{"id":46994,"date":"2024-08-03T14:37:20","date_gmt":"2024-08-03T14:37:20","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=46994"},"modified":"2025-09-30T14:48:11","modified_gmt":"2025-09-30T14:48:11","slug":"encrypt-existing-ubuntu-system","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/08\/encrypt-existing-ubuntu-system\/","title":{"rendered":"How to Encrypt An Existing Ubuntu 24.04 System"},"content":{"rendered":"<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-46965\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo-250x250.webp\" alt=\"\" width=\"250\" height=\"250\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo-250x250.webp 250w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo-300x300.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo-700x700.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo-768x768.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/07\/gufw-logo.webp 1200w\" sizes=\"auto, (max-width: 250px) 100vw, 250px\" \/><\/a><\/p>\n<p>This step-by-step tutorial shows how to encrypt Ubuntu, while preserving its data, after you have installed it on your computer.<\/p>\n<p>While installing Ubuntu 24.04, if you didn&#8217;t choose to use the entire disk, then there&#8217;s no graphical option to enable encryption. 
You can, however, manually encrypt the full Ubuntu system afterward.<\/p>\n<p>After that, on every boot of the Ubuntu system, <b>it asks for a password to unlock the boot entry (if the <code>\/boot<\/code> partition is also encrypted), then asks again to unlock the disk partition before the user is able to log in.<\/b><\/p>\n<div id=\"attachment_46995\" style=\"width: 620px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted.webp\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-46995\" class=\"size-large wp-image-46995\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted-700x402.webp\" alt=\"\" width=\"610\" height=\"350\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted-700x402.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted-300x172.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted-768x441.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/ubuntu-encrypted.webp 849w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><p id=\"caption-attachment-46995\" class=\"wp-caption-text\">It asks for a password twice: to unlock the boot entry &amp; then the root partition<\/p><\/div>\n<p><!--more--><\/p>\n<p>This tutorial was tested on <b>Ubuntu 24.04 LTS<\/b> with the default Grub boot-loader. The system setup includes:<\/p>\n<ul>\n<li>Secure boot: disabled. Not sure if it is required.<\/li>\n<li><code>\/boot\/efi<\/code> on a separate <code>\/dev\/sda3<\/code> partition.<\/li>\n<li>All other system files (including \/boot, \/home, swap area) on a single <b>Ext4<\/b> \/dev\/sda4 partition.<\/li>\n<\/ul>\n<p>It should also work if you have separate <code>\/boot<\/code>, <code>\/home<\/code>, and swap partitions. For non-Ext4 file systems, however, the shrink process may differ.<\/p>\n<p><b>NOTE: The encryption process in this tutorial MAY BREAK YOUR SYSTEM!!! 
Don&#8217;t do it on a production machine unless you know how to restore it.<\/b><\/p>\n<h3>Step 1: Preparation<\/h3>\n<p>Before getting started, it&#8217;s always recommended to <b>backup<\/b>, <b>backup<\/b>, and <b>backup<\/b>! Back up your important data, because any mis-configuration or hardware interruption can break your system!<\/p>\n<p><b>1<\/b>. First, boot and log into Ubuntu 24.04. Then, press <code>Ctrl+Alt+T<\/code> to open up a terminal window. When it opens, run the command:<\/p>\n<pre>df -h<\/pre>\n<p>The command helps to find out the root partition mounted on \/, where the bootloader is installed, and the separate partitions for <code>\/boot<\/code> and <code>\/home<\/code>, if any.<\/p>\n<p>In my case (see the screenshot below), I have only <b>\/dev\/sda4<\/b> for root, and <b>\/dev\/sda3<\/b> for \/boot\/efi boot-loader. For NVMe SSD, the device names will be like <b>\/dev\/nvmeXnYpX<\/b> (e.g., \/dev\/nvme0n1p3).<\/p>\n<p>You need to write them down or remember them (including separate \/home and \/boot partitions, if they exist) for later use.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46997\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare-700x508.webp\" alt=\"\" width=\"610\" height=\"443\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare-700x508.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare-300x218.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare-768x558.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-prepare.webp 866w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p><b>2.<\/b> Then, install the required <code>cryptsetup<\/code> package by running the command:<\/p>\n<pre>sudo apt install cryptsetup<\/pre>\n<p>Also, check if SELinux is enabled 
by running the command below in a terminal:<\/p>\n<pre>sudo apt install policycoreutils &amp;&amp; sestatus<\/pre>\n<h3>Step 2: Boot another Linux OS (or LiveUSB) on the computer<\/h3>\n<p>To encrypt Ubuntu, you need to un-mount the file-system first. That means you need to boot the computer with another Linux OS to do the encryption process.<\/p>\n<p>If you have a dual-boot Linux system installed on the computer, just reboot into it. If NOT, create a <a href=\"https:\/\/ubuntuhandbook.org\/index.php\/2022\/04\/usb-installer-ubuntu-22-04\/\" target=\"_blank\" rel=\"noopener\">boot-able USB installer<\/a> for, e.g., Ubuntu, Mint, or Debian, then boot the live system from USB.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/boot-live-noble.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46369\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/boot-live-noble-700x389.webp\" alt=\"\" width=\"610\" height=\"339\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/boot-live-noble-700x389.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/boot-live-noble-300x167.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/boot-live-noble.webp 720w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<h3>Step 3: Encrypt your Ubuntu System<\/h3>\n<p>Once you boot into the live system, close the installer wizard to get to the live desktop.<\/p>\n<p>Then, identify the Ubuntu 24.04 root partition and \/boot\/efi (and separate \/home and \/boot partitions, if they exist), either by launching <b>GNOME Disks<\/b> (available in Ubuntu and other Linux distributions with GNOME) or by mounting and checking in the file manager.<\/p>\n<p><b>In my case, they are &#8220;\/dev\/sda4&#8221; (root) and &#8220;\/dev\/sda3&#8221; (\/boot\/efi). Replace them with yours in all the commands below!<\/b><\/p>\n<h4>1. 
Shrink to make some room for the LUKS header<\/h4>\n<p>If mounted manually, unmount all the disk partitions. Then, open a terminal (Ctrl+Alt+T) and run the command:<\/p>\n<pre>sudo e2fsck -f \/dev\/sda4<\/pre>\n<p>This command forces a check of the Ubuntu file system, which is required before it can be shrunk. Replace <b>\/dev\/sda4<\/b> with your Ubuntu root partition.<\/p>\n<p>Next, shrink the Ubuntu file-system to be a bit smaller, so there&#8217;s enough space for the LUKS header:<\/p>\n<pre>sudo resize2fs \/dev\/sda4 91G<\/pre>\n<p>Replace <code>\/dev\/sda4<\/code> and <b>91G<\/b> (a bit smaller than 92G in my case) according to what you got in &#8220;Step 1: Preparation&#8221;.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46998\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu-700x330.webp\" alt=\"\" width=\"610\" height=\"288\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu-700x330.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu-300x141.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu-768x362.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/shrink-ubuntu.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<h4>2. Encrypt the Ubuntu partition<\/h4>\n<p>Once you have enough free space (32M at least) for the LUKS header, run the command below to encrypt the Ubuntu root file system:<\/p>\n<pre>sudo cryptsetup reencrypt --encrypt --type luks2 --hash sha256 --pbkdf pbkdf2 --reduce-device-size 32M \/dev\/sda4<\/pre>\n<p>Again, replace <code>\/dev\/sda4<\/code> with your Ubuntu root partition. Here is a description of the command options:<\/p>\n<ul>\n<li><b><code>--type luks2<\/code><\/b> &#8211; optional for Ubuntu 24.04 since it&#8217;s the default. 
For old Ubuntu and other Linux with GRUB older than version 2.06, <code>luks2<\/code> is NOT supported. GRUB 2.06 has initial support but with limitations. So for old Grub, use <code>--type luks1<\/code> instead.<\/li>\n<li><b><code>--hash sha256<\/code><\/b> &#8211; tells which hash function to use; also optional, since <code>sha256<\/code> is the default value.<\/li>\n<li><b><code>--pbkdf pbkdf2<\/code><\/b> &#8211; <b>required<\/b>, because the Grub boot-loader so far does NOT support the default <code>Argon2id<\/code> mode, but only <code>pbkdf2<\/code>.<\/li>\n<\/ul>\n<p>After running the command, type YES in the terminal to confirm the operation. Then, type a password and confirm it again (there is no visual feedback, so just type carefully). The password will be used to un-lock your Ubuntu system while booting.<\/p>\n<p><b>NOTE: This command can take quite a few minutes! On a laptop, plug in the power supply and disable suspend to avoid interruption!<\/b><\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46999\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key-700x456.webp\" alt=\"\" width=\"610\" height=\"397\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key-700x456.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key-300x195.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key-768x500.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/encrypt-add-key.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>Optionally, you may add another password for backup or other use via the command:<\/p>\n<pre>sudo cryptsetup luksAddKey --type luks2 --hash sha256 --pbkdf pbkdf2 \/dev\/sda4<\/pre>\n<p>(NOT tested) If you have a separate <code>\/home<\/code> partition and want to 
encrypt it, repeat the last commands to shrink it to make room, then encrypt it via the <code>cryptsetup reencrypt<\/code> command.<\/p>\n<h3>Step 4. Configure Grub Bootloader &amp; Tell Ubuntu to unlock at boot<\/h3>\n<p>After encryption, you need to re-generate the Grub boot menu entry, and tell Ubuntu to unlock the root at every boot.<\/p>\n<p><strong>This step is also done in either the dual-boot Linux OS or the live system booted from USB.<\/strong><\/p>\n<h4>1. Unlock Root file system<\/h4>\n<p>First, run the command below to unlock it (\/dev\/sda4 is now an encrypted container, rather than the root partition):<\/p>\n<pre>sudo cryptsetup open \/dev\/sda4 sda4_crypt<\/pre>\n<p>This command asks for the password (the one you set in the last step) to unlock, then maps the root filesystem to <code>\/dev\/mapper\/<b>sda4_crypt<\/b><\/code>. Change <b>sda4_crypt<\/b> to whatever name you want, though you then also need to replace it in all the commands below.<\/p>\n<p>Then, resize the file system back to the maximum size (you shrank it in the last step):<\/p>\n<pre>sudo resize2fs \/dev\/mapper\/sda4_crypt<\/pre>\n<p>In the command, replace <code>sda4_crypt<\/code> if you used another name in the last command.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47000\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks-700x258.webp\" alt=\"\" width=\"610\" height=\"225\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks-700x258.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks-300x111.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks-768x283.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/unlock-luks.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<h4>2. 
Mount &amp; Chroot to the filesystem<\/h4>\n<p>Next, mount the root file-system, which is mapped to <code>\/dev\/mapper\/sda4_crypt<\/code> in my case, by running the command:<\/p>\n<pre>sudo mount \/dev\/mapper\/sda4_crypt \/mnt<\/pre>\n<p>If there&#8217;s a separate <code>\/boot<\/code> partition (for example, \/dev\/sdaX), then mount it via:<\/p>\n<pre>sudo mount \/dev\/sdaX \/mnt\/boot<\/pre>\n<p>And, mount the \/boot\/efi partition (\/dev\/sda3 in my case) to the corresponding directory:<\/p>\n<pre>sudo mount \/dev\/sda3 \/mnt\/boot\/efi<\/pre>\n<p>Also, bind-mount the pseudo filesystems:<\/p>\n<pre>sudo mount --rbind \/proc \/mnt\/proc<\/pre>\n<pre>sudo mount --rbind \/sys \/mnt\/sys<\/pre>\n<pre>sudo mount --rbind \/dev \/mnt\/dev<\/pre>\n<p>Finally, chroot into the root file-system, so you can operate just as if you were logged in to it remotely.<\/p>\n<pre>sudo chroot \/mnt \/bin\/bash<\/pre>\n<p>After this command, you&#8217;ll find the terminal prompt changed to &#8216;root@ubuntu:\/#&#8217;.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47001\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks-700x390.webp\" alt=\"\" width=\"610\" height=\"340\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks-700x390.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks-300x167.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks-768x428.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/mount-luks.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<h4>3. Configure Grub and Crypttab<\/h4>\n<p><b>The root UUID does NOT change after encrypting the root (and\/or \/home) system partition, but the device name does. 
The root is NO longer \/dev\/sda4 in my case, it&#8217;s now \/dev\/mapper\/sda4_crypt.<\/b><\/p>\n<p><b>If you have ever edited &#8216;\/etc\/fstab&#8217; to use device names (e.g., \/dev\/sdaX, \/dev\/nvme0nXpY) instead of UUIDs for mounting system partitions on boot, then you need to change them accordingly. If NOT, just skip this and leave that file unchanged.<\/b><\/p>\n<p>In this chroot environment, run the command below to edit the grub config file:<\/p>\n<pre>nano \/etc\/default\/grub<\/pre>\n<p>Then, add a new line <b>GRUB_ENABLE_CRYPTODISK=y<\/b> to tell Grub to un-lock <code>\/boot<\/code> at every boot (<i>not required if <code>\/boot<\/code> is on a separate un-encrypted partition<\/i>), then press Ctrl+S to save and Ctrl+X to exit.<\/p>\n<p>If your Ubuntu has SELinux enabled (it&#8217;s usually disabled by default), then add the <b>enforcing=0<\/b> kernel parameter to the value of GRUB_CMDLINE_LINUX_DEFAULT to tell it to work in permissive mode, or your Ubuntu may refuse to boot. 
You can then remove the kernel parameter after the first boot of the encrypted Ubuntu system.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47002\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub-700x456.webp\" alt=\"\" width=\"610\" height=\"397\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub-700x456.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub-300x195.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub-768x500.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-defaultgrub.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>Then, edit <code>\/etc\/crypttab<\/code> via the command below:<\/p>\n<pre>nano \/etc\/crypttab<\/pre>\n<p>Then, add the line below to tell the system to unlock the encrypted container (specified by UUID) and map it to <code>\/dev\/mapper\/sda4_crypt<\/code> on every boot.<\/p>\n<pre>sda4_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,tries=3<\/pre>\n<p>Here, the UUID value is the UUID of &#8216;\/dev\/sda4&#8217;. 
Run the <code>udevadm info -q all -n \/dev\/sda4 |grep by-uuid<\/code> command in another terminal window (Ctrl+Alt+T) to find it, while <code>blkid<\/code> will output the incorrect one.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47003\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab-700x456.webp\" alt=\"\" width=\"610\" height=\"397\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab-700x456.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab-300x195.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab-768x500.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/luks-crypttab.webp 966w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>If a separate <code>\/home<\/code> partition is also encrypted, add a new line to the file:<\/p>\n<pre>sdaX_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,tries=3<\/pre>\n<p>In this line, replace the UUID according to the output of the <code>udevadm info -q all -n \/dev\/sdaX |grep by-uuid<\/code> command in another terminal, replacing <code>\/dev\/sdaX<\/code> according to where your <code>\/home<\/code> is located.<\/p>\n<h4>4. Apply Changes<\/h4>\n<p>Also, in the chroot environment, re-install the grub boot-loader via the command:<\/p>\n<pre>grub-install --target=x86_64-efi --efi-directory=\/boot\/efi --boot-directory=\/boot\/efi\/EFI\/ubuntu --recheck<\/pre>\n<p>Here is what the command options do:<\/p>\n<ul>\n<li><code>--target=x86_64-efi<\/code> &#8211; install GRUB for the amd64 (Intel\/AMD) platform. 
The value can also be <code>arm-efi<\/code>, <code>arm64-efi<\/code>, etc., depending on your CPU architecture type.<\/li>\n<li><code>--efi-directory=\/boot\/efi<\/code> &#8211; specifies the EFI partition, which was mounted to \/boot\/efi in the last step.<\/li>\n<li><code>--boot-directory=\/boot\/efi\/EFI\/ubuntu<\/code> &#8211; Ubuntu by default sets the boot directory to <code>\/boot<\/code>. However, it&#8217;s encrypted in my case. So, use this one instead.<\/li>\n<li><code>--recheck<\/code> tells it to delete the existing device map.<\/li>\n<\/ul>\n<p>Finally, update the grub configuration via the command:<\/p>\n<pre>grub-mkconfig -o \/boot\/efi\/EFI\/ubuntu\/grub\/grub.cfg<\/pre>\n<p><b>NOTE:<\/b> The <code>update-grub<\/code> command no longer works here, since it auto-generates <code>\/boot\/grub\/grub.cfg<\/code>, while the <code>--boot-directory=<\/code> option in the last command told GRUB to install the config file to \/boot\/efi\/EFI\/ubuntu, which is un-encrypted.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47005\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub-700x580.webp\" alt=\"\" width=\"610\" height=\"505\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub-700x580.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub-300x248.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub-768x636.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/08\/regenerate-grub.webp 866w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>Also, you need to run the command below to regenerate the initramfs images.<\/p>\n<pre>update-initramfs -c -k all<\/pre>\n<h4>Unmount and Reboot<\/h4>\n<p>When everything&#8217;s done, exit the chroot environment by running the 
command:<\/p>\n<pre>exit<\/pre>\n<p>Then, unmount via the following commands. For a <code>--rbind<\/code> mount, you need to re-run the mount command with the <code>--make-slave<\/code> option to allow recursively changing the type of all the mounts. Otherwise, it will refuse to unmount and report that the target is busy.<\/p>\n<pre>sudo umount \/mnt\/boot\/efi<\/pre>\n<pre>sudo mount --make-slave \/mnt\/proc<\/pre>\n<pre>sudo umount -R \/mnt\/proc<\/pre>\n<pre>sudo mount --make-slave \/mnt\/sys<\/pre>\n<pre>sudo umount -R \/mnt\/sys<\/pre>\n<pre>sudo mount --make-slave \/mnt\/dev<\/pre>\n<pre>sudo umount -R \/mnt\/dev<\/pre>\n<p>And, close (lock) the encrypted partition:<\/p>\n<pre>sudo cryptsetup close sda4_crypt<\/pre>\n<p>Finally, shut down the computer by running the command:<\/p>\n<pre>shutdown -P now<\/pre>\n<p>To keep it simple, <strong>you may run the shutdown command directly after exiting the chroot,<\/strong> as it will automatically unmount and close the encrypted partition.<\/p>\n<p>Now, restart your computer to see the magic (or break your system\ud83d\ude05. It takes me quite a few hours to troubleshoot).<\/p>","protected":false},"excerpt":{"rendered":"<p>This step-by-step tutorial shows how to encrypt Ubuntu, while preserving its data, after you have installed it on your computer. While installing Ubuntu 24.04, if you didn&#8217;t choose to use the entire disk, then there&#8217;s no graphical option to enable encryption. You can, however, manually encrypt the full Ubuntu system afterward. 
So, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":46965,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[2011,2039],"class_list":["post-46994","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-disk-encryption","tag-security"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=46994"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46994\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media\/46965"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=46994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=46994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=46994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}