Nov 13, 2022

Dual Boot Windows and Ubuntu with Full Disk Encryption

Credit: https://askubuntu.com/questions/918021/encrypted-custom-install/918030

Credit: https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html

Running both systems under a hypervisor is becoming more practical, but Proxmox does not really support Wi-Fi and Qubes has strict hardware requirements, so on a personal computer the practical way to run both Windows and Ubuntu is still to dual boot.

Install Windows 11 Pro

Windows is relatively straightforward to install: when partitioning, just leave part of the disk (for example half) unallocated for Ubuntu. Windows creates the EFI system partition, which Ubuntu will share for its bootloader.

Install Ubuntu

Now comes the hard part. Boot from the Ubuntu installation medium and select 'Try Ubuntu' rather than installing straight away.

Partition

We need an unencrypted /boot partition (around 1GB) for the kernel and initramfs, and an encrypted partition that will hold LVM with the root and swap volumes. Keep in mind what this does and does not protect: the LUKS passphrase protects the data at rest, but /boot and the EFI system partition stay in the clear, so someone with physical access could modify the kernel or initramfs (Secure Boot verifies the signatures on shim, GRUB and the kernel, but not on the initramfs).

I use Disks in Ubuntu to split the free space into a 1GB partition for /boot (nvme0n1p5) and a second partition taking the rest for the encrypted volume (nvme0n1p6). Other tools (fdisk, gdisk, parted) work just as well; the partition numbers may differ on your machine, so substitute your own throughout.

Setup Encryption

Encrypt our disk and call it CryptDisk:

sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p6
sudo cryptsetup luksOpen /dev/nvme0n1p6 CryptDisk

Setup LVM and call it vg0:

sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
# swap size is adjustable; make it at least the size of RAM if you want hibernation
sudo lvcreate -n swap -L 32G vg0
sudo lvcreate -n root -l 100%FREE vg0

Install

Install the OS. Select "Something else" when asked about the installation type. Use /dev/mapper/vg0-root as ext4 mounted at /, /dev/mapper/vg0-swap as swap, and /dev/nvme0n1p5 as ext4 mounted at /boot. Leave the existing EFI system partition created by Windows as it is; the installer uses it for the bootloader.

Setup the loader

When the installer finishes, select 'Continue Testing' instead of rebooting, then find the UUID of the LUKS partition:

sudo blkid | grep LUKS

Note the UUID of the crypto_LUKS partition (/dev/nvme0n1p6); it looks something like bd3b598d-88fc-476e-92bb-e4363c98f81d. Then mount the new system and chroot into it:

sudo mount /dev/vg0/root /target
sudo mount /dev/nvme0n1p5 /target/boot
for n in proc sys dev etc/resolv.conf; do sudo mount --rbind /$n /target/$n; done
sudo chroot /target
mount -a

Inside the chroot, edit /etc/crypttab so the initramfs knows which device to unlock, replacing the UUID with your own:

CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard

The discard option passes TRIM through the encrypted volume to the SSD, which helps the drive's wear levelling but reveals which blocks are unused; drop it if that matters more to you than SSD wear.

Update the setting:

update-initramfs -k all -c
update-grub

Setup Grub

Reboot and, in the firmware (UEFI) boot menu, select the Ubuntu entry or set it as the default.

Edit /etc/default/grub and add (or change) these two settings. GRUB_TIMEOUT=-1 makes the menu wait until you pick an entry, and GRUB_DISABLE_OS_PROBER=false re-enables os-prober, which GRUB 2.06 (Ubuntu 22.04) turns off by default and which is what finds the Windows installation:

GRUB_TIMEOUT=-1
GRUB_DISABLE_OS_PROBER=false

Run

sudo update-grub

and it should now list Windows Boot Manager among the entries.
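The two configuration files above are easy to get subtly wrong, and a wrong crypttab UUID leaves the system unbootable. The script below is an added check written for these notes, not code from the original guide or the credited posts. It verifies that the crypttab entry for CryptDisk points at a UUID that blkid reports as a LUKS container, that / really sits on a dm-crypt device, and that /etc/default/grub re-enables os-prober. It assumes the names used above (mapping CryptDisk, volume group vg0, the files /etc/crypttab and /etc/default/grub); the blkid and crypttab samples embedded in it are constructed, not taken from a real machine, and the filename check-fde.sh is just a suggestion.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: sanity checks for the
# LUKS + LVM layout above. The check functions take their input as text so
# they can be exercised offline; `--live` runs them against the real system.
# Assumes the guide's names: mapping CryptDisk, /etc/crypttab, /etc/default/grub.
set -u

# True if $1 is a blkid-style UUID: 8-4-4-4-12 lowercase hex groups.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the crypttab line for NAME over the LUKS volume UUID; refuse bad UUIDs.
# Usage: crypttab_line CryptDisk <uuid> [options]
crypttab_line() {
  local name=$1 uuid=$2 opts=${3:-luks}
  is_uuid "$uuid" || { echo "crypttab_line: not a UUID: $uuid" >&2; return 1; }
  printf '%s UUID=%s none %s\n' "$name" "$uuid" "$opts"
}

# From crypttab text on stdin, print the UUID the entry for NAME ($1) refers to.
crypttab_uuid_for() {
  awk -v n="$1" '$1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }'
}

# From blkid output on stdin, print the UUID of every crypto_LUKS device.
# Only " UUID=" with a leading space is matched, so PARTUUID= is skipped.
luks_uuids_from_blkid() {
  grep 'TYPE="crypto_LUKS"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Return 0 when crypttab text ($2) maps NAME ($1) to a UUID that blkid
# output ($3) reports as a LUKS container.
crypttab_matches_blkid() {
  local want
  want=$(printf '%s\n' "$2" | crypttab_uuid_for "$1")
  [ -n "$want" ] || return 1
  printf '%s\n' "$3" | luks_uuids_from_blkid | grep -qxF "$want"
}

# Return 0 if /etc/default/grub text ($1) re-enables os-prober; GRUB 2.06
# disables it by default, and without it update-grub will not list Windows.
grub_os_prober_enabled() {
  printf '%s\n' "$1" | grep -Eq '^GRUB_DISABLE_OS_PROBER="?false"?$'
}

# Live system only: is / stacked on a dm-crypt device (lvm -> crypt -> part)?
root_is_encrypted() {
  local src
  src=$(findmnt -no SOURCE /) || return 1
  lsblk -sno TYPE "$src" | grep -qx crypt
}

# Constructed sample data (not real devices) so the checks can run offline.
SAMPLE_BLKID='/dev/nvme0n1p5: UUID="6f0c6ab1-3c0d-4a53-9a2e-5d1d2f3a4b5c" TYPE="ext4" PARTUUID="7a1b2c3d-01"
/dev/nvme0n1p6: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="7a1b2c3d-02"'
SAMPLE_CRYPTTAB='CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard'
SAMPLE_GRUB='GRUB_TIMEOUT=-1
GRUB_DISABLE_OS_PROBER=false'

# Exercise every offline check against the samples; returns 0 if all pass.
self_check() {
  crypttab_matches_blkid CryptDisk "$SAMPLE_CRYPTTAB" "$SAMPLE_BLKID" &&
  ! crypttab_matches_blkid CryptDisk 'CryptDisk UUID=00000000-0000-0000-0000-000000000000 none luks' "$SAMPLE_BLKID" &&
  grub_os_prober_enabled "$SAMPLE_GRUB" &&
  ! grub_os_prober_enabled 'GRUB_TIMEOUT=10'
}

# Run the checks against the installed system (needs sudo for blkid).
live_check() {
  local rc=0 tab blk grub
  tab=$(cat /etc/crypttab); blk=$(sudo blkid); grub=$(cat /etc/default/grub)
  crypttab_matches_blkid CryptDisk "$tab" "$blk" && echo "ok: crypttab UUID is a LUKS device" || { echo "FAIL: crypttab UUID does not match any LUKS device"; rc=1; }
  root_is_encrypted && echo "ok: / is on dm-crypt" || { echo "FAIL: / is not on an encrypted device"; rc=1; }
  grub_os_prober_enabled "$grub" && echo "ok: os-prober enabled" || { echo "FAIL: GRUB_DISABLE_OS_PROBER is not false"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `bash check-fde.sh --live` on the installed system after the chroot steps above; without arguments it only defines the functions and the constructed samples, so it can also be sourced from another script.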

Setup Bitlocker

Boot into Windows 11 Pro and turn on BitLocker for the system drive. By default it unlocks with the TPM alone; the next steps add a pre-boot PIN so that the TPM will not release the key to anyone who simply powers the machine on.

Use Win+R to run gpedit.msc and open the Group Policy Editor.

Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup and enable it.

Then add the PIN: open Manage BitLocker, choose 'Change how drive is unlocked at startup' and pick 'Enter a PIN'. The policy above is what makes this option available.

Do keep a copy of the recovery key somewhere other than this machine! BitLocker seals its key to TPM measurements of the boot chain, so an update that changes that chain (a new GRUB or shim from Ubuntu, or a firmware update) makes Windows demand the recovery key at the next boot. Without it the drive cannot be unlocked and the files are lost.

Fix Grub

Sometimes Ubuntu or Windows updates break GRUB. Here is a quick recovery procedure: boot the Ubuntu live medium, open the LUKS container and activate the volume group, chroot into the installed system and reinstall GRUB:

# from the live medium
sudo cryptsetup luksOpen /dev/nvme0n1p6 CryptDisk
sudo vgchange -ay vg0
sudo mkdir -p /target
sudo mount /dev/vg0/root /target
sudo mount /dev/nvme0n1p5 /target/boot
for n in proc sys dev etc/resolv.conf; do sudo mount --rbind /$n /target/$n; done
sudo chroot /target
# inside the chroot
mount -a
grub-install
update-initramfs -k all -c
update-grub