Ubuntu full-disk encrypted, alongside MacOSX

If you, like me, prefer to use Ubuntu on any hardware you use, and want it completely encrypted, this is for you.

These are instructions on how to install Ubuntu 14.04 or later with full disk encryption, alongside MacOSX on a MacBook Pro.

This has been specifically tested on a MacBook Pro 10,1 (mid 2012) with the following OS combinations:

  • Ubuntu GNOME 15.10 (Wily), alongside OSX 10.11 (El Capitan)
  • Ubuntu 14.10 (Utopic), alongside OSX 10.10 (Yosemite)
  • Ubuntu 14.10 (Utopic), alongside OSX 10.9 (Mavericks)
  • Ubuntu 14.04 LTS (Trusty), alongside OSX 10.10 (Yosemite)
  • Ubuntu 14.04 LTS (Trusty), alongside OSX 10.9 (Mavericks)

It should work the same on many more Apple computers and OS versions.

With much help from this: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1237556

Preparations in OSX

Boot up your existing OSX and run Disk Utility.

Resize your existing OSX partition to make room for Ubuntu. Leave as much space as you want for Ubuntu, including your RAM size for swap. Remember that OSX counts gigabytes the way hard drive manufacturers do, and I and Ubuntu count the way computers do :) So make up to 10 % more room than it looks like you’ll get, to be on the safe side.

Encrypt OSX (recommended)

If you want your shrunken OSX partition encrypted too, do that now with File Vault in System Preferences. If you try it after having installed Ubuntu alongside, File Vault will probably not let you. Let it finish encrypting and optimizing. Then reboot to check that everything is in order so far.

Create bootable USB

Create an Ubuntu install USB using a 64bit image of your choice. Official instructions: How to create a bootable USB stick on OS X. Most Ubuntu images can be downloaded from cdimage.ubuntu.com. I prefer the latest release of Ubuntu GNOME.

Preparations in Ubuntu

Boot up the Ubuntu install USB.

Start gparted and create one small partition with ext4 labelled /boot. Create another large one, for encryption.

Lets say the boot partition happens to be /dev/sda4 and the large encryption partition is /dev/sda5.

In a terminal, issue these commands:

sudo cryptsetup luksFormat /dev/sda5
sudo cryptsetup luksOpen /dev/sda5 the_encrypted_stuff

sudo pvcreate /dev/mapper/the_encrypted_stuff
sudo vgcreate VG-encrypted /dev/mapper/the_encrypted_stuff

sudo lvcreate --name LV-swap --size 16G VG-encrypted # Or however much RAM you have

sudo vgdisplay VG-encrypted # Take note of available number of free extents
sudo lvcreate --name LV-root --extents ... VG-encrypted # Using number of free extents instead of ...


Start the installer.

When it asks about erasing installations, installing alongside, or something else, choose “Something else”.

Use /dev/sda4 for /boot, the encrypted LV-root for /, and the encrypted LV-swap for swap.

When the installation is finished, DO NOT CLICK Continue, and DO NOT CLICK Reboot!

Fix boot


In a terminal, issue these commands:

sudo blkid | grep ^/dev/sda5 # Take note of the UUID="..." string

for i in /dev /dev/pts /proc /sys /run; do sudo mount -B $i /target$i; done
sudo chroot /target

echo the_encrypted_stuff UUID=... none luks > /etc/crypttab # Using the UUID from above instead of ...
update-initramfs -u -k all
lsinitramfs /boot/initrd* | grep cryptsetup

You should see that cryptsetup is indeed included in the initrd image you just built.

Leave the chroot:



To enable dual-boot, you can install refind:

sudo apt-add-repository ppa:rodsmith/refind
sudo apt-get update
sudo apt-get install -y efibootmgr refind

This should get your hard drive (SSD?!) set up for letting you choose operating system on boot.


Go ahead; reboot and enjoy!

You might want to check out my ubuntu-install-scripts to get off to a running start, once you’re inside your new Ubuntu installation.

This Post Has 21 Comments

  1. Mark

    Awesome post Hugo, massively valuable!

  2. Kevin

    Your guide looks comprehensive and I’m anxious to try it out but I was thwarted at the first step, preparing OSX. My installation uses LVM it seems so disk utility is not capable or resizing it for me.

    Do you have an alternative suggestion?


    1. Hugo Josefson

      Hi Kevin!

      I have found that the only way I can make this work reliably, is to start with a disk with only OSX installed. So no Ubuntu partition or anything else.

      Try backing up all your data, then reinstall OSX by completely wiping the disk (all partitions!), then installing OSX on the entire disk with default options. Then you should be able to follow this guide.

      Hope this helps.


  3. niko

    hi hugo,

    thanks for the comprehensive guide, i’m just having one problem — after following the whole process and booting linux for the first time, i’m not asked to set an encryption password but instead presented with the normal password prompt. i have double-checked my crypttab file and it has the “none” parameter as third field. using mint instead of ubuntu, might that play a role?

    any ideas on how to fix this? if i were to generate a key through the live usb, how would i do that and where would i put it?


    1. Hugo Josefson

      Hi Niko!

      Thank you for trying this out!

      By “booting linux for the first time, i’m not asked to set an encryption password”, I think you mean you are not asked the encryption password you set earlier in the installation process(?)

      I’m not exactly sure what the issue is, but worth to note is that “none” in /etc/crypttab is completely expected. See http://linux.die.net/man/5/crypttab :

      “The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password.”

      If I were you, I would try to do the complete installation process using one of the exact versions I have tried, especially Ubuntu GNOME 15.10, just to make sure the issue is not with any difference between the variant / version you are using: http://cdimage.ubuntu.com/ubuntu-gnome/releases/15.10/release/

      On the question of creating a key, I’m not sure what you are asking for. Keep in mind that it’s one of the sudo cryptsetup commands I have listed, which will ask you to create a passphrase for the encryption. That passphrase is what you will be asked when booting the OS after completing all instructions.

      Hope this helps!


  4. Carla

    Hi Hugo,
    After the two first commands with cryptsetup I have the warning “Device /dev/sda5 is not a Luks Device”

    Is that a dependency with some libraries?

    Thanks for your helpūüėä

    1. Hugo Josefson

      Hi Carla,

      I just tried this with Ubuntu GNOME 16.04 in a virtual machine, and did not get a warning.

      Are you sure the luksFormat command was used on the correct partition, and that it succeeded before you continued with luksOpen? The first command should make the partition into a Luks device. If the partition is not /dev/sda5, you should not use /dev/sda5, but instead the correct partition number that you can see in gparted when you partition the disk.

      Hope this helps!


  5. Ben

    The command:

    for i in /dev /dev/pts /proc /sys /run; do sudo mount -B $i /target$i; done

    gives me the response:

    mount: mount point /target/dev does not exist
    mount: mount point /target/dev/pts does not exist
    mount: mount point /target/proc does not exist
    mount: mount point /target/sys does not exist
    mount: mount point /target/run does not exist

    I had faithfully followed your guide with no problems up to that point, but cannot progress :(

    1. Hugo Josefson

      Hi Ben,

      Thanks for your feedback!

      What specific version and variant of Ubuntu are you installing?

      Unfortunately, the only reasons I can see for getting that error message are either:

      1. Using a version or variant of Ubuntu which behaves differently than the ones I have tried; or
      2. Accidentally clicking Continue in the previous step which said not to click Continue.

      Best regards,

  6. Martin

    Just ran through this guide to install ubuntu 16.04 LTS on my macbook, very useful.
    One small issue I had concerned this line
    echo the_encrypted_stuff UUID=... none luks > /etc/crypttab # Using the UUID from above instead of ...

    > should be >

    1. Hugo Josefson

      Hi Martin,

      Thanks for catching that!

      I fixed it now :)


  7. Ryo Onodera

    Hi! Thanks for great tutorial! Certainly this is a missing piece for Ubuntu installer. I’ve reached your article via googling.

    After some research, I’ve also found the corresponding ubiquity’s bug: https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1514120

    I’ve cross-posted there too mentioning this article!

    Hope, this is officially supported..

  8. Tobias

    Hi all,

    will I crash this setup after a upgrade from 16.10 to future 17.04 ?
    ATM I am running it on a MacbookAir 2016.

    Thanks for the nice tutorial.

  9. Harry

    Hi Hugo,

    This is a very helpful guide. I’m going to give it a try. One question:
    After making a 250GB partition (Mac journaled) named ‘Ubuntu’ in Mac OS Disk Utility, then booting from the USB and using GParted, the ‘Ubuntu’ partition is shown. Could you clarify how/where to create the small ext4 ‘/boot’ and large encrypted partition, as there is no unallocated space and the ‘Ubuntu’ partition doesn’t seem to be able to partitioned again into the /boot and large partition.

    Thank you


  10. Anonymous

    Just tried this with High Sierra and the new Apple File System alongside Ubuntu 16.04.3 and it works well – with the most recent version of Refind.

  11. Anon

    Just did this with Kubuntu 18.04 and it still works a treat! Thank you so much!

    Just to add that instead of heeding the advice “When the installation is finished, DO NOT CLICK Continue, and DO NOT CLICK Reboot!”, I went ahead and clicked “Continue trying Kubuntu” (or something towards that end), which meant that the final section indeed did not work and I had to start from scratch, reinstalling MacOS from apple’s Recovery Mode.

    I also think you now need to disable SIP (System Integrity Protection) before running rEFInd, by going into Recovery Mode and then at the terminal running:
    csrutil disable

    Thank you so much!

  12. AG

    This was so incredibly helpful. Thank you so much for this writeup. I’ll be glad to send you a small donation if y’all take that sort of thing. :-)

    1. Hugo Josefson

      Hey Aaron! Donations are… not really why we set up this blog :) But thanks for the vote of confidence! Glad this could be of some help to you. Other things we do are here, if you’re interested: https://www.jayway.com/whatwedo

  13. Studley

    November 2020

    Confirmed working with:
    MacBook Pro 15 Late 2013
    OSX Catalina on encrypted APFS
    Ubuntu 12.10
    Refind 11.5

    Thanks heaps for the guide!

    1. Jeremy

      Why would you need Ubuntu 12.10 lol

  14. Jeremy

    Does this work with Ubuntu 20.04? ……….?

Leave a Reply