Ubuntu fully encrypted, /boot included


How to install Ubuntu with full disk encryption, without a separate unencrypted /boot partition!

Ubuntu's default installer, Ubiquity, is fairly limited when it comes to advanced options: for instance, if your root (/) partition is encrypted, you cannot finish the installation without a separate, unencrypted /boot partition.

But with a few tweaks it is possible to have FDE with /boot inside the encrypted volume, and without having to type your passphrase twice.

I used the excellent guide from Pavel Kogan as a reference for this tutorial.

Basically it boils down to:

  • Install Ubuntu with the manual partitioning ("Something else") installer option.
  • On a BIOS/MBR machine you first have to create a separate /boot partition, because Ubiquity refuses to continue without one.
  • On a UEFI machine you need two: the EFI System Partition mounted at /boot/efi (warning: never delete this one) and /boot.
  • Create a "Physical volume for encryption" for the rest of the disk; on top of it you can use LVM for multiple volumes, or a single EXT4, BTRFS, etc. file system.
  • GRUB will later have to unlock this container by itself, and its cryptodisk module only understands LUKS1 (LUKS2 only from GRUB 2.06 on, and only keyslots derived with PBKDF2, not Argon2). Ubiquity's default has changed over releases, so check with cryptsetup luksDump before you remove /boot.
  • Finish the install and do not reboot: we remove the /boot partition first!
  • Reinstall GRUB.


After the install is completed DO NOT REBOOT yet, it's time to get rid of that pesky unencrypted /boot partition!

Getting rid of the unencrypted partition.

The commands below use the layout from the installation above: /dev/sda1 is the EFI System Partition, /dev/sda2 the temporary /boot and /dev/sda3 the "physical volume for encryption", which the installer maps as /dev/mapper/sda3_crypt. Adjust the device names to your disk, then run:

  • First copy the contents of the temporary /boot into the encrypted volume, then chroot into the new system. Mount the encrypted root:
  • sudo mount /dev/mapper/sda3_crypt /target   # if you chose BTRFS, add -o subvol=@ so that the root subvolume (Ubiquity's default name, assumed here) is mounted
  • sudo mount /dev/sda2 /mnt
  • sudo rsync -aXAH /mnt/ /target/boot/   # careful with the trailing slashes! without them rsync copies the directory itself instead of its contents
  • sudo mount /dev/sda1 /target/boot/efi
  • sudo mount --bind /dev /target/dev
  • sudo mount --bind /proc /target/proc
  • sudo mount --bind /sys /target/sys
  • sudo chroot /target   # everything from here on runs as root inside your new system, so sudo is no longer needed
  • Add this line to /etc/default/grub:
  • GRUB_ENABLE_CRYPTODISK=y
  • Add this line to /etc/crypttab. Run blkid first to find the UUID of /dev/sda3, the LUKS partition (NOT /dev/mapper/sda3_crypt). The discard option passes TRIM through the encryption layer, which lets anyone with the raw disk tell which blocks are unused; drop it if that matters more to you than SSD performance:
  • sda3_crypt UUID=<UUID of /dev/sda3> none luks,discard
  • Edit /etc/fstab and delete the line for /boot. The other entries, including /boot/efi, are correct.

    Install GRUB to the EFI System Partition, generate a new grub.cfg, and rebuild the initramfs. Note that --boot-directory puts GRUB's modules and its grub.cfg on the unencrypted ESP; only the kernel and initrd end up inside the encrypted volume. Because update-grub writes /boot/grub/grub.cfg and not this file, rerun the grub-mkconfig command after every kernel update, otherwise GRUB keeps offering the old kernel list.

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck

    grub-mkconfig -o /boot/efi/EFI/ubuntu/grub/grub.cfg

    update-initramfs -c -k all

  • Leave the chroot by typing exit, then reboot into your new system.

That's basically all; reboot and see if everything is working! GRUB now asks for the LUKS passphrase before it can even show its menu, and the initramfs asks for it again to set up the root file system.

But wait, you don't want to enter your LUKS passphrase twice?

Here's how to do it! GRUB unlocks the container to read the kernel and initrd, but the initramfs has no way to reuse that, so it prompts again. The fix is a second key in the LUKS header, stored as a key file and copied into the initramfs, which now lives inside the encrypted /boot and is therefore never readable without the passphrase.

  • Create a key file:
  • sudo dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
  • Add your new key file to LUKS. The device is the LUKS partition, /dev/sda3 in this layout (not /dev/sda1, which is the EFI System Partition); you will be asked for the existing passphrase:
  • sudo cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
  • Point /etc/crypttab at the key file by changing the third field of the sda3_crypt line from none to /crypto_keyfile.bin; without this the initramfs never looks for the key:
  • sda3_crypt UUID=<UUID of /dev/sda3> /crypto_keyfile.bin luks,discard
  • Create a hook that copies the key file into every initramfs image: sudo nano /etc/initramfs-tools/hooks/crypto_keyfile with the following text:
  • #!/bin/sh
  • # initramfs-tools hook: place the LUKS key file at the root of the image
  • [ "$1" = prereqs ] && exit 0   # mkinitramfs first asks each hook for its prerequisites; we have none
  • cp /crypto_keyfile.bin "${DESTDIR}"
  • sudo chmod +x /etc/initramfs-tools/hooks/crypto_keyfile
  • sudo update-initramfs -u


And last, you need to step up the security! The key file is now embedded in every initramfs image in /boot and is as good as your passphrase, so nothing but root may read the images or the key:

sudo chmod -R g-rwx,o-rwx /boot

sudo chmod 000 /crypto_keyfile.bin # root is not subject to mode bits, so update-initramfs can still read the key file while every other user is locked out

Add UMASK=0077 to /etc/initramfs-tools/initramfs.conf as well, so that the images generated by future kernel updates are created root-only instead of relying on the chmod above. Keep in mind what this setup does and does not give you: the disk contents, the kernel and the initrd are encrypted, but the EFI System Partition with GRUB's core image, modules and grub.cfg is not, and LUKS does not authenticate anything, so someone with physical access can still replace the bootloader (the classic evil-maid attack). Protecting against that needs a verified or measured boot chain, which is outside the scope of this post.
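A preflight script for the two procedures above (the GRUB reinstall in the chroot and the key-file setup), added here as an example; it is not part of the original post or of Pavel Kogan's guide. It checks, from the outside, the things that usually go wrong: whether GRUB can open the LUKS header at all, whether GRUB_ENABLE_CRYPTODISK is set, which key file crypttab names, whether that key and /boot are root-only, and whether the initramfs actually contains the key. It assumes GNU coreutils and Ubuntu's initramfs-tools; the device, mapping name and initrd path are hypothetical arguments.

```shell
#!/bin/sh
# preflight.sh: sanity checks for an encrypted-/boot Ubuntu before rebooting.
# Added example for this tutorial, not code from the page or Pavel Kogan's guide.
# Assumes GNU coreutils (dd, od, stat, awk, grep) and initramfs-tools. Every path
# is an argument, so the functions also work on a raw image of the LUKS partition
# or on copies of the config files (all paths here are hypothetical).

# Print the LUKS header version (1 or 2) of a device or image, or "none" with
# status 1 if the LUKS magic is missing. Layout: 6-byte magic "LUKS\xba\xbe" at
# offset 0, followed by a big-endian 16-bit version number at offset 6.
luks_version() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo none; return 1; }
    dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 | awk '{ print $1 * 256 + $2 }'
}

# Heuristic for LUKS2: the JSON metadata naming each keyslot's KDF starts 4 KiB
# into the header. GRUB's cryptodisk only implements PBKDF2 (and LUKS2 at all
# only since 2.06), so a keyslot derived with Argon2 is invisible to GRUB.
luks2_uses_argon2() {
    dd if="$1" bs=4096 skip=1 count=4 2>/dev/null | tr -d '\0' | grep -q argon2
}

# 0 if GRUB will be able to unlock the container at its passphrase prompt.
grub_can_unlock() {
    v=$(luks_version "$1") || return 1
    case "$v" in
        1) return 0 ;;
        2) if luks2_uses_argon2 "$1"; then return 1; fi; return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the given /etc/default/grub enables cryptodisk support; without it
# grub-install leaves the luks/cryptodisk modules out of the core image.
grub_cryptodisk_enabled() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?' "$1"
}

# Print the key field (third column) of the crypttab entry for a mapping name
# such as sda3_crypt. "none" means the initramfs will prompt a second time.
crypttab_keyfile() {
    awk -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# 0 if group or other can read the path. The key file, the initramfs images
# and /boot itself must all fail this check once a key file is in use.
world_readable() {
    perms=$(stat -c %A "$1")
    case "$perms" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# 0 if the initramfs image carries the key file at its root, where the hook puts it.
initrd_has_keyfile() {
    lsinitramfs "$1" | grep -qE '^(\./)?crypto_keyfile\.bin$'
}

# Run every check on the live system (as root, in the chroot or after reboot).
# Usage: preflight.sh <luks partition> [mapping name] [initrd image]
main() {
    dev=$1; name=${2:-sda3_crypt}; initrd=${3:-}; rc=0
    if grub_can_unlock "$dev"; then
        echo "ok:   GRUB can unlock $dev (LUKS$(luks_version "$dev"))"
    else
        echo "FAIL: GRUB cannot unlock $dev (needs LUKS1, or LUKS2 with PBKDF2 keyslots)"; rc=1
    fi
    if grub_cryptodisk_enabled /etc/default/grub; then
        echo "ok:   GRUB_ENABLE_CRYPTODISK=y is set"
    else
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing from /etc/default/grub"; rc=1
    fi
    key=$(crypttab_keyfile /etc/crypttab "$name")
    if [ -z "$key" ] || [ "$key" = none ]; then
        echo "warn: no key file for $name in /etc/crypttab; expect a second passphrase prompt"
    elif [ ! -e "$key" ]; then
        echo "FAIL: crypttab names $key but it does not exist"; rc=1
    elif world_readable "$key"; then
        echo "FAIL: key file $key is readable by non-root users"; rc=1
    else
        echo "ok:   key file $key is root-only"
        if [ -n "$initrd" ] && ! initrd_has_keyfile "$initrd"; then
            echo "FAIL: $initrd does not contain $key (hook missing or update-initramfs not run)"; rc=1
        fi
    fi
    for p in /boot ${initrd:+"$initrd"}; do
        if [ -e "$p" ] && world_readable "$p"; then
            echo "FAIL: $p is readable by non-root users"; rc=1
        fi
    done
    return $rc
}

# Only run the checks when a device is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root inside the chroot before the first reboot (preflight.sh /dev/sda3 sda3_crypt), and again after the key-file step with the current initrd as the third argument (/boot/initrd.img-$(uname -r)). The LUKS2 check is a string search over the JSON metadata rather than a full parse, so treat it as a warning; cryptsetup luksDump gives the authoritative keyslot and PBKDF information.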


That’s all!


