Image for

How to Dual-Boot Ubuntu 20.04 and Windows 10 with Encryption

When you run the Ubuntu installer, there’s an option to dual-boot Ubuntu with an existing Windows installation. There’s also an option to encrypt your Ubuntu installation, but only if you erase everything and install ubuntu. There’s no automatic way to install Ubuntu alongside Windows 10 with encryption. And while there are plenty of tutorials for dual-booting Ubuntu and Windows, many of them are outdated – often referencing an MBR partition table – and almost none of them seem to address encrypting your Ubuntu partition.

Dual-booting with encrypted storage should not be this hard in 2020.

–Me, while figuring out how to do this.

In reality, once you figure it out, it’s not that hard. The tricky thing is that this isn’t well-documented anywhere! So I’m hoping to fix that with this tutorial blog post. Honestly, if you know enough about Ubuntu to set up a dual-boot with Windows, it’s only a little bit harder to do it with encryption. I prepared this tutorial on a Dell Latitude e7450, and I fine-tuned it when I tested it on my Dell Precision 5510. So it should work with almost no modification on most Dell systems, and with only minor modifications (particularly around BIOS setup) on most other types of computers.

References

To write this guide, I compiled information from several sources. Here are some of the most useful references I found:

It is worth noting that this method doesn’t encrypt /boot. While there are valid reasons for encrypting /boot, the graphical installer does not encrypt it when you do a graphical install with LUKS. As such, I’m matching that precedent, and keeping the simplicity of an unencrypted /boot partition. Thus, the guide I’ve compiled below is just about the simplest way to have a LUKS encryption with dual-boot.

Why encryption is important

I began using encrypted storage on all my personal computers 5 or 6 years ago after noticing that all the companies I’d worked for required it, and had good reason to. Laptops get lost and stolen all the time. They’re high-value items that are small and easy to carry. And when a thief gets your laptop, there’s tons of valuable information on it that they can use or sell. Even if you use a password to log in, it’s easy for an attacker to gain access to your data if your disk isn’t encrypted – for example, by using a live USB stick. And once they have that data, they might get access to online accounts, bank statements, emails, and tons of other data. For me, an encrypted hard disk isn’t optional anymore – its a necessity.

An Overview

So what are we going to do? This tutorial will help you set up a system to dual-boot Ubuntu 20.04 and Windows 10. (I haven’t tested it, but it should work with most other modern versions (~16.04+) of Ubuntu or Windows.) The system will use a GPT hard disk with UEFI (your BIOS must support UEFI). The Ubuntu partition will be encrypted with LUKS.1 The Windows partition can optionally be encrypted with BitLocker. I’m going to keep the Ubuntu installation as close to a “default” installation as possible – no fancy tricks like a separate /home partition, but it should be somewhat easy to add that yourself if you really want to.

I’m going to start with a blank hard disk, installing both Windows 10 and Ubuntu from scratch. If you already have Windows installed and you want to keep it, you should be able to shrink your windows partition and join us in phase 3 (though you might want to skim phases 1 and 2 to understand what we did).

To give you a broad overview of where we’re headed, here’s what we’re going to do:

  1. Prepare the installation media and computer
  2. Install Windows 10
  3. Create an encrypted partition for Ubuntu
  4. Install Ubuntu

Of course, as with any new OS installation, you should back up any important data before proceeding. The instructions below will erase all the data on your hard disk. Proceed at your own risk; I’m not responsible for any damage or data loss.

Phase 1: Prepare the installation media and computer

Since we’re installing both Windows 10 and Ubuntu from scratch, we’ll need a USB stick for each. If you don’t already have a computer running Ubuntu or Windows, making the installation media will be a little harder – but there are tutorials for that and I’ll let you figure it out on your own.

  1. Create a Windows Installer USB stick. The easiest way is to use the Windows 10 Media Creation Tool from a computer that’s already running Windows.
  2. Create an Ubuntu 20.04 USB stick. The easiest way is to download the ISO and use the Startup Disk Creator on a computer that’s already running Ubuntu.

Great! We’ve got our USB sticks ready to go! One final thing before we get started – we need to make sure our BIOS is set up correctly. In particular, we want to make sure we’re using UEFI to boot our OS.2

The Dell BIOS

  1. Ensure your computer is running the latest BIOS available. This is important because an out-of-date BIOS can have bugs, and those bugs sometimes affect things like UEFI, non-Windows operating systems, or other components we’ll be touching.
  2. Edit your BIOS settings. The following names are probably specific to Dell BIOS, but other manufacturers will have similar settings.
    1. Under General and Boot Sequence, make sure your Boot List Option is set to UEFI.
    2. Under General and Advanced Boot Options, I disabled Legacy Option ROMs. It’s important that both OSes install in UEFI mode. (You can probably enable this when installation is complete if you care).
    3. Under Security, TPM Security must be enabled if you want to easily set up BitLocker in Windows.
    4. I disabled Secure Boot. I’m not sure if this is absolutely required, and you can try leaving it on or re-enabling it when you’re done if you want.

Now that our BIOS is configured for UEFI, we’re going to set up our hard disk.

For this tutorial, your BIOS must support UEFI!

Most modern computers support this, but if yours doesn't this tutorial won't work for you. You should consider:

  • Installing only Linux with encryption using the graphical installer.
  • OR Installing only Windows with encryption.
  • OR Dual-booting Linux and Windows without encryption using Ubuntu's graphical installer.
  • OR Finding another tutorial or figuring out how to do this with an MBR disk.
  1. Completely erase your hard disk and set it up for UEFI by doing the following.3
    1. Boot your Ubuntu USB stick and use Try without installing.
    2. Open a terminal. Make it fullscreen while you’re at it.
    3. Figure out what your primary hard disk is called. It will probably be either /dev/sda or /dev/nvme0n1. Importantly, it’s not /dev/sda1 or /dev/nvme0n1p1 – those are partitions of the disk. One way to figure out what yours is called is to run lsblk and look at the disk size. Throughout the rest of this guide, I’m going to refer to /dev/sda. If yours is not /dev/sda, replace /dev/sda with your own (perhaps /dev/sdb or /dev/nvme0n1) for the rest of this guide.
    4. Run the following commands. This will initialize the drive as a GPT drive and create a 550M EFI system partition formatted as FAT32.

      $ sudo su
      # sgdisk --zap-all /dev/sda
      # sgdisk --new=1:0:+550M /dev/sda
      # sgdisk --change-name=1:EFI /dev/sda
      # sgdisk --typecode=1:ef00 /dev/sda
      # mkfs.fat -F 32 /dev/sda1
      

OK, phase 1’s complete. We have our installation media ready to go and the computer’s BIOS and hard drive is set up correctly. Next, we’ll install Windows.

Phase 2: Install Windows

In this phase, we’re going to install Windows. Note that when we do this, we’re going to leave some unallocated space to install Linux later. This is a good approach because the Windows installer will mess with our partitions a little bit, and its easier to let it do so before finalizing our Linux partitions.

The Windows installer

  1. Boot from your Windows Installer USB stick.
  2. Choose a Custom (advanced) install to get to the Windows partitioning tool.
  3. Create a new partition. The size of this partition should be the amount of disk space you want to use for Windows. In this example, I did 80G since the SSD on my computer is relatively small. If unsure, do about half of your hard disk.
  4. Windows will warn you that it is going to create an extra system partition. This is good.4
  5. Install Windows onto the partition you just made. There’s no need to format any partitions – the Windows installer will take care of that for you.
  6. When the Windows installation is finished, log in and enable BitLocker on drive C:. This will automatically create yet another partition on your disk (a Windows recovery partition) - which is why we’re doing it before partitioning for Ubuntu.

At this point, you can start using Windows. But I’d avoid doing too much setup or personalization yet so you don’t have to do it again if something goes wrong below. If you want to double check your partitions, this is what you’ll be left with after installing Windows and enabling BitLocker:

ubuntu@ubuntu:~$ sudo sgdisk --print /dev/sda
Disk /dev/sda: 500118192 sectors, 238.5 GiB

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1128447   550.0 MiB   EF00  EFI
   2         1128448         1161215   16.0 MiB    0C01  Microsoft reserved ...
   3         1161216       167825076   79.5 GiB    0700  Basic data partition
   4       167825408       168900607   525.0 MiB   2700

Phase 3: Partition the drive for Ubuntu

This is the trickiest phase since this is where we need to manually set up our encrypted disks for Ubuntu. We’re going to make it work very similar to the way the Ubuntu installer would set things up if you encrypted your whole disk.

Disk partitions in GParted

Throughout this section, I’m going to be referencing sgdisk commands. You could use gdisk if you’re comfortable with it and want an interactive interface, or you could use GParted if you prefer. sgdisk commands are just easier to reference in a tutorial. And again, I’ll be referring to /dev/sda, but there’s a chance yours could be named something like /dev/nvme0n1 – just continue substituting whatever you’ve been using.

If you want, you can run sudo sgdisk --print /dev/sda to examine the partition table before moving on. You’ll see multiple partitions created by the Windows installer, and should see some empty space where we’re about to install Ubuntu.

  1. Again, Boot the Ubuntu USB stick and Try without installing.
  2. Open a terminal. It’s a good idea to make it fullscreen.
  3. Make a partition for /boot and a partition for our Linux system & data (to be encrypted with LUKS).

    $ sudo su
    # sgdisk --new=5:0:+768M /dev/sda
    # sgdisk --new=6:0:0 /dev/sda
    # sgdisk --change-name=5:/boot --change-name=6:rootfs /dev/sda
    # sgdisk --typecode=5:8300 --typecode=6:8300 /dev/sda
    # mkfs.ext4 -L boot /dev/sda5
    

Now, we’re going to encrypt our Linux data partition.

  1. Setup LUKS on our Linux data partition.

    # cryptsetup luksFormat --type=luks1 /dev/sda6
    WARNING!
    ========
    This will overwrite data on /dev/sda6 irrevocably.
       
    Are you sure? (Type uppercase yes): YES
    Enter passphrase for /dev/sda6: 
    Verify passphrase: 
       
    # cryptsetup open /dev/sda6 sda6_crypt
    Enter passphrase for /dev/sda6: 
       
    # ls /dev/mapper/
    control sda6_crypt
    
  2. Setup LVM inside our encrypted partition for a data volume and swap space. It’s good that our swap space is inside the encrypted partition because of data that could be there when the system suspends. Also, for suspend/hibernate to work, you should have at least as much swap space as memory. My laptop has 8G memory, so I’ll create 8G swap space.5

    # pvcreate /dev/mapper/sda6_crypt
    Physical volume "/dev/mapper/sda6_crypt" successfully created.
    # vgcreate ubuntu-vg /dev/mapper/sda6_crypt
    Volume group "ubuntu-vg" successfully created
    # lvcreate -L 8G -n swap_1 ubuntu-vg
    Logical volume "swap_1" created.
    # lvcreate -l 100%FREE -n root ubuntu-vg
    Logical volume "root" created.
    

Now, all our partitions are prepared. Don’t stop here! Continue to the next phase without exiting the Ubuntu live environment.

Phase 4: Install Ubuntu

  1. Run the Ubuntu installer from the Desktop, and choose Something else to configure partitions yourself.
    1. Use our ~768M partition as ext4 with mount point /boot
    2. Use /dev/mapper/ubuntu--vg-root as ext4 with mount point /
    3. Use /dev/mapper/ubuntu--vg-swap_1 as swap
    4. The bootloader device should be /dev/sda (though it appears that this setting might not actually be used in UEFI mode)
  2. When the installer is finished, hit Continue Testing. We have to do a couple more things before we restart.
  3. Set up etc/crypttab. This is what will allow you to unlock your encrypted drive by typing in your passphrase when booting.
    1. Find the UUID of the partition you set up with LUKS: sudo blkid /dev/sda6
    2. Get into a chroot in the newly installed system:

      # mount /dev/mapper/ubuntu--vg-root /target
      # mount /dev/sda5 /target/boot
      # for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done 
      # chroot /target
            
      # mount -a
      
    3. Inside your chroot (that is, in the same terminal), set up /etc/crypttab. Use your favorite editor to edit this file. I’ll use vi. sudo vi /etc/crypttab Save the following file contents, replacing the UUID with the actual UUID you found above.

      # <target name> <source device> <key file> <options>
      # options used:
      #     luks    - specifies that this is a LUKS encrypted device
      #     tries=0 - allows to re-enter password unlimited number of times
      #     discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab")
      #     loud    - display all warnings
      sda6_crypt UUID=abcdefgh-1234-5678-9012-abcdefghijklm none luks,discard
      
    4. Run the following to apply the changes you just made.

      # update-initramfs -k all -c
      

Done! Congratulations, you’ve created a dual-boot system with Ubuntu 20.04 and Windows 10 with all your data encrypted! Now that both installations are finished, you can reboot your computer.

By default, your computer will boot into grub, which can boot Ubuntu. Although Windows is listed in grub, booting Windows from grub with BitLocker enabled won’t work because the system’s TPM will detect a change in the boot sequence. To avoid this problem, you should boot Windows directly from your computer’s BIOS boot menu - usually accessible by pressing F12 on startup.

As a reference, here’s the final state of my hard drive (with 2 logical volumes on the rootfs partition for / and swap):

$ sudo sgdisk --print /dev/sda
Disk /dev/sda: 500118192 sectors, 238.5 GiB
 
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1128447   550.0 MiB   EF00  EFI
   2         1128448         1161215   16.0 MiB    0C01  Microsoft reserved ...
   3         1161216       167825076   79.5 GiB    0700  Basic data partition
   4       167825408       168900607   525.0 MiB   2700  
   5       168900608       170473471   768.0 MiB   8301  /boot
   6       170473472       500118158   157.2 GiB   8301  rootfs

I hope you found this guide useful, and I hope full-disk encryption with Ubuntu becomes more popular and better-supported as a result!


  1. Ubuntu supports other types of encryption. But home folder encryption can cause lots of problems and incompatibilities. And the cryptsetup manpages recommend LUKS over dm-crypt. 

  2. Booting in UEFI is important for this process to work. There’s an in-depth discussion of boot modes here

  3. Here’s a good resource for UEFI info. 

  4. According to the sgdisk man pages, “If Windows is to boot from a GPT disk, a partition of type Microsoft Reserved (sgdisk internal code 0x0C01) is recommended. This partition should be about 128 MiB in size. It ordinarily follows the EFI System Partition and immediately precedes the Windows data partitions.” 

  5. There’s a good discussion of suspend modes here, highlighting the need for swap space. 

Share!

Did you like this blog post? Why not share it with your network!