Set up an encrypted disk for use with UEFI and Ubuntu

Submitted by olaf on 2018-04-22

Current systems may boot with UEFI enabled instead of legacy BIOS mode. Most of the setup information is taken from Arch Linux - EFI System Partition.

Preparing the disk for such a system is straightforward. You still need an unencrypted /boot partition, and another partition containing the encrypted LVM.

UEFI needs one more partition to boot: the EFI system partition, where the boot loader is stored. All this is stored on a disk with a GUID Partition Table (GPT); the old-style BIOS MBR isn't used anymore.

To do this, you create an EFI system partition of about 256 MiB. This is the recommended minimum size, even though only a few hundred KiB are used. Next you create a Linux /boot partition, and finally allocate the remaining space for the encrypted LVM.

You can see the result with

fdisk -l /dev/sdc

which gives

Disk /dev/sdc: 931,5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E30A04A3-8EB5-4AF4-BCBE-D5711DC7D787

Device       Start        End    Sectors   Size Type
/dev/sdc1     2048     526335     524288   256M EFI System
/dev/sdc2   526336    1574911    1048576   512M Linux filesystem
/dev/sdc3  1574912 1953525134 1951950223 930,8G Linux LVM
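An added example, not from the original post: a small shell function that checks `fdisk -l` output against the layout described above (GPT label, one EFI System partition of at least 256 MiB, one plain /boot partition, one Linux LVM partition). The function names `check_uefi_layout` and `sample_fdisk_output` are hypothetical; fdisk reports partition types only, so this cannot confirm that the LVM partition is actually encrypted.

```shell
# Added example: checks `fdisk -l` output against the layout described above.
# Real use (as root): LC_ALL=C fdisk -l /dev/sdc | check_uefi_layout
check_uefi_layout() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^Sector size/     { ssize = $4 }    # logical sector size in bytes
    /^Disklabel type:/ { label = $3 }
    /^\/dev\// {
        # Columns: Device Start End Sectors Size Type. Size is locale-formatted
        # ("930,8G"), so the byte count is computed from the Sectors column.
        ptype = $6; for (i = 7; i <= NF; i++) ptype = ptype " " $i
        if (ptype == "EFI System") { esp++; if ($4 * ssize < 256 * 1024 * 1024) fail($1 ": ESP is smaller than 256 MiB") }
        else if (ptype == "Linux filesystem") { plain++ }
        else if (ptype == "Linux LVM") { lvm++ }
        else { fail($1 ": unexpected partition type \"" ptype "\"") }
    }
    END {
        if (label != "gpt") fail("disklabel is \"" label "\", expected gpt")
        if (esp != 1)   fail("expected exactly one EFI System partition")
        if (plain != 1) fail("expected exactly one plain Linux partition (/boot)")  # only ESP and /boot stay unencrypted
        if (lvm != 1)   fail("expected exactly one Linux LVM partition")
        if (!bad) print "OK: layout matches ESP + /boot + LVM on GPT"
        exit bad + 0
    }'
}

# The fdisk output shown in the article, embedded so the check runs offline.
sample_fdisk_output() {
    cat <<'EOF'
Disk /dev/sdc: 931,5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E30A04A3-8EB5-4AF4-BCBE-D5711DC7D787

Device       Start        End    Sectors   Size Type
/dev/sdc1     2048     526335     524288   256M EFI System
/dev/sdc2   526336    1574911    1048576   512M Linux filesystem
/dev/sdc3  1574912 1953525134 1951950223 930,8G Linux LVM
EOF
}

sample_fdisk_output | check_uefi_layout
```

The function returns a non-zero status when any check fails, so it can gate the later formatting and cryptsetup steps in a script.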

The EFI partition will be formatted with FAT32

mkfs.fat -F32 /dev/sdc1

and mounted at /boot/efi.

The /boot partition is formatted as ext2 or whatever file system you prefer. The last partition is encrypted with cryptsetup and becomes the base for the main volume group. This is already described in Install Ubuntu with encrypted LVM and multiple logical volumes.

The main difference from a legacy BIOS booting system is the package grub-efi instead of grub-pc:

apt-get install grub-efi linux-image-generic

This takes care of all the EFI stuff. Installing Grub is done with

grub-install --target=x86_64-efi /dev/sdc

and the initial Grub menu is created with

grub-mkconfig -o /boot/grub/grub.cfg

That’s it for the EFI part. To be of any use, you need to install a Linux system, of course.
