Ubuntu full-disk encrypted, alongside MacOSX

If you, like me, prefer to use Ubuntu on any hardware you use, and want it completely encrypted, this is for you.

These are instructions on how to install Ubuntu 14.04 or later with full disk encryption, alongside MacOSX on a MacBook Pro.

This has been specifically tested on a MacBook Pro 10,1 (mid 2012) with the following OS combinations:

  • Ubuntu GNOME 15.10 (Wily), alongside OSX 10.11 (El Capitan)
  • Ubuntu 14.10 (Utopic), alongside OSX 10.10 (Yosemite)
  • Ubuntu 14.10 (Utopic), alongside OSX 10.9 (Mavericks)
  • Ubuntu 14.04 LTS (Trusty), alongside OSX 10.10 (Yosemite)
  • Ubuntu 14.04 LTS (Trusty), alongside OSX 10.9 (Mavericks)

It should work the same on many more Apple computers and OS versions.

With much help from this: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1237556

Preparations in OSX

Boot up your existing OSX and run Disk Utility.

Resize your existing OSX partition to make room for Ubuntu. Leave as much space as you want for Ubuntu, including your RAM size for swap. Remember that OSX counts gigabytes the way hard drive manufacturers do, and I and Ubuntu count the way computers do :) So make up to 10 % more room than it looks like you’ll get, to be on the safe side.

Encrypt OSX (recommended)

If you want your shrunken OSX partition encrypted too, do that now with File Vault in System Preferences. If you try it after having installed Ubuntu alongside, File Vault will probably not let you. Let it finish encrypting and optimizing. Then reboot to check that everything is in order so far.

Create bootable USB

Create an Ubuntu install USB using a 64-bit image of your choice. Official instructions: How to create a bootable USB stick on OS X. Most Ubuntu images can be downloaded from cdimage.ubuntu.com. I prefer the latest release of Ubuntu GNOME.

Preparations in Ubuntu

Boot up the Ubuntu install USB.

Start gparted and create one small partition with ext4 labelled /boot. Create another large one, for encryption.

Let's say the boot partition happens to be /dev/sda4 and the large encryption partition is /dev/sda5.

In a terminal, issue these commands:

Install

Start the installer.

When it asks about erasing installations, installing alongside, or something else, choose “Something else”.

Use /dev/sda4 for /boot, the encrypted LV-root for /, and the encrypted LV-swap for swap.

When the installation is finished, DO NOT CLICK Continue, and DO NOT CLICK Reboot!

Fix boot

cryptsetup

In a terminal, issue these commands:

You should see that cryptsetup is indeed included in the initrd image you just built.
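A second check worth running before leaving the chroot, as an added example that is not part of the original post: it confirms that the crypttab file holds exactly one entry for the LUKS partition, with `none` as the key field (passphrase prompted at boot) and the `luks` option. The helper name `check_crypttab`, the sample UUID and the temporary file are constructed for illustration; the mapping name `the_encrypted_stuff` is the one used in this guide's crypttab line.

```bash
#!/usr/bin/env bash
# Added example: validate a crypttab file against the UUID of the LUKS partition.
# check_crypttab is a hypothetical helper; it only reads the file it is given.

# Usage: check_crypttab FILE LUKS_UUID
# Returns 0 when exactly one entry maps UUID=LUKS_UUID with key "none" and
# option "luks"; 1 on a bad or missing entry; 2 if FILE cannot be read.
check_crypttab() {
    local file=$1 want_uuid=$2 matches=0
    local name source key opts rest
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # "|| [ -n ... ]" also handles a last line without a trailing newline.
    while read -r name source key opts rest || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # An unreplaced "UUID=..." placeholder or a wrong UUID never matches.
        [ "$source" = "UUID=$want_uuid" ] || continue
        if [ "$key" != "none" ]; then
            echo "$name: key field is '$key', expected 'none'" >&2
            return 1
        fi
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$name: option 'luks' missing" >&2; return 1 ;;
        esac
        matches=$((matches + 1))
    done < "$file"
    if [ "$matches" -ne 1 ]; then
        echo "expected 1 entry for UUID=$want_uuid, found $matches" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the crypttab line from this guide with a made-up UUID.
sample_uuid=0f3c9a52-1111-2222-3333-444455556666
sample=$(mktemp)
echo "the_encrypted_stuff UUID=$sample_uuid none luks" > "$sample"
check_crypttab "$sample" "$sample_uuid" && echo "crypttab OK"
rm -f "$sample"
```

Inside the chroot, the real call would be `check_crypttab /etc/crypttab "$(blkid -s UUID -o value /dev/sda5)"`, with your own partition in place of /dev/sda5.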

Leave the chroot:

refind

To enable dual-boot, you can install refind:

This should get your hard drive (SSD?!) set up for letting you choose an operating system on boot.

Done!

Go ahead; reboot and enjoy!

You might want to check out my ubuntu-install-scripts to get off to a running start, once you’re inside your new Ubuntu installation.

14 Comments

  1. Mark

    Awesome post Hugo, massively valuable!

  2. Kevin

    Your guide looks comprehensive and I’m anxious to try it out but I was thwarted at the first step, preparing OSX. My installation uses LVM it seems so disk utility is not capable of resizing it for me.

    Do you have an alternative suggestion?

    Thanks

    • Hi Kevin!

      I have found that the only way I can make this work reliably, is to start with a disk with only OSX installed. So no Ubuntu partition or anything else.

      Try backing up all your data, then reinstall OSX by completely wiping the disk (all partitions!), then installing OSX on the entire disk with default options. Then you should be able to follow this guide.

      Hope this helps.

      Thanks,
      Hugo

  3. niko

    hi hugo,

    thanks for the comprehensive guide, i’m just having one problem — after following the whole process and booting linux for the first time, i’m not asked to set an encryption password but instead presented with the normal password prompt. i have double-checked my crypttab file and it has the “none” parameter as third field. using mint instead of ubuntu, might that play a role?

    any ideas on how to fix this? if i were to generate a key through the live usb, how would i do that and where would i put it?

    thanks
    niko

    • Hi Niko!

      Thank you for trying this out!

      By “booting linux for the first time, i’m not asked to set an encryption password”, I think you mean you are not asked the encryption password you set earlier in the installation process(?)

      I’m not exactly sure what the issue is, but it is worth noting that “none” in /etc/crypttab is completely expected. See http://linux.die.net/man/5/crypttab :

      “The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password.”

      If I were you, I would try to do the complete installation process using one of the exact versions I have tried, especially Ubuntu GNOME 15.10, just to make sure the issue is not with any difference between the variant / version you are using: http://cdimage.ubuntu.com/ubuntu-gnome/releases/15.10/release/

      On the question of creating a key, I’m not sure what you are asking for. Keep in mind that it’s one of the sudo cryptsetup commands I have listed, which will ask you to create a passphrase for the encryption. That passphrase is what you will be asked when booting the OS after completing all instructions.

      Hope this helps!

      Thanks,
      Hugo

  4. Carla

    Hi Hugo,
    After the two first commands with cryptsetup I have the warning “Device /dev/sda5 is not a Luks Device”

    Is that a dependency with some libraries?

    Thanks for your help 😊

    • Hi Carla,

      I just tried this with Ubuntu GNOME 16.04 in a virtual machine, and did not get a warning.

      Are you sure the luksFormat command was used on the correct partition, and that it succeeded before you continued with luksOpen? The first command should make the partition into a Luks device. If the partition is not /dev/sda5, you should not use /dev/sda5, but instead the correct partition number that you can see in gparted when you partition the disk.

      Hope this helps!

      /Hugo

  5. Ben

    The command:

    for i in /dev /dev/pts /proc /sys /run; do sudo mount -B $i /target$i; done

    gives me the response:

    mount: mount point /target/dev does not exist
    mount: mount point /target/dev/pts does not exist
    mount: mount point /target/proc does not exist
    mount: mount point /target/sys does not exist
    mount: mount point /target/run does not exist

    I had faithfully followed your guide with no problems up to that point, but cannot progress :(

    • Hi Ben,

      Thanks for your feedback!

      What specific version and variant of Ubuntu are you installing?

      Unfortunately, the only reasons I can see for getting that error message are either:

      1. Using a version or variant of Ubuntu which behaves differently than the ones I have tried; or
      2. Accidentally clicking Continue in the previous step which said not to click Continue.

      Best regards,
      Hugo

  6. Martin

    Just ran through this guide to install ubuntu 16.04 LTS on my macbook, very useful.
    One small issue I had concerned this line
    echo the_encrypted_stuff UUID=... none luks &gt; /etc/crypttab # Using the UUID from above instead of ...

    &gt; should be >

  7. Ryo Onodera

    Hi! Thanks for the great tutorial! Certainly this is a missing piece for Ubuntu installer. I’ve reached your article via googling.

    After some research, I’ve also found the corresponding ubiquity’s bug: https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1514120

    I’ve cross-posted there too mentioning this article!

    Hope, this is officially supported..

  8. Tobias

    Hi all,

    will I crash this setup after an upgrade from 16.10 to future 17.04 ?
    ATM I am running it on a MacbookAir 2016.

    Thanks for the nice tutorial.

  9. Harry

    Hi Hugo,

    This is a very helpful guide. I’m going to give it a try. One question:
    After making a 250GB partition (Mac journaled) named ‘Ubuntu’ in Mac OS Disk Utility, then booting from the USB and using GParted, the ‘Ubuntu’ partition is shown. Could you clarify how/where to create the small ext4 ‘/boot’ and large encrypted partition, as there is no unallocated space and the ‘Ubuntu’ partition doesn’t seem to be able to be partitioned again into the /boot and large partition.

    Thank you

    Harry
