How to encrypt ubuntu mate partition with LUKS?

Hi, this is my first topic here. I want to know how to encrypt an Ubuntu MATE partition with LUKS. I use Windows 8.1, so I want to make a dual boot Windows/Ubuntu, but I want Ubuntu encrypted. Sorry for my bad English; I only know Spanish. Please forgive my ignorance, and thanks for your time.

Hi @avotaaaaaaaaa,

see the following links:


The last time I did this was with Win 7 and Ubuntu 14.04, so I can’t vouch for it with current versions, and I haven’t tried it with Ubuntu Mate. Make sure you create a restore disk for your Winblow$ install before you try it!

  1. Boot from an Ubuntu live DVD or USB stick, and select “Try Ubuntu”.

  2. Create two partitions using GParted included in the live disk. The first partition should be ~2 GB, unencrypted, and formatted in ext3 for /boot. The second partition should be unformatted and should be large enough for root and swap. Make it take up the remainder of the available space. Since you can only have four primary partitions, you may need to create an extended partition to house these two, depending on how many partitions Windows sucks up.

  3. Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and cryptubuntu with a name of your choice.

    sudo cryptsetup luksFormat /dev/sda3
    sudo cryptsetup luksOpen /dev/sda3 cryptubuntu
  4. Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. vgubuntu is the name of the volume group, and lvubunturoot and lvubuntuswap are the names of the logical volumes, or you can choose your own.

    sudo pvcreate /dev/mapper/cryptubuntu
    sudo vgcreate vgubuntu /dev/mapper/cryptubuntu

    When you set the GB size for the following line, make it 2 GB less than the available space reported for /dev/sda3 so there is plenty of room for the swap logical volume; otherwise, you’ll end up having to reboot and start over, unless you can figure out how to free up the cryptubuntu LUKS disk you’ve opened above.

    sudo lvcreate -n lvubunturoot -L <insert value in GB for remaining space here>g vgubuntu
    sudo lvcreate -n lvubuntuswap -L 1g vgubuntu
  5. Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)

    sudo mkfs.ext4 /dev/mapper/vgubuntu-lvubunturoot
    sudo mkswap /dev/mapper/vgubuntu-lvubuntuswap
  6. Don’t reboot! You need the LUKS volume you created open to continue. Start Ubiquity, and install Ubuntu using the graphical installer, choosing manual partitioning (“Something Else” from the partitioning page). Assign / to /dev/mapper/vgubuntu-lvubunturoot and /boot to the unencrypted partition created in step 2 (in this example, /dev/sda4).

  7. Once the graphical installer is finished, select “continue testing” and open a terminal.

  8. Find the UUID of the LUKS partition (/dev/sda3 in this case) using blkid, and copy it to a new document in your favorite editor; e.g., Gedit or Pluma:

    sudo blkid /dev/sda3
    /dev/sda3: UUID="a4348ef9-f5ea-48e6-ba27-d25995728152" TYPE="crypto_LUKS"
  9. Mount the appropriate devices to the appropriate locations in /mnt, and chroot into it:

    sudo mount /dev/mapper/vgubuntu-lvubunturoot /mnt

    Make sure you adjust the device (sda2) in the next line to match the device in your installation.

    sudo mount /dev/sda2 /mnt/boot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt
    mount -t proc proc /proc
    mount -t sysfs sys /sys
    mount -t devpts devpts /dev/pts
  10. Create a file named /etc/crypttab in the chrooted environment to contain this line, replacing the UUID value with the UUID of the LUKS partition, and vgubuntu with the name of the volume group:

    # <target name> <source device> <key file> <options>
    cryptubuntu UUID=a4348ef9-f5ea-48e6-ba27-d25995728152 none luks,retry=1,lvm=vgubuntu
  11. Create a file named /etc/initramfs-tools/conf.d/cryptroot in the chrooted environment to contain this line, replacing cryptubuntu with the name used to open the LUKS container, and the UUID value with the UUID of the LUKS partition:


  12. Run the following command in the chrooted environment:

    update-initramfs -k all -c

  13. Edit the file named /etc/default/grub in the chrooted environment, and find the line that looks like this:


    Change it to look like this, replacing cryptubuntu, vgubuntu and the UUID value with the appropriate values:


  14. Run the following command in the chrooted environment:


  15. If you’re doing this after a fresh installation of Windoze, open GParted and make sure there isn’t a “boot” flag in the flags column for one of the Windows partitions. If there is, right-click on that line and remove the boot flag, then put one in the Ubuntu boot partition.

  16. Reboot and boot into the encrypted Ubuntu. You should be prompted for a password.

  17. Check that you’re using the encrypted partition for / by running mount:

    $ mount
    /dev/mapper/vgubuntu-lvubunturoot on / type ext4 (rw,errors=remount-ro)
    /dev/sda4 on /boot type ext3 (rw)
    # rest of output cut for brevity
  18. Check that you’re using the encrypted swap partition (not any unencrypted swap partitions from any other installations) by running this command:

    $ swapon -s
    Filename                              Type      Size   Used Priority
    /dev/mapper/vgubuntu-lvubuntuswap partition 630780 0    -1
  19. Check that you can boot into recovery mode; you don’t want to find out later during an emergency that recovery mode doesn’t work :)

  20. Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.
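
An added example, not part of the original post: a check to run before the reboot in step 16, confirming that the /etc/crypttab entry from step 10 names the same UUID that blkid reported in step 8 and carries the luks option. The function names are hypothetical, and the embedded inputs are the sample values shown in the post.

```shell
#!/bin/sh
# Added example. Inputs are the sample values from steps 8 and 10 of the post.
BLKID_LINE='/dev/sda3: UUID="a4348ef9-f5ea-48e6-ba27-d25995728152" TYPE="crypto_LUKS"'
CRYPTTAB='# <target name> <source device> <key file> <options>
cryptubuntu UUID=a4348ef9-f5ea-48e6-ba27-d25995728152 none luks,retry=1,lvm=vgubuntu'

# Print the UUID from one line of blkid output; fail unless TYPE is crypto_LUKS.
luks_uuid_from_blkid() {
    case $1 in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
    # The leading space keeps PARTUUID="..." from matching.
    lu_uuid=$(printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    [ -n "$lu_uuid" ] && printf '%s\n' "$lu_uuid"
}

# check_crypttab TARGET UUID TEXT
# Returns 0 if TEXT has an entry for TARGET whose source is UUID=<UUID> and
# whose options include "luks"; 1 = no entry, 2 = wrong source, 3 = no luks option.
check_crypttab() {
    cc_found=1
    while read -r cc_name cc_src cc_key cc_opts; do
        case $cc_name in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$cc_name" = "$1" ] || continue
        cc_found=0
        if [ "$cc_src" != "UUID=$2" ]; then
            echo "crypttab: $1 points at $cc_src, expected UUID=$2" >&2
            return 2
        fi
        case ",$cc_opts," in
            *,luks,*) ;;
            *) echo "crypttab: $1 lacks the luks option" >&2; return 3 ;;
        esac
    done <<EOF
$3
EOF
    if [ "$cc_found" -ne 0 ]; then
        echo "crypttab: no entry named $1" >&2
        return 1
    fi
}

# On the live system, inside the chroot, the inputs would come from:
#   BLKID_LINE=$(blkid /dev/sda3); CRYPTTAB=$(cat /etc/crypttab)
if uuid=$(luks_uuid_from_blkid "$BLKID_LINE") &&
   check_crypttab cryptubuntu "$uuid" "$CRYPTTAB"; then
    echo "crypttab entry matches LUKS partition $uuid"
else
    echo "fix /etc/crypttab before rebooting"
fi
```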