LUKS partitioning in Ubuntu Linux 18.04 installer


September 6, 2019


Recently I looked into installation of Ubuntu 18.04 LTS, and whether it was possible to encrypt hard drive partitions as part of the installation process. What my research turned up can most generally be termed confusion. Some reports were that encryption was not supported natively, but that it was possible with external tools, or with UEFI but not BIOS, or with UEFI and LVM. Nowhere did I find basic steps for setting up LUKS partitions from the installer itself, without extra tools, advanced hardware requirements, or other perhaps undesirable constraints such as LVM. Having nonetheless set up a LUKS-partitioned drive without any exotic requirements or constraints, I am laying out the process forthwith.


Set up LUKS partitions in the old school way, without:

  • UEFI (This process works fine on a BIOS controlled system)
  • LVM (Not a requirement for old school LUKS partitions)
  • External tools such as gparted or separate bootable USB keys


From the Ubuntu 18.04 installation media, on the screen with the tempting checkbox for encryption, choose 'Something else'. This bypasses both LVM and the default Ubuntu encryption schema.




I cannot stress it enough: If you are going to set your own partition and encryption parameters, you should do the appropriate research in advance. You should have an idea of correct size for swap space (generally recommended swap space size is twice the amount of RAM in the computer), and the sizes you will want for /home, root and boot partitions. The Ubuntu installer will warn of some errors (such as attempting to set up encrypted partitions but neglecting to encrypt the swap space) but such warnings are not comprehensive and do not take the place of sufficient advance research by the user.


The next screen shows the available space on the target drive. If you have more than one hard drive installed, you will see a similar schema for each drive. Exercise due caution! When you partition a hard drive, you will lose all data on that drive. If you have more than one hard drive installed, you should be very certain which drive you are installing to, and be careful to leave the other drive or drives untouched. All instructions which follow apply only to the drive which is the target for installation.




First, click on the free space and in the resulting window, set a size for your boot partition. This can be relatively small since it will contain only basic boot up software. This partition should have the mount point of /boot and should be unencrypted. Note that there are other possible configurations in which the /boot partition may require an external USB key for added security, but that configuration is beyond the scope of this article.




After creating /boot, click on the free space remaining, and this time select a size for your swap partition. Note that you should NOT at this point define the partition you are creating as swap space. That is, YOU know that this partition will be used as swap space, but do not define it that way in the installer at this time. Instead, select 'Use as physical volume for encryption'.

Do the same thing for the root and /home partitions. In all of these cases, select the size you have decided on for each partition, select 'Use as physical volume for encryption', and do not define any partition specifically as /home, root, etc. All you are doing at this point is creating empty encrypted containers. In the next steps you will define what those containers will hold.




Note that in the illustration there is a /boot partition (not encrypted) and three partitions of varying size with no designation as regards function or mount point. Note also that there is a corresponding encrypted volume for each of the (in this example) three empty encrypted partitions we created above.

In the next step we define the swap, /home and root partitions, not by selecting the original partitions on the target drive, but rather by selecting the empty encrypted containers we created above. One at a time, define these partitions as swap, /home and root, as seen in the illustration.



When we are finished defining partitions and setting mount points, we can see that the /boot partition and three empty partitions are planned for the target drive. The three empty partitions correspond to three encrypted volumes which contain the mount points for swap, root and /home.




If everything is defined as desired, selecting 'Install now' will bring up a confirmation screen indicating proposed changes to the target drive.




Notes, problems and distractions:

The installer is not foolproof. It will let you make invalid selections, such as making the swap space, /boot partition, etc. too small. Only after you have selected 'Install now' will you be warned of the invalid condition. In this case it is highly recommended that you reboot the computer and begin from scratch rather than attempting to repair the partitions you defined.

Appropriate advance research regarding partition sizes can minimize installation frustration, and having to re-run the installer multiple times.

When in doubt, make a partition bigger than you otherwise would. For example, if your root partition is too small you may find yourself short on space for application software once the system is in regular use. Resizing any partition after the fact is always dangerous and inconvenient, doubly so with an encrypted partition. Allocating more space for a partition than you can ever imagine needing eliminates this problem entirely or at minimum pushes it far into the future.

This setup schema will require two passphrases (to unlock the root and /home partitions separately) when the system starts up. With a little creativity, you can use this to your advantage to increase overall security. Consider the two passphrases 'and secure the ble' and 'ssings of liberty'. Both passphrases, being related, are easier to remember, but both contain constructions which are unlikely to be used in any dictionary-based attack (note that the swap partition, while encrypted with a passphrase as above, will not require a passphrase to unlock when the system boots).

If inclined, you can boot your system with an external tool such as System Rescue CD and confirm that LUKS encrypted partitions exist on the target drive.
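As an added example (not part of the original post), here is a small POSIX shell probe that reads the LUKS magic and version from the first bytes of each partition, so the containers can be confirmed from a rescue environment. The image files it creates are constructed stand-ins for real partitions.

```shell
#!/bin/sh
# A LUKS1 or LUKS2 volume begins with the 6-byte magic "LUKS\xba\xbe"
# followed by a big-endian 16-bit version (1 or 2). This probe reads
# only those 8 bytes; it is a sanity check, not a replacement for cryptsetup.

# Print the LUKS version of a block device or image file and return 0,
# or print nothing and return 1 when no LUKS header is present.
luks_version() {
    dev="$1"
    # First 8 bytes as a contiguous lowercase hex string.
    hdr=$(dd if="$dev" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Probe every partition given on the command line and report each one.
report_luks() {
    for part in "$@"; do
        if v=$(luks_version "$part"); then
            echo "$part: LUKS$v container"
        else
            echo "$part: not LUKS (plaintext such as /boot, or unformatted)"
        fi
    done
}

# Constructed sample images so the script runs without a real LUKS drive;
# on a live or rescue system pass the real partitions, e.g. /dev/sda1 /dev/sda2.
printf 'LUKS\272\276\000\002' > /tmp/luks2.img     # LUKS2 header
printf 'LUKS\272\276\000\001' > /tmp/luks1.img     # LUKS1 header
printf '\353\163\220mkfs.fat' > /tmp/boot.img      # FAT-like boot sector, no LUKS

report_luks /tmp/luks2.img /tmp/luks1.img /tmp/boot.img
```

On a real system, `cryptsetup isLuks /dev/sdXn` and `cryptsetup luksDump /dev/sdXn` give the authoritative answer, and `lsblk -f` shows which opened containers carry the swap, root and /home mount points.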

Happy and secure computing!






