How to Encrypt An Existing Ubuntu 24.04 System

Last updated: September 6, 2024 — 5 Comments

This is a step by step tutorial shows how to encrypt Ubuntu, while preserving its data, after you installed it on your computer.

While installing Ubuntu 24.04, if you didn’t choose to use the entire disk, then there’s no graphical option to enable encryption. You can however manually encrypt the full Ubuntu system afterward.

So, on every boot of the Ubuntu system, it asks to input password to unlock boot entry (if /boot partition is also encrypted), then asks again to unlock disk partition before user being able to login.

it asks password twice to unlock boot entry & then root partition

This tutorial is tested in Ubuntu 24.04 LTS with default Grub boot-loader. The system setup include:

  • Secure boot: disabled. Not sure if it required.
  • /boot/efi on separated /dev/sda3 partition.
  • all other system files (including /boot, /home, swap area) on single Ext4 /dev/sda4 partition.

It should also work if you have separated /boot, /home, and swap. But for non-Ext4 file system, the shrink process may differ.

NOTE: The encryption process in this tutorial MAY BREAK YOUR SYSTEM!!! Don’t do it on production machine, unless you know how to restore.

Step 1: Preparation

Before getting started, it’s always recommend to backup, backup, and backup! Back your important data, because any mis-configuration and hardware interrupt can break your system!

1. First, boot and log into Ubuntu 24.04. Then, press Ctrl+Alt+T to open up a terminal window. When it opens, run command:

df -h

The command will help to find out the root partition mount on /, where the bootloader installed to, and separated partitions for /boot and /home if any.

In my case (see the screenshot below), I have only /dev/sda4 for root, and /dev/sda3 for /boot/efi boot-loader. For NVMe SSD, the device names will be like /dev/nvmeXnYpX (e.g., /dev/nvme0n1p3).

You need to write them done or remember them (including separated /home /boot if exist) for later use.

2. Then, install the required cryptsetup package by running command:

sudo apt install cryptsetup

Also, check if SELinux is enabled by running the command below in terminal:

sudo apt install policycoreutils && sestatus

Step 2: Boot another Linux OS (or LiveUSB) in the computer

To encrypt Ubuntu, you need to un-mount the file-system first. Meaning, you need to boot the computer with another Linux OS for doing the encryption process.

If you have a dual-boot Linux system installed on the computer, just reboot into it. If NOT, create a boot-able USB installer for e.g., Ubuntu, Mint, Debian, then boot the live system from USB.

Step 3: Encrypt your Ubuntu System

Once you boot into the live system, close the installer wizard to get into live desktop.

Then, identify the Ubuntu 24.04 root partition, /boot/efi (and separated /home /boot if exist), either by launching GNOME Disks (available in Linux, Ubuntu, and other Linux with GNOME) or by mounting and checking in the file manager.

In my case, they are “/dev/sda4” (root) and “/dev/sda3” (/boot/efi). Replace them to yours in all the commands below!

1. Shrink to make some room for LUKS header

If mounted manually, unmount all the disk partitions. Then, open terminal (Ctrl+Alt+T) and run command:

sudo e2fsck -f /dev/sda4

This command forces to check the Ubuntu file system, which is required before being able to shrink it. Replace /dev/sda4 to yours Ubuntu root.

Next, shrink the Ubuntu file-system to be a bit smaller, so there’s required space for LUKS header:

sudo resize2fs /dev/sda4 91G

Replace /dev/sda4 and 91G (a bit smaller than 92G in my case) according to what you got in “Step 1: Preparation”.

2. Encrypt the Ubuntu partition

Once you have enough free space (32M at least) for the LUKS header, run the command below to encrypt the Ubuntu root file system:

sudo cryptsetup reencrypt --encrypt --type luks2 --hash sha256 --pbkdf pbkdf2 --reduce-device-size 32M /dev/sda4

Also, replace /dev/sda4 to yours Ubuntu root partition, and here are the description for command options:

  • --type luks2 – optional for Ubuntu 24.04 since it’s default. For old Ubuntu and other Linux with GRUB old than version 2.06 luks2 is NOT support. GRUB 2.06 has initial support but with limitations. So for old Grub, use --type luks1 instead.
  • --hash sha256 – tell which hash function to use, also optional since sha256 is default value.
  • --pbkdf pbkdf2required, because Grub boot-loader so far does NOT support the default Argon2id mode, but only pbkdf2.

After running the command, type YES in terminal output to confirm the operation. Then, type a password and confirm again (no visual feedback, just type in mind), the password will be used to un-lock your Ubuntu system while booting.

NOTE: This command can take quite a few minutes! For laptop, plug-in the power supply and disable suspend in case of interruption!

For choice, you may add another password for backup or other use via command:

sudo cryptsetup luksAddKey --type luks2 --hash sha256 --pbkdf pbkdf2 /dev/sda4

(NOT tested) If you have separated /home file partition and want to encrypt it, re-do the last commands to shrink to make room, and encrypt via cryptsetup reencrypt command.

Step 3. Configure Grub Bootloader & Tell Ubuntu to unlock at boot

After encryption, you need to re-generate the Grub boot menu entry, and tell Ubuntu to unlock the root at every boot.

This step is also done in either the dual-boot Linux OS or live system booted from USB.

1. Unlock Root file system

First, run the command below to unlock (/dev/sda4 now is encrypted container, rather root partition):

sudo cryptsetup open /dev/sda4 sda4_crypt

This command will ask you the password (you set in last step) to unlock, then map the root filesystem to /dev/mapper/sda4_crypt. Change sda4_crypt with whatever name as you want, though you need to also replace it in all the commands below.

Then, resize it to be maximized (you shrank it in last step):

sudo resize2fs /dev/mapper/sda4_crypt

In the command, replace sda4_crypt according to the last command.

2. Mount & Chroot to the filesystem

Next, mount the root file-system, which is mapped to /dev/mapper/sda4_crypt in my case, by running command:

sudo mount /dev/mapper/sda4_crypt /mnt

If there’s a separated /boot partition (for example, /dev/sdaX), then mount it via:

sudo mount /dev/sdaX /mnt/boot

And, mount the /boot/efi (/dev/sda3 in my case) to the corresponding directory:

sudo mount /dev/sda3 /mnt/boot/efi

Also, bind-mount pseudo filesystems:

sudo mount --rbind /proc /mnt/proc
sudo mount --rbind /sys /mnt/sys
sudo mount --rbint /dev /mnt/dev

Finally, chroot into the root file-system, so you can operate just like remotely logged in.

sudo chroot /mnt /bin/bash

After this command, you’ll find the terminal prompt changed to be ‘root@ubuntu:/#’.

3. Configure Grub and Crypttab

The root UUID does NOT change after encrypted the root (and/or /home) system partition, but device name changed. The root is NO longer /dev/sda4 in my case, it’s now /dev/mapper/sda4_crypt.

If your have ever edited ‘/etc/fstab’ to use device name (e.g., /dev/sdaX, /dev/nvme0nXpY) instead of UUID for mounting system partitions on boot, then you need to change them accordingly. If NOT, just skip and leave that file unchanged.

In this chroot environment, run the command below to edit the grub config file:

nano /etc/default/grub

Then, you need to add new line GRUB_ENABLE_CRYPTODISK=y to tell Grub to un-lock /boot at every boot (not required if it’s mounted in separated un-encrypted partition), then press Ctrl+S to save and Ctrl+X to exit.

If your Ubuntu has SELinux enabled (it’s usually disabled by default), then add enforcing=0 kernel parameter as value of GRUB_CMDLINE_DEFAULT to tell it to work in permissive mode, or your Ubuntu may refuse to boot. You can then remove the kernel parameter after first boot of the encrypted Ubuntu system.

Then, edit the /etc/crypttab via command below:

nano /etc/crypttab

Then, add the line below to tell to unlock the encrypted container (specified by UUD) and map to /dev/mapper/sda4_crypt on every boot.

sda4_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,retries=3

Here is the UUID of ‘/dev/sda4’. Run udevadm info -q all -n /dev/sda4 |grep by-uuid command in another terminal window (Ctrl+Alt+T) to tell, while blkid will output the incorrect one.

If there’s also separated /home partition encrypted, add new line in the file:

sdaX_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,retries=3

In this line, replace the UUID according to udevadm info -q all -n /dev/sdaX |grep by-uuid command output in another terminal. Though, you need to replace /dev/sdaX according to where you /home located.

4. Apply Changes

Also, in the chroot environment, re-install grub boot-loader via command:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --boot-directory=/boot/efi/EFI/ubuntu --recheck

Here, the command options tell:

  • --target=x86_64-efi – install GRUB for amd64 (Intel/AMD) platform. The value can also be arm-efi, arm64-efi, etc, depends on your CPU architecture.
  • --efi-directory=/boot/efi – specify the EFI partition, it’s mounted to /boot/efi in last step.
  • --boot-directory=/boot/efi/EFI/ubuntu – Ubuntu by default set boot directory to /boot. However, it’s encrypted in my case. So, use this one instead.
  • --recheck tells to delete the existing device map.

Finally, update grub configuration via command:

grub-mkconfig -o /boot/efi/EFI/ubuntu/grub/grub.cfg

NOTE: The update-grub command no long works here, since the command auto-generates /boot/grub/grub.cfg. While --boot-directory= option in last command told to install the config file to /boot/efi/EFI/ubuntu which is un-encrypted.

Also, you need to run the command below to regenerate initramfs images.

update-initramfs -c -k all

Unmount and Reboot

When everything’s done well, exit the chroot environment by running command:

exit

Then, umount via following commands. For --rbind mount, you need to re-run mount command with --make-slave option to allow to recursively change the type of all the mounts. Or, it will refuse to umount and say busy.

sudo umount /mnt/boot/efi
sudo mount --make-slave /mnt/proc
sudo umount -R /mnt/proc
sudo mount --make-slave /mnt/sys
sudo umount -R /mnt/sys
sudo mount --make-slave /mnt/dev
sudo umount -R /mnt/dev

And, close (lock) the encrypted partition:

sudo cryptsetup close sda4_crypt

Finally, shutdown the computer by running command:

shutdown -P now

For lazy man, you may run the shutdown command directly after exit chroot, as it will automatically umount and close encrypted partition.

Now, restart your computer to see the magic (or break your system😅. It takes me quite a few hours to troubleshoot).

Twitter

I'm a freelance blogger who started using Ubuntu in 2007 and wishes to share my experiences and some useful tips with Ubuntu beginners and lovers. Please comment to let me know if the tutorial is outdated! And, notify me if you find any typo/grammar/language mistakes. English is not my native language. Contact me via ubuntuhandbook1@gmail.com Buy me a coffee: https://ko-fi.com/ubuntuhandbook1 |

5 responses to How to Encrypt An Existing Ubuntu 24.04 System

  1. Ji, thank you for the awesome guide. Very helpful and these days almost a requirement for mobile devices.

    I have a question.
    How SELinux is related to LUKS? Mine shows “disabled” and I’m currently running Ubuntu with LUKS, a separate unencrypted /boot in EFI and Secure Boot enabled (dual-boot with Windows encrypted with BitLocker).

    I don’t recall disabling the SELinux when initially set my config. Not sure if there are any implications because SELinux is disabled or if it is normal as replaced by AppArmor.

    • I’m not familiar with SELinux. But if it’s enabled, it may prevent system from booting due to the change you made in this tutorial. User has to enable enforcing=0 kernel parameters to make it work in permissive mode, then remove it after successfully boot the encrypted Ubuntu system for the first time.

      • Thanks for the clarification.
        I wrongly assumed the SElinux supposedly needs to be enabled as found in the Preparation sections and it reads “check if SELinux is enabled”.

  2. Thanks for this great tutorial. So I may have done something wrong in the setup, because I have to enter the LUKS passphrase at two different stages on boot; once at the beginning of the boot sequence, where grub shows a screen “enter passphrase for Luks” [encrypted partition UUID], then another time after the next splash screen to load the Ubuntu kernel, it asks for it again before finally loading the login manager, with the language “Please unlock disk”. I disabled the splash quiet in /etc/default/grub so it shows the boot log.

    Is there a way to enter the Luks password only one time, either on the initial boot, or after the grub menu is loaded and booting into Linux that is on the encrypted partition? I only encrypted the Linux part.

    • It’s correct! It asks for the password twice if your Ubuntu does not have a separate /boot partition.

      The Grub boot-loader asks for password, at the first time, to un-lock the /boot partition so it can load the kernel. Then, Ubuntu asks the password again for being able to mount the file system.

      There are 2 workarounds if you don’t want to type the password twice:

      • Create a key file for decryption, and configure Ubuntu to un-lock automatically via the key. So you don’t need to type password anymore.
      • Use a separated un-encrypted partition (1GB) for /boot. This is default behavior the Ubuntu installer will do, when choose full disk encryption during installing the system. In the case, you don’t need to add ‘GRUB_ENABLE_CRYPTODISK=y’ in /etc/default/grub.

Leave a Reply

Text formatting is available via select HTML.

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> 

*