How to Setup an Encrypted Ubuntu Installation?

Starting with Ubuntu 12.10, users can now install Ubuntu OS and its core files into an encrypted volume (partition) for additional security (there is an option for that in the installer wizard).

It is called ‘Encrypt the new Ubuntu installation for security’, and once chosen, all you have to do is enter a password, and the rest will be taken care of. However, if you go with that option, it will erase your entire HDD, so if you use Ubuntu alongside Windows (I’m using 7), then this is not an ‘option’.

So I just thought that writing a ‘how-to’ guide for achieving this would come in handy for someone who is new to Ubuntu and wants to set it up properly.

__________

Optional …

Now, before we begin, I assume that you have a separate partition or an unformatted free space on your HDD. If you have already done that, then please skip this section and go directly to the ‘Installation …’ step (a bit down below).

If you do not have one created and do not know how to do that, then you can use the partition editor in Ubuntu or the one that comes with Windows.

Since we are resizing a native Windows file system, the safest option is to use the ‘disk manager’ in Windows. However, if it is the Windows OS partition that you are trying to resize and you get errors, then you can use the partition manager in Ubuntu for that.

So, I will lay out the two methods.

Using Windows ‘disk manager’ …

1. Log in to your Windows OS (I’m using 7). Then right click on the ‘My Computer’ icon and choose ‘Manage’.

2. From the next window, from the left, choose ‘Disk Management’.

3. As soon as you do that, Windows will list your current partition layout to the right side as shown below.

4. Now select the partition that you want to resize, right click on it and from the menu choose: ‘Shrink’.

5. Then under ‘Enter the amount of space to Shrink in MB’ option, enter the size in MB for the ‘free space partition’.

6. Once done, click on the ‘Shrink’ button:

Depending on the size and the data on the partition, it might take a while, so be patient (don’t run these tools on battery. If it is a desktop computer, then make sure you have a UPS connected, otherwise, if power goes down while doing it, you will end up losing your data!!).

When everything is complete, you should see the newly created free space partition to the right side of the partition that you just shrank.

If you succeed with this tool, then you can skip the below steps, boot into the Ubuntu Live desktop and go straight to the ‘Installation …’ step.

Using ‘Gparted’ in Ubuntu to resize a Windows partition …

Once booted into the Ubuntu 12.10 Live desktop, search for the following term in ‘Dash’ as shown in the below screenshot.

partition editor

Once the partition editor finishes scanning your HDD, select the partition that you want to resize and right click and choose ‘Resize/Move’ as shown below.

This will open up a new window as shown below.

You can either create the free space partition before or after the existing one. But as a general rule, always create the free space area after the existing partition.

Because if you are using the Windows partition (where it is installed) for this, and create the free space ‘before’ it, then it will make your Windows non-bootable! So never, never do that!

 

Anyway, then you can enter a value in megabytes (MB) for the free space area under the option ‘Free space following (MiB)’, as shown above.

_____________

Important: If you used the keyboard to enter the size, then the ‘Resize/Move’ button will still be deactivated. I don’t know why, but to activate it, you will have to click on the down/up arrows.

However, when you do that, sometimes the ‘0’ value of the ‘Free space preceding (MiB)’ option gets changed. That means that when you resize, if it was the Windows OS partition, it will be non-bootable!

So before clicking the ‘Resize/Move’ button, always, always make sure the value under the ‘Free space preceding (MiB)’ is set to zero.

I have seen people saying ‘GParted’ has f*@k#( their Windows OS after resizing, and this is almost always the reason for that.

_____________

Now click on the ‘Resize’ button and it will take you into the partition editor’s main window. Then to apply the changes (always have a second look at your changes, you never know!), click on the small check-mark icon on the upper toolbar, and it will do the rest for you. Once done, close the partition editor.

Installation …

Step 1:

Once you have created the empty (free space) partition (or had a separate partition from the beginning so jumped directly to this step), click on the ‘Install Ubuntu …’ icon on your Desktop to start the installation.

Then follow the on-screen instructions and when Ubuntu takes you to the ‘installation type’ step, choose the ‘Something else’ option from the list.

Step 2:

This will take you into the partition editor of Ubuntu’s installer, and as you can see, the newly created ‘free space’ is listed at the bottom (it doesn’t have to be listed at the bottom, as it depends on your partition setup).

Now, unlike in the default method, before we can install Ubuntu into an encrypted partition, we have to create a small separate partition for storing the boot files of the OS, otherwise the OS will be unable to boot.

The partition is called ‘boot’, as it holds a few but important files that are necessary for the OS’s boot process (and it is an unencrypted partition).

Step 3:

Now, select the ‘free space’ from the list (if you had prepared a partition manually, then choose that), click on the small cross-mark and this will open up a new window.

The ‘boot’ partition does not have to be a big one and a value of 200MB is more than enough. But I have entered 300MB, just in case :). Under the last option called ‘Mount point’, click on the arrow and choose the ‘/boot’ option. Leave all other options at their default values!

Once done, click the ‘OK’ button and then the partition editor will take a few seconds and create a new partition called ‘/boot’ which is about 300MB in size (in this case), and will list it in its main window.

Step 4:

There should still be a partition called ‘Free space’, under the ‘boot’ partition. Now select it, and click on the cross-mark for creating another one.

From the next window, leave all the settings at their default values (including the size), but under the ‘Use as’ option, click on the down arrow and choose the ‘physical volume for encryption’ option.

As soon as you do that, two new options will be added to the window. One lets you set a password for the encryption of the partition and the other lets you overwrite the empty space for additional security (optional).

So, enter your password twice (never lose this password, otherwise you will not be able to access your data!), then click on the ‘OK’ button and wait for a few seconds and the partition editor will apply your changes and take you into its main window again.

This time, you will notice that, at the top of the list, the newly created, encrypted partition is listed under ‘/dev/mapper/sda6_crypt …’ (the name ‘sda6’ will differ according to your partition setup).

Step 5:

Now, select the newly created partition and then click on the ‘change’ button.

From the next window, under ‘Mount point’, click on the down-arrow and from the menu choose ‘/’. Then click on the ‘OK’ button.

As soon as you do this, you will be taken into the partition setup window again, and this time, under the newly created encrypted partition, you will see ‘/’ is added under the ‘mount point’ field.

That’s it! Now click on the ‘Install now’ button and continue with your usual Ubuntu installation.

‘Swap partition not created’ message …

If you get a message from Ubuntu saying that you have not created a swap partition and asking whether you would like to create one, then simply click the ‘Continue’ button to ignore this warning and continue with the installation.

If you have 4GB or more of RAM, then you can use GNU/Linux distributions without a Swap partition. Nevertheless, once you have finished installing Ubuntu and logged into the Desktop, you can easily create a virtual swap file as well.

If you are interested in how to do that, then please visit this Ubuntu Wiki page. Once you have figured out the size of the Swap file needed, scroll down until you find the ‘Four-step Process to Add Swap File’ sub-heading, and proceed with the instructions to create a virtual Swap file.
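
Once the installation has finished and you have booted into the new system, you can confirm from a terminal that the layout from Steps 3 to 5 is what actually ended up on disk. The script below is an added example, not part of the original guide: it reads lsblk output and fails if ‘/’ is not on the encrypted mapping or if a swap partition sits outside it. The function name check_layout and the sample device names are made up for illustration, and it assumes the file system sits directly on the encrypted volume (no LVM), as in this guide.

```sh
#!/bin/sh
# check_layout (a name made up for this added example) reads the output of
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT
# on stdin. It returns 0 only if "/" sits directly on a dm-crypt mapping
# (TYPE="crypt") and no swap area is left on a plain partition.
check_layout() {
    awk '
    # Return the value of KEY="value" from the current lsblk -P line.
    function val(key,    line) {
        line = " " $0    # leading space so that TYPE does not match FSTYPE
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        name = val("NAME"); type = val("TYPE")
        fs = val("FSTYPE"); mnt = val("MOUNTPOINT")
        if (mnt == "/") {
            seen_root = 1
            if (type == "crypt") print "OK    / is on encrypted mapping " name
            else { print "FAIL  / is on unencrypted " type " " name; bad = 1 }
        }
        if (mnt == "/boot" && type != "crypt")
            print "NOTE  /boot on " name " is unencrypted, as this layout requires"
        if (fs == "swap" && type != "crypt") {
            print "FAIL  swap on " name " is not encrypted"; bad = 1
        }
        if (fs == "crypto_LUKS") print "INFO  encrypted container on " name
    }
    END {
        if (!seen_root) { print "FAIL  no / mount point in input"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample (device names are illustrative, following the sda6 example above).
SAMPLE_GOOD='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ntfs" MOUNTPOINT=""
NAME="sda5" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda6" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda6_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'

# Constructed sample: the same disk plus a plain swap partition outside the encrypted volume.
SAMPLE_PLAIN_SWAP="$SAMPLE_GOOD
NAME=\"sda7\" TYPE=\"part\" FSTYPE=\"swap\" MOUNTPOINT=\"[SWAP]\""

printf '%s\n' "$SAMPLE_GOOD" | check_layout
# On the installed system: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | check_layout
```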

Well, that’s pretty much it. Good luck.

12 thoughts on “How to Setup an Encrypted Ubuntu Installation?”

  1. It’s annoying that you can’t reliably change the setup of the encryption container ubiquity has created, though.
    I struggle with the point that I like to separate “/” from “/home” – on every try, the application crashes, and that’s it :-/

  2. I have two questions:
    1) Which is better: creating a swap partition before installing Ubuntu? or creating swap partition after installation? Please note that I do not like to use swap file. I prefer to have a swap partition instead.

    2) How to create an encrypted swap partition before installation?

    • Hi,

      Well, first of all, if you have a reasonably larger RAM (say >= 4GB), then you can safely skip using a SWAP partition. However, under some special circumstances (say that you use memory hungry, I’m talking about very aggressive ones) applications, it’s wiser to have one anyway. For example, I have 4GB of RAM, and I primarily use it for web-browsing, multimedia playback etc and thus, I’ve always skipped creating a SWAP partition.

      Anyhow, if you want to create a SWAP partition, and haven’t installed Ubuntu yet, then it’s best to create one while you’re installing it (using the installer) as the installer lets you do everything through its GUI and it’s pretty much automatic (creating and enabling the SWAP), and if you were to do it afterwards, then you’ll have to use the command-line a bit. Other than that, I cannot see any other advantages/disadvantages.

      As for the second question, I don’t know the answer for that mate. However, after installing Ubuntu, you can always ‘convert’ an existing SWAP partition easily using ‘cryptsetup’ utility nevertheless.

    • You can create an encrypted swap partition during the installation by leaving a bit of free space after step 4/5. Then repeat those steps with the remaining space (about 2gb should be fine) but instead of marking it as ext4 with the mount point of / mark it as swap space from the “use as” drop down menu.

  3. Hi! Thanks for the detailed instructions. I was wondering what I’m doing wrong trying to create an encrypted partition after an existing OS X partition on a MacBook 2008. When I choose “physical volume for encryption” the mouse cursor keeps rotating and never stops. Don’t see any mapper device.
