Nov 13, 2022

Dual Boot Windows and Ubuntu with Full Disk Encryption



While running a hypervisor with virtualization technologies seems more and more feasible, Proxmox does not really support Wi-Fi and Qubes has very strict hardware requirements, so I guess the best way to run both Windows and Ubuntu on a personal computer is still to dual boot.

Install Windows 11 Pro

Windows is relatively straightforward to install: just remember to leave half of the disk to Ubuntu when partitioning.

Install Ubuntu

Now comes the hard part. Boot into Ubuntu and select 'Try it'.


We need an unencrypted /boot partition (around 1GB) and an encrypted root partition.

I use Disks in Ubuntu to partition the free space into one 1GB part (nvme0n1p5) and one other part (nvme0n1p6). I think many tools are available (fdisk, etc.) and you can choose the one you like.

Setup Encryption

Encrypt our disk and call it CryptDisk:

sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p6
sudo cryptsetup luksOpen /dev/nvme0n1p6 CryptDisk

Set up LVM and call it vg0:

sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
# swap size is adjustable (usu. 2x memory)
sudo lvcreate -n swap -L 32G vg0
sudo lvcreate -n root -l +100%FREE vg0


Install the OS. Select "Something else" when asked how to install. Use /dev/mapper/vg0-root as Ext4 and mount to /. Use /dev/mapper/vg0-swap as swap. Use /dev/nvme0n1p5 as Ext4 and mount to /boot.

Setup the loader

Select 'Keep Testing' and set up the loader:

sudo blkid | grep LUKS

Remember the UUID (something like bd3b598d-88fc-476e-92bb-e4363c98f81d).

sudo mount /dev/vg0/root /target
sudo mount /dev/nvme0n1p5 /target/boot
for n in proc sys dev etc/resolv.conf; do sudo mount --rbind /$n /target/$n; done
sudo chroot /target
mount -a

Inside the chroot, edit /etc/crypttab, replacing the UUID with your own:

CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
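
An added example, not part of the original post: a small shell check that the UUID in /etc/crypttab really belongs to a LUKS container in the blkid output, since a mistyped UUID leaves the initramfs unable to unlock the root volume at boot. The function name check_crypttab and the sample data are assumptions made for this illustration; it also flags the discard option, which makes unused-block patterns visible on the disk in exchange for SSD TRIM support.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot sanity check.
# Real use, inside the chroot:  blkid | check_crypttab /etc/crypttab

# check_crypttab FILE   (reads `blkid` output on stdin)
# Prints one finding per line; returns 0 only if every UUID= entry
# points at a device that blkid reports as TYPE="crypto_LUKS".
check_crypttab() {
    ct_blkid=$(cat)
    ct_rc=0
    while read -r name src key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "WARN $name: '$src' is not a UUID= reference"; continue ;;
        esac
        # blkid line shape: /dev/X: UUID="..." TYPE="crypto_LUKS" PARTUUID="..."
        # The leading space keeps PARTUUID="..." from matching.
        hit=$(printf '%s\n' "$ct_blkid" | grep -F " UUID=\"$uuid\"" || true)
        case $hit in
            *'TYPE="crypto_LUKS"'*) echo "OK $name: $uuid is a LUKS container" ;;
            *) echo "FAIL $name: $uuid matches no crypto_LUKS device"; ct_rc=1 ;;
        esac
        case ",$opts," in
            *,discard,*) echo "NOTE $name: discard lets TRIM through dm-crypt, revealing which blocks are unused" ;;
        esac
    done < "$1"
    return "$ct_rc"
}

# Constructed sample data: the LUKS UUID is the article's example value,
# the ext4 UUID is made up.
sample_blkid='/dev/nvme0n1p5: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"
/dev/nvme0n1p6: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS"'
sample_tab=$(mktemp)
echo 'CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard' > "$sample_tab"
printf '%s\n' "$sample_blkid" | check_crypttab "$sample_tab"
rm -f "$sample_tab"
```

A FAIL line means the entry should be corrected before the initramfs is rebuilt.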

Rebuild the initramfs and regenerate the GRUB configuration so the new crypttab entry takes effect:

update-initramfs -k all -c
update-grub

Setup Grub

Restart, and configure the BIOS to get you into Ubuntu.

Edit and add this to /etc/default/grub:




And it should detect Windows.

Setup Bitlocker

Enable BitLocker in Windows 11 Pro.

Use Win+R to run gpedit.msc and open the Group Policy Editor.

Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup and enable it.

Add a PIN in the BitLocker settings.

Do keep a copy of the recovery code! Ubuntu updates can break Windows BitLocker and files may be lost if you do not have the code!

Fix Grub

Sometimes Ubuntu and/or Windows updates break Grub. Here is a quick script that reinstalls Grub:

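# /dev/vg0/root only exists once the LUKS volume has been opened as CryptDisk
sudo mkdir /target
sudo mount /dev/vg0/root /target
sudo mount /dev/nvme0n1p5 /target/boot
for n in proc sys dev etc/resolv.conf; do sudo mount --rbind /$n /target/$n; done
sudo chroot /target
# the remaining commands are typed inside the chroot shell
mount -a
grub-install
update-initramfs -k all -c
update-grub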