd recommend to set up ubuntu first - the process, if done wrong, can potentially bork your set up and you'll need to start again.

4. Install Ubuntu

  1. Boot into ubuntu live cd session

  2. Open gparted and create a single ext4 partition in the unallocated space. This will be for lvm/luks. The filesystem does not matter; we simply need to create a partition here so that it's allocated a device node and shows up in /dev.

  3. Create LUKS container on this partition (assuming the partition device is /dev/nvme0n1p5):

    # Note luksFormat and luksOpen are case sensitive
    ~ sudo cryptsetup luksFormat /dev/nvme0n1p5
    ~ sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive
    
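    # Optional: overwrite the whole of cryptdrive with zeros to ensure no data from before partitioning remains.
    # The zeros are written through the LUKS mapping, so the disk ends up filled with encrypted, random-looking data.
    # Took 2h on my 652 GiB partition on an nvme drive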
    ~ sudo dd if=/dev/zero of=/dev/mapper/cryptdrive bs=16M
  4. Create LVM physical volume, a volume group & logical volumes:

    • Volumes are sized as follows (example, you should create as many partitions as you need):
      • OS drive: 60GB
      • Swap: 16GB
      • Home: rest
    • Commands (add extra lvcreate steps if you have more partitions):
    ~ sudo pvcreate /dev/mapper/cryptdrive
    ~ sudo vgcreate vglinux /dev/mapper/cryptdrive
    ~ sudo lvcreate -n root -L 60g vglinux
    ~ sudo lvcreate -n swap -L 16g vglinux
    ~ sudo lvcreate -n home -l 100%FREE vglinux
  5. Start the installation process using GUI:

    • Connect to WiFi network
    • When asked what to do with the disk, pick the option that allows you to manually repartition stuff (IIRC it was labelled "Something else" on the 19.04 installer):
      • Pick /dev/mapper/vglinux-root as ext4 FS & mount it to /
      • Pick /dev/mapper/vglinux-home as ext4 FS & mount it to /home
      • Pick /dev/mapper/vglinux-swap as swap
      • Do the same as above if you have extra partitions
      • Pick /dev/nvme0n1p2 (created on step 2.5.1) as ext4 FS & mount it to /boot
        • Without doing this, installation will fail when configuring GRUB
      • Pick "boot drive" (the select list at the bottom, this is where GRUB goes) and assign it to /dev/nvme0n1p2 or /dev/nvme0n1
    • Proceed with the installation
  6. After GUI installation completes, stay within the Live USB environment

  7. Check the UUID of the LUKS drive:

    • sudo blkid /dev/nvme0n1p5
    • Example output:
      • /dev/nvme0n1p5: UUID="abcdefgh-1234-5678-9012-abcdefghijklm" TYPE="crypto_LUKS"
  8. Mount root & boot drives and chroot into the main mount:

    ~ sudo mount /dev/mapper/vglinux-root /mnt
    ~ sudo mount /dev/nvme0n1p2 /mnt/boot
    ~ sudo mount --bind /dev /mnt/dev
    ~ sudo chroot /mnt
    ~ mount -t proc proc /proc
    ~ mount -t sysfs sys /sys
    ~ mount -t devpts devpts /dev/pts
  9. In the chroot env, configure crypttab so that Ubuntu prompts to unlock the encrypted volume at boot

    • sudo nano /etc/crypttab:
      # <target name> <source device> <key file> <options>
      # options used:
      #     luks    - specifies that this is a LUKS encrypted device
      #     tries=0 - allows to re-enter password unlimited number of times
      #     discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab")
      #     loud    - display all warnings
      cryptdrive UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,tries=0,discard,loud
      
    • update-initramfs -k all -c
  10. Reboot into Ubuntu
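
Before the reboot in step 10, the values from steps 7 to 9 can be cross-checked. The script below is an added example, not part of the original gist: it confirms that the crypttab entry points at the UUID blkid reports for the LUKS partition, flags the discard option, and verifies that /boot has its own fstab entry outside /dev/mapper. The function names and the sample fstab are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original gist. Sample data is constructed
# from the placeholder values used in the guide.

# Print the UUID from one line of blkid output, only if it is a LUKS container.
luks_uuid_from_blkid() {
    printf '%s\n' "$1" |
        sed -n '/TYPE="crypto_LUKS"/s/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# Check crypttab text ($1) for an entry whose source is UUID=$2.
# Prints findings; returns 0 only if such an entry exists.
check_crypttab() {
    entry=$(printf '%s\n' "$1" |
        awk -v src="UUID=$2" '$1 !~ /^#/ && $2 == src { print; exit }')
    if [ -z "$entry" ]; then
        echo "FAIL: no crypttab entry with source UUID=$2"
        return 1
    fi
    name=$(printf '%s\n' "$entry" | awk '{ print $1 }')
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    echo "OK: target $name unlocks UUID=$2"
    case ",$opts," in
        *,luks,*) ;;
        *) echo "WARN: 'luks' option not set (the guide's entry sets it)" ;;
    esac
    case ",$opts," in
        *,discard,*) echo "WARN: 'discard' passes TRIM through; see man crypttab" ;;
    esac
    return 0
}

# Check fstab text ($1): /boot needs its own entry, and in this guide's layout
# it must not be a /dev/mapper device (those sit inside the LUKS container).
check_boot_mount() {
    src=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/boot" { print $1; exit }')
    case "$src" in
        "") echo "FAIL: no separate /boot entry in fstab"; return 1 ;;
        /dev/mapper/*) echo "FAIL: /boot is on $src, inside the encrypted volume"; return 1 ;;
        *) echo "OK: /boot is on $src"; return 0 ;;
    esac
}

# Constructed sample inputs. On a real system, inside the chroot, use
# "$(blkid /dev/nvme0n1p5)", "$(cat /etc/crypttab)" and "$(cat /etc/fstab)".
SAMPLE_BLKID='/dev/nvme0n1p5: UUID="abcdefgh-1234-5678-9012-abcdefghijklm" TYPE="crypto_LUKS"'
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptdrive UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,tries=0,discard,loud'
SAMPLE_FSTAB='/dev/mapper/vglinux-root /     ext4 errors=remount-ro 0 1
/dev/nvme0n1p2           /boot ext4 defaults          0 2
/dev/mapper/vglinux-home /home ext4 defaults          0 2'

uuid=$(luks_uuid_from_blkid "$SAMPLE_BLKID")
check_crypttab "$SAMPLE_CRYPTTAB" "$uuid"
check_boot_mount "$SAMPLE_FSTAB"
```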

5. Ubuntu Tweaks for XPS 9560

  1. XPS 9560 doesn't really need any workarounds or acpi boot options anymore with Ubuntu 19.04. Have a look at https://github.com/stockmind/dell-xps-9560-ubuntu-respin if there's something that doesn't work. No need to download any firmware anymore for the killer wifi (always worked fine for me)
  2. Install nvidia drivers (latest available in 19.04)
  3. Undervolt? https://github.com/georgewhewell/undervolt I have a systemd service to run undervolt.py --core -125 --cache -125 --gpu -100, helps a little with power consumption and temps, especially under heavy load (around 8-10 deg C).

6. Reinstall Ubuntu

If you need to reinstall ubuntu, you should be able to jump to #4 directly. If you aren't changing your partition layout, you can go straight to #4.4 (install ubuntu), but don't forget to run sudo cryptsetup luksOpen /dev/nvme0n1p5 cryptdrive to mount the encrypted partition. If in doubt, just start from #4 and recreate your crypt drive.

Additional notes

  • Ubuntu (GRUB) is the default boot option, both Ubuntu and Windows should be there
  • Additionally, you can bring up the EFI boot screen pressing F12 as soon as you turn on the laptop
@luispabon
Author

I get the same message during boot if I remove the splash window. I reckon it might be hanging on something else. Are you by any chance in Ubuntu 20.10 and hooked up to a thunderbolt dock?

@ariel-y

ariel-y commented Nov 13, 2020

Not sure what are you referring to in "the splash window". The boot sequence enters ash shell.
I am in Ubuntu 20.04, but not hooked to any dock...

@luispabon
Author

luispabon commented Nov 13, 2020

Ah just checking. 20.10 has an issue whereby if you're connected to a thunderbolt during boot it will just hang forever before the cryptsetup password prompt.

The splash window is the Dell logo you get at boot plus a spinner and the Ubuntu logo at the bottom.

So you're in ash shell? So you did boot up I imagine but it's failing to boot GDM perhaps?

Also, you did not encrypt /boot did you?

@ariel-y

ariel-y commented Nov 13, 2020

Thanks Luis,
For the record - I'm running a Lenovo t490, not Dell, but I've seen very similar instructions targeted to Lenovo - but this one brought me as close as possible to the final goal - at least the Ubuntu setup ran smoothly.
I believe that the Lenovo counterpart of the splash screen you've mentioned is enabled; I do see the Lenovo logo and Ubuntu's (progress indicator) logo at the bottom.
Don't think it's a GDM problem, probably something earlier - as the message implied Initramfs
And once again, for the record the system is 20.04, not 20.10...

@luispabon
Author

luispabon commented Nov 13, 2020

No worries. I could not tell you for sure as of course it's a different laptop - your failures to boot and mine would probably be for very different reasons. Does it boot on an unencrypted set up?

Does it have a nvidia discrete gpu? Did you choose to download proprietary drivers during installation? If not, try reinstalling doing so, then use prime-select to switch to intel graphics. Otherwise it might be using your dgpu with the nouveau drivers and they're a common cause for boot failures.

If you need to reinstall, you can skip pretty much everything until sudo cryptsetup luksOpen.

As I mentioned earlier I also have the initramfs error message and my setup seems to work alright. I can only see it if I disable the splash screen. You can add nosplash as a boot parameter (removing splash) in case the boot sequence is choking on displaying the splash screen.

@ariel-y

ariel-y commented Nov 13, 2020

Thanks once again for the prompt responses - I'll have to go offline for a while though...
As per your notes:

  • Since the machine came with preinstalled Windows with BitLocker enabled, didn't try an unencrypted setup (the whole point is that I don't want to disable BitLocker), although just as an experiment I will try to follow the instructions without encrypting the Ubuntu physical volume (the /dev/nvme0n1p5 reference in the gist) and see what happens...
  • It does not have a discrete gpu
  • I chose to download proprietary drivers, and indeed after setup I was prompted to enroll MOK and passed this step successfully.

@luispabon
Author

It's not clear by your message, but for this to work /boot must be on its own partition (ext4) and it must be unencrypted. But in any case do make sure ubuntu actually boots at all on your laptop in an unencrypted setup, if nothing else to discard encryption as the cause for your laptop not booting.

@ariel-y

ariel-y commented Nov 16, 2020

Yep. The /boot mount point was the issue, somehow I missed this step.
Many thanks!

@luispabon
Author

luispabon commented Nov 16, 2020

Excellent stuff, enjoy your new setup!

I'll make a note on the gist to make sure it's not unnoticed.

@CodeWithShreyans

CodeWithShreyans commented Feb 10, 2021

Have you tried it with VeraCrypt instead of BitLocker? (try it)
Planning to do the whole process myself soon.
Thanks for the guide

@luispabon
Author

Nay not at all. Can you encrypt/decrypt your storage with VeraCrypt before linux and windows even loads? It would make setting up both OS far easier and with this system I haven't been able to find a way to get /boot encrypted at all

@Sigmundius

Thank you so much for your tutorial! I had to make an account to thank you haha. After trying a lot of tutorials, yours did the trick.

@luispabon
Author

👍

@ktolbol

ktolbol commented Jun 3, 2021

This worked wonderfully, many thanks!

@luispabon
Author

👍 excellent!

@Wolfonye

First: a big thank you! This worked out pretty well actually! Enabling BitLocker on win 10 afterwards also worked seamlessly.
Second: for others as a reference, setup executed today on a Lenovo Thinkpad L490 on a freshly inserted new SSD. I followed the steps almost exactly but remark that you won't have a BIOS option to switch from RAID to AHCI (not necessary).
Third: you might want to publish this as an article or blog post that can be found more easily, given how much incomplete information is out there on this topic. There certainly is a fair share of people who would appreciate it.

Again, many thanks! This was a major stress-saver!

@luispabon
Author

luispabon commented Jun 16, 2021

Ah thanks. TBF I am not the original author, I grabbed the original text and updated it to newer Ubuntues (Ubuntuses?) and added the particularities of my laptop (like the RAID to AHCI thing).

@peddanet

peddanet commented May 11, 2022

Nearly two years ago, I followed your steps above! Thanks, since then it has worked! My /boot partition gets full again and again. So I want to extend it to some gigabytes. I have resized my windows partition, which is before the /boot partition, but cannot move/resize the /boot partition to "the left", because it is in use. Do I have to do it with the live ubuntu session, and what do I have to obey so that the system stays bootable?

Second, can I resize/move the luks partition itself, and what do I have to do here? I am a bit lost. First resize the lvm and then the luks?? BTW do you know a backup rescue concept for the data in it? Sorry for my stupid questions...

@luispabon
Author

The only real way I can think of resizing that boot partition is to delete & recreate it on the empty space. You would need to do this from a live session and you'd need to make sure you make a backup of /boot that you can restore once the new partition is ready. Make sure you tweak your /etc/fstab beforehand to ensure the entry for /boot is not a UUID but a device node (eg /dev/sda1 or whatever your storage looks like).

You really need to know what you're doing, the danger of messing up your install is high. Be prepared to have to re-install all the linux stuff from scratch if you mess it up.

I don't know if you can resize the cryptdrive. Remember, LVM sits inside of LUKS, so you'd need to resize LUKS before you can resize LVM. I've no idea if this is achievable, never needed to do this myself.

@peddanet

Thanks @luispabon!
It really looks like there is no safe solution for this... The risk of messing up is high! And I have no good concept to back up 750 GB of encrypted data... Yet. So to conclude I should save manually relevant data and maybe then set up the complete system...
But one question: Which /etc/fstab do you mean? The one inside the luks/lvm (the one of the encrypted Linux)? This one is referring to the non-encrypted /boot partition?

@Lauriy

Lauriy commented May 20, 2022

Thanks a bunch for this!

I set up Windows right away. Then went on with Ubuntu. Windows asked for my BitLocker recovery key after installing Ubuntu. Ofc I had it saved and the setup was saved.

@luispabon
Author

@peddanet the fstab from the system you're operating on, of course. Within your encrypted volumes.

@jdnixx

jdnixx commented Jul 5, 2022

Another thank you from me, this was exactly what I needed. Mucho awesome

@peddanet

peddanet commented Jul 5, 2022

Thanks @luispabon! I was recently able to resize the luks encrypted lvm on my dual boot laptop by actually replacing the 1TB SSD by a 2 TB SSD. So I finally chose to buy a new SSD which I wanted to omit at first...

I followed these steps, which I have written down and referred at

askubuntu: trying to resize root partition using lvm doesn't work

Especially the linked unix.stackexchange helped me a lot! It worked perfectly for me!

@wusimfan

For me this guide worked perfectly.
The question I'm asking myself, does this guide also apply when I have 2 drives? One for windows and one for Linux.

@luispabon
Author

It would, but if you have 2 drives you don't need this guide. Simply use the regular ubuntu installer and enable encryption from the GUI and let the installer manage and partition the full drive.

@whowantsmybigdata

Great! Was close to buying a second hard drive to achieve the same and this saved me from having to!!
On my test with ubuntu and kubuntu 22.04 I had to manually put

mkfs.ext4 /dev/mapper/vglinux-root
mkfs.ext4 /dev/mapper/vglinux-home
mkswap /dev/mapper/vglinux-swap

in between points 4.4 and 4.5 (so before starting to use the gui installer),
because the installer was not able to format the logical volumes itself.
Thanks a lot!

@peddanet

What? I came here whether it's possible to install windows in a luks encrypted drive. It's not possible right?

@foxjaw As it is pointed out above the system consists of the following partitions:

  • boot partition (unencrypted)
  • efi partition (unencrypted)
  • windows partition (ntfs partition)
  • left over space for ext4 luks encrypted Ubuntu system

So it seems clear that you can install windows next to a luks encrypted volume. But you use Bitlocker or similar technique to encrypt the windows partition. Actually mine is left unencrypted as I use the system only for playing games...

@saintcore

saintcore commented Sep 17, 2024

I still don't believe this to the full but I've done it myself today for a friend and it works. As of today there is no need to do this manual setup of luks/lvm. The Ubuntu setup guide is finally able (it's a bit shady ngl) to do this for you:

  1. If the current windows-setup uses the full disk, shrink the c:\ partition as much as you want to use for your new ubuntu-installation (you can use gparted for that if you're still using windows 7 which doesn't allow you to shrink c:).
  2. Make sure the shrunk / now free part of the disk is not formatted with any filesystem before proceeding (should be like that by default but you never know). This is needed so that the ubuntu setup guide later on recognizes this space for usage automatically.
  3. As with the previous setup: If you have a high need of security for yourself/your setup make sure you overwrite the whole space you just made available for the new ubuntu setup. If not, fragments of your previous data could be leaked due to the nature of how luks is set up by default.
  4. Now boot from the ubuntu liveusb and proceed with the setup as normal until the partitioning guide is displayed. Here first select the 2nd option (use the whole disk for ubuntu) and enable the advanced options. Within these options enable the luks-encryption. DON'T PROCEED WITH FORMATTING JUST NOW!
  5. Now switch back to the first option (dual boot / install ubuntu alongside windows). You will see that the enabled option for luks-encryption is greyed out below but still will be used. You can now proceed with formatting and installing.

With that said I still want to put out a big thx to anyone that contributed to this guide over the years. It helped out myself here and there :)

@LukasJerabek

@saintcore can confirm this worked flawlessly :) Thank you for the tip!
