This is an easy to follow beginner’s guide shows how to encrypt the full file system while installing Ubuntu.
As you may know, it’s easy to hack against Ubuntu Linux physically. Though users can add password protect to the Grub boot menu, the file system is still accessible via a live system, e.g., bootable USB installer.
To prevent your Ubuntu from physical hacking ultimately, adding password protect to the full system disk can be the best choice. And you can do it during installing Ubuntu.
1.) Firstly, this tutorial is not a full Ubuntu installation guide. If you are not getting started, take a look at this step by step how to install guide.
2.) If you’re going to install Ubuntu as the ONLY operating system in the hard drive, just choose ‘Erase disk and install Ubuntu‘ when you’re at Installation type page.
Then click on ‘Advanced features’ to choose either LVM or ZFS and enable ‘Encrypt the new Ubuntu installation for security’.
3.) Mostly I’ll choose ‘Something else‘ to manually create partitions for Ubuntu file system.
Unlike Fedora and Manjaro, Ubuntu does not provide an ‘Encrypt‘ checkbox while creating an EXT4 partition. Instead you need to create a partition use as ‘physical volume for encryption’.
a.) Simply choose the free space and click on ‘+‘ icon on partition table. In the pop-up Create partition dialog do:
- Set the size for Ubuntu file system. 20 GB at least. For long time use, as large as possible.
- Select use as ‘physical volume for encryption‘.
- Set your password and confirm, and finally click OK.
b.) After clicking OK, wait for a few seconds. A new device ‘/dev/mapper/sdaX_crypt‘ will be created as EXT4 file system.
Highlight it, and click on ‘Change‘ button. In the pop-up dialog, set the mount point as /.
c.) Same to Fedora, you have to create a separated /boot partition, as it can not be encrypted.
To do so, select the free space and click “+” to create:
- 500 MB should be enough. 1 GB will be better.
- use as ‘Ext4 journaling file system’
- mount point /boot
d.) Also create 250 MB ‘EFI System Partition‘ for UEFI boot machine, or 2 MB ‘Reserved BIOS boot area‘ for legacy BIOS boot machine. For small RAM, a swap area is also recommended.
Finally the partition table will look like:
Finally click on “Install Now” button. And confirm on pop-up dialog.
Once you successfully installed Ubuntu, restart and you’ll get into the password prompt when booting Ubuntu (see the top picture). As well, accessing the file system from any other OS need the password you set.
Is it still possible to access the Ubuntu Server 20.04.2 via SSH when the hard disk is encrypted?
It has nothing to do with internet access. Just protect from booting / mounting the disk.
The problem I see with this is the swap partition is not encrypted. I was under the impression that the more recent versions of Ubuntu used a swap file instead of a partition thereby avoiding the exposure of an unencrypted swap partition.
Hello Ji m, Im sorry, do you think this will work with a Dual Boot having Windows as the other SO, im knda worry that if I try this, my windows partition will be lost but I need to have Ubuntu encrypted
Ubuntu install along Windows works 99%. Never had an issue with the guided Ubuntu install. Fedora will fail to boot 99% and you will need to adjust the grub config or install Ubuntu from usb.