How to Encrypt An Existing Ubuntu 24.04 System
This is a step-by-step tutorial that shows how to encrypt Ubuntu, while preserving its data, after you have installed it on your computer.
While installing Ubuntu 24.04, if you didn’t choose to use the entire disk, then there’s no graphical option to enable encryption. You can, however, manually encrypt the full Ubuntu system afterward.
After that, on every boot the Ubuntu system asks for a password to unlock the boot entry (if /boot is also encrypted) and the disk partition before the user can log in.
This tutorial is tested in Ubuntu 24.04 LTS with the default GRUB boot-loader. The system setup includes:
- Secure boot: disabled. Not sure if it is required.
- /boot/efi on a separate /dev/sda3 partition.
- All other system files (including /boot, /home, swap area) on a single Ext4 /dev/sda4 partition.
It should also work if you have separate /boot, /home, and swap partitions. But not for non-Ext4 file systems, since the shrink step relies on the Ext4 tools e2fsck and resize2fs.
NOTE: The encryption process in this tutorial MAY BREAK YOUR SYSTEM!!! Don’t do it on a production machine, unless you know how to restore it.
Step 1: Preparation
Before getting started, it’s always recommended to back up, back up, and back up! Back up your important data, because any misconfiguration or hardware interruption can break your system!
1. First, boot and log into Ubuntu 24.04. Then, press Ctrl+Alt+T to open a terminal window. When it opens, run the command:
df -h
The command helps find the root partition mounted on /, where the bootloader is installed, and the separate partitions for /boot and /home, if any.
In my case (see the screenshot below), I have only /dev/sda4 for root, and /dev/sda3 for the /boot/efi boot-loader. For an NVMe SSD, the device names look like /dev/nvmeXnYpZ (e.g., /dev/nvme0n1p3).
You need to write them down or remember them (including the separate /home and /boot partitions, if they exist) for later use.
2. Then, install the required cryptsetup package by running the command:
sudo apt install cryptsetup
Also, check whether SELinux is enabled by running the command below in the terminal:
sudo apt install policycoreutils && sestatus
Step 2: Boot another Linux OS (or LiveUSB) in the computer
To encrypt Ubuntu, you need to unmount its file system first. That means you need to boot the computer with another Linux OS to do the encryption.
If you have a dual-boot Linux system installed on the computer, just reboot into it. If NOT, create a bootable USB installer for, e.g., Ubuntu, Mint, or Debian, then boot the live system from the USB.
Step 3: Encrypt your Ubuntu System
Once you boot into the live system, close the installer wizard to get into live desktop.
Then, identify the Ubuntu 24.04 root partition, /boot/efi (and the separate /home and /boot partitions, if they exist), either by launching GNOME Disks (available in Ubuntu and other Linux distributions with GNOME) or by mounting and checking in the file manager.
In my case, they are “/dev/sda4” (root) and “/dev/sda3” (/boot/efi). Replace them with yours in all the commands below!
1. Shrink to make some room for LUKS header
If you mounted them manually, unmount all the disk partitions. Then, open a terminal (Ctrl+Alt+T) and run the command:
sudo e2fsck -f /dev/sda4
This command forces a check of the Ubuntu file system, which is required before it can be shrunk. Replace /dev/sda4 with your Ubuntu root.
Next, shrink the Ubuntu file system to be a bit smaller, so there’s room for the LUKS header:
sudo resize2fs /dev/sda4 91G
Replace /dev/sda4 and 91G (a bit smaller than the 92G in my case) according to what you got in “Step 1: Preparation”.
2. Encrypt the Ubuntu partition
Once you have enough free space (at least 32M) for the LUKS header, run the command below to encrypt the Ubuntu root file system:
sudo cryptsetup reencrypt --encrypt --type luks2 --hash sha256 --pbkdf pbkdf2 --reduce-device-size 32M /dev/sda4
Again, replace /dev/sda4 with your Ubuntu root partition. Here is a description of the command options:
- --type luks2 – optional for Ubuntu 24.04 since it’s the default. For old Ubuntu and other Linux distributions with GRUB older than version 2.06, luks2 is NOT supported. GRUB 2.06 has initial support but with limitations. So for old GRUB, use --type luks1 instead.
- --hash sha256 – tells which hash function to use; also optional since sha256 is the default value.
- --pbkdf pbkdf2 – required, because the GRUB boot-loader so far does NOT support the default Argon2id mode, but only pbkdf2.
After running the command, type YES in the terminal to confirm the operation. Then, type a password and confirm it again (there is no visual feedback, so type carefully). This password will be used to unlock your Ubuntu system while booting.
NOTE: This command can take quite a few minutes! On a laptop, plug in the power supply and disable suspend to avoid interruption!
Optionally, you may add another password for backup or other use via the command:
sudo cryptsetup luksAddKey --type luks2 --hash sha256 --pbkdf pbkdf2 /dev/sda4
(NOT tested) If you have a separate /home partition and want to encrypt it, redo the last commands: shrink it to make room, then encrypt it via the cryptsetup reencrypt command.
Step 4: Configure Grub Bootloader & Tell Ubuntu to unlock at boot
After encryption, you need to regenerate the Grub boot menu entry and tell Ubuntu to unlock the root at every boot.
This step is also done in either the dual-boot Linux OS or live system booted from USB.
1. Unlock Root file system
First, run the command below to unlock it (/dev/sda4 is now an encrypted container rather than the root partition):
sudo cryptsetup open /dev/sda4 sda4_crypt
This command asks for the password (the one you set in the last step) to unlock, then maps the root file system to /dev/mapper/sda4_crypt. Change sda4_crypt to whatever name you want, though you then need to replace it in all the commands below too.
Then, grow the file system back to fill the container (you shrank it in the last step):
sudo resize2fs /dev/mapper/sda4_crypt
In the command, replace sda4_crypt according to the name you used in the last command.
2. Mount & Chroot to the filesystem
Next, mount the root file system, which is mapped to /dev/mapper/sda4_crypt in my case, by running the command:
sudo mount /dev/mapper/sda4_crypt /mnt
If there’s a separate /boot partition (for example, /dev/sdaX), then mount it via:
sudo mount /dev/sdaX /mnt/boot
And mount /boot/efi (/dev/sda3 in my case) to the corresponding directory:
sudo mount /dev/sda3 /mnt/boot/efi
Also, bind-mount pseudo filesystems:
sudo mount --rbind /proc /mnt/proc
sudo mount --rbind /sys /mnt/sys
sudo mount --rbind /dev /mnt/dev
Finally, chroot into the root file system, so you can work in it as if you were logged into the installed Ubuntu.
sudo chroot /mnt /bin/bash
After this command, you’ll find the terminal prompt changed to ‘root@ubuntu:/#’.
3. Configure Grub and Crypttab
In this chroot environment, run the command below to edit the grub config file:
nano /etc/default/grub
When the file opens, add the new line GRUB_ENABLE_CRYPTODISK=y, then press Ctrl+S to save and Ctrl+X to exit.
This step is NOT required if you have a separate /boot partition that’s NOT encrypted.
Then, edit /etc/crypttab via the command below:
nano /etc/crypttab
Then, add the line below to tell it to unlock the encrypted container (specified by UUID) and map it to /dev/mapper/sda4_crypt on every boot.
sda4_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,retries=3
Here, the UUID is that of ‘/dev/sda4’. Run udevadm info -q all -n /dev/sda4 | grep by-uuid in another terminal window (Ctrl+Alt+T) to find it, while blkid will output the incorrect one.
If there’s also a separate /home partition that was encrypted, add a new line to the file:
sdaX_crypt UUID=xxxxx-xxx-xxx-xxx-xxxx none luks,retries=3
In this line, replace the UUID according to the udevadm info -q all -n /dev/sdaX | grep by-uuid command output in another terminal, replacing /dev/sdaX accordingly.
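Before rebooting, a practitioner would want to confirm two things the steps above rely on: that every LUKS keyslot uses pbkdf2 (GRUB cannot open Argon2id slots) and that the crypttab UUID belongs to the LUKS container, not to the ext4 file system inside it. The bash script below is an added example, not code from the original tutorial or from UbuntuHandbook; its sample luksDump and udevadm output is constructed, and the helper names luks_slots_not_pbkdf2 and crypttab_line are my own.

```shell
#!/bin/bash
# Added pre-reboot check for the procedure above; not part of the original tutorial.
# Both helpers parse saved command output, so they can be run offline:
#   sudo cryptsetup luksDump /dev/sda4 > dump.txt
#   sudo udevadm info -q all -n /dev/sda4 > udev.txt

# Print the keyslot numbers whose PBKDF is not pbkdf2.  GRUB cannot unlock
# Argon2id keyslots, so a listed slot would be unusable at the boot prompt.
luks_slots_not_pbkdf2() {   # $1 = luksDump output
    printf '%s\n' "$1" | awk '
        /^[[:space:]]+[0-9]+: luks2/ { slot = $1; sub(":", "", slot) }
        /^[[:space:]]+PBKDF:/        { if ($2 != "pbkdf2") print slot }'
}

# Build the /etc/crypttab line from the UUID udev assigned to the container
# (the "S: disk/by-uuid/..." link).  Refuses anything that is not a LUKS
# container, which catches the inner ext4 UUID that must not be used here.
crypttab_line() {   # $1 = mapper name, $2 = udevadm output
    local uuid
    printf '%s\n' "$2" | grep -q '^E: ID_FS_TYPE=crypto_LUKS$' \
        || { echo "not a LUKS container, wrong device?" >&2; return 1; }
    uuid=$(printf '%s\n' "$2" | sed -n 's#^S: disk/by-uuid/##p' | head -n 1)
    [ -n "$uuid" ] || { echo "no by-uuid link found" >&2; return 1; }
    printf '%s UUID=%s none luks,retries=3\n' "$1" "$uuid"
}

# Constructed sample output (shape of cryptsetup 2.x / udevadm, values invented).
SAMPLE_DUMP='Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  7
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
Digests:
  0: pbkdf2
        Hash:       sha256'
SAMPLE_UDEV='N: sda4
S: disk/by-uuid/2a7c9b10-5e3f-4d21-8c4a-0f6b1d2e3a45
S: disk/by-partuuid/7d1b2c3e-04
E: ID_FS_TYPE=crypto_LUKS'

if [ "${1:-}" = "demo" ]; then
    echo "keyslots GRUB cannot open: $(luks_slots_not_pbkdf2 "$SAMPLE_DUMP")"
    crypttab_line sda4_crypt "$SAMPLE_UDEV"
fi
```

Run it with the argument demo to see the sample result, or feed it real dump.txt and udev.txt contents via "$(cat dump.txt)"; any slot it lists must be re-added with --pbkdf pbkdf2 before you reboot.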
Finally, edit /etc/fstab via the command:
nano /etc/fstab
This is usually NOT required, since the root file system’s UUID didn’t change, though the root partition name changed from “/dev/sda4” (now the encrypted container) to “/dev/mapper/sda4_crypt” in my case.
Just in case, run udevadm info -q all -n /dev/mapper/sda4_crypt | grep by-uuid to find the root UUID, and compare it with the one in /etc/fstab.
4. Apply Changes
Also in the chroot environment, reinstall the grub boot-loader via the command:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --boot-directory=/boot/efi/EFI/ubuntu --recheck
Here, the command options mean:
- --target=x86_64-efi – install GRUB for the amd64 (Intel/AMD) platform. The value can also be arm-efi, arm64-efi, etc., depending on your CPU architecture.
- --efi-directory=/boot/efi – specify the EFI partition; it’s mounted at /boot/efi from the last step.
- --boot-directory=/boot/efi/EFI/ubuntu – Ubuntu by default sets the boot directory to /boot. However, it’s encrypted in my case, so use this one instead.
- --recheck – tells GRUB to delete the existing device map.
Finally, update grub configuration via command:
grub-mkconfig -o /boot/efi/EFI/ubuntu/grub/grub.cfg
NOTE: The update-grub command no longer works here, since it auto-generates /boot/grub/grub.cfg, while the --boot-directory= option in the last command told grub-install to put the config files in /boot/efi/EFI/ubuntu, which is unencrypted.
Also, you need to run the command below to regenerate the initramfs images:
update-initramfs -c -k all
Step 5: Unmount and Reboot
When everything is done, exit the chroot environment by running the command:
exit
Then, unmount via the following commands. For the --rbind mounts, you need to re-run mount with the --make-slave option so the type of all the mounts can be changed recursively; otherwise, umount will refuse and say the target is busy.
sudo umount /mnt/boot/efi
sudo mount --make-slave /mnt/proc
sudo umount -R /mnt/proc
sudo mount --make-slave /mnt/sys
sudo umount -R /mnt/sys
sudo mount --make-slave /mnt/dev
sudo umount -R /mnt/dev
sudo umount -R /mnt
And, close (lock) the encrypted partition:
sudo cryptsetup close sda4_crypt
Finally, shutdown the computer by running command:
shutdown -P now
As a shortcut, you may run the shutdown command directly after exiting the chroot, as it will automatically unmount and close the encrypted partition.
Now, restart your computer to see the magic (or break your system; it took me quite a few hours to troubleshoot).
Source: UbuntuHandbook