Friday July 2 2021

How to multi boot encrypted Windows and Ubuntu

Install windows to the drive first with nothing else on it, feel free to allow it to take up all the space and create partitions as needed.

Once this is done, don’t bother turning on bitlocker just yet, we’re going to install Ubuntu first. If you previously turned on bitlocker, you can turn it off and wait for decryption to complete, then follow along with this guide.

In the Ubuntu installer

Boot into the installer, I’m using Ubuntu 20.04 LTS at the moment, click to try Ubuntu instead of installing it directly, we’re going to drop into the command line for a little bit.

root@ubuntu:~# lsblk /dev/sda
sda      8:0    0 465.8G  0 disk 
├─sda1   8:1    0   100M  0 part 
├─sda2   8:2    0    16M  0 part 
├─sda3   8:3    0 465.2G  0 part 
└─sda4   8:4    0   505M  0 part 

Your drive layout will be similar to what is above assuming you have a somewhat modern system configured to use EFI boot. I’m not covering BIOS boot here, as even my nearly eight year old ThinkPad X230 has UEFI capabilities.

We’re going to first resize sda3, where windows is actually installed. In my case, I’m going to set it to be a little bit smaller than the final partition size, and let ntfsresize take care of expanding it in a minute ( 245G )

root@ubuntu:~# ntfsresize -s 245G /dev/sda3
ntfsresize v2017.3.23AR.3 (libntfs-3g)
Device name        : /dev/sda3
NTFS volume version: 3.1
Cluster size       : 4096 bytes
Current volume size: 499453583872 bytes (499454 MB)
Current device size: 499453585920 bytes (499454 MB)
New volume size    : 245000000000 bytes (245000 MB)
Checking filesystem consistency ...
100.00 percent completed
Accounting clusters ...
Space in use       : 56834 MB (11.4%)
Collecting resizing constraints ...
Needed relocations : 0 (0 MB)
WARNING: Every sanity check passed and only the dangerous operations left.
Make sure that important data has been backed up! Power outage or computer
crash may result major data loss!
Are you sure you want to proceed (y/[n])? y
Schedule chkdsk for NTFS consistency check at Windows boot time ...
Resetting $LogFile ... (this might take a while)
Updating $BadClust file ...
Updating $Bitmap file ...
Updating Boot record ...
Syncing device ...
Successfully resized NTFS on device '/dev/sda3'.
You can go on to shrink the device for example with Linux fdisk.
IMPORTANT: When recreating the partition, make sure that you
  1)  create it at the same disk sector (use sector as the unit!)
  2)  create it with the same partition type (usually 7, HPFS/NTFS)
  3)  do not make it smaller than the new NTFS filesystem size
  4)  set the bootable flag for the partition if it existed before
Otherwise you won't be able to access NTFS or can't boot from the disk!
If you make a mistake and don't have a partition table backup then you
can recover the partition table by TestDisk or Parted's rescue mode.

Now to use fdisk to alter the partition table from something like:

Device         Start       End   Sectors   Size Type
/dev/sda1       2048    206847    204800   100M EFI System
/dev/sda2     206848    239615     32768    16M Microsoft reserved
/dev/sda3     239616 975734900 975495285 465.2G Microsoft basic data
/dev/sda4  975736832 976771071   1034240   505M Windows recovery environment

To to something along the lines of

Device         Start       End   Sectors  Size Type
/dev/sda1       2048    206847    204800  100M EFI System
/dev/sda2     206848    239615     32768   16M Microsoft reserved
/dev/sda3     239616 524527615 524288000  250G Microsoft basic data
/dev/sda4  524527616 528721919   4194304    2G Linux filesystem
/dev/sda5  528721920 843294719 314572800  150G Linux LVM

Pay careful attention to the partition type for sda3 being “Microsoft basic data”, fdisk will usually default to a “Linux” filesystem type.

I haven’t filled the rest of the disk here with the Linux LVM partition, you are welcome to, I’m leaving some room for OpenBSD, which is optional.

Now lets go ahead and expand windows to fill that partition and clear the dirty flag that will otherwise have windows nagging us for a disk check:

root@ubuntu:~# ntfsfix -d /dev/sda3 && ntfsresize /dev/sda3 && ntfsfix -d /dev/sda3

Now lets setup Linux filesystems

Create the LUKS container:

root@ubuntu:~# cryptsetup luksFormat /dev/sda5

This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda5: 
Verify passphrase: 
root@ubuntu:~# cryptsetup luksOpen /dev/sda5 crypt
Enter passphrase for /dev/sda5: 

Now we’re going to create the physical volume, volume group, and logical volumes underneath of it:

root@ubuntu:~# lvm pvcreate /dev/mapper/crypt
  Physical volume "/dev/mapper/crypt" successfully created.
root@ubuntu:~# lvm vgcreate vg /dev/mapper/crypt
  Volume group "vg" successfully created
root@ubuntu:~# lvm lvcreate vg --name root --size 25G
  Logical volume "root" created.
root@ubuntu:~# lvm lvcreate vg --name home --size 100G
  Logical volume "home" created.
root@ubuntu:~# mkfs.xfs /dev/vg/root 
root@ubuntu:~# mkfs.xfs /dev/vg/home 

Note that you can skip the home steps above if you don’t want them to be separate filesystems. The volume group is also not full with this configuration. You are welcome to fill it if you’d like, but if it’s full you will not be able to snapshot the filesystems. ( An example script )

Start the Ubuntu install

The install process isn’t too different from the normal Ubuntu install, but we’re going to be selecting the “Something else” option:

Ubuntu installer

We’re going to select the XFS filesystem we just created to be mounted on /:

Selecting the root filesystem

Do the same thing for /home if you’ve created a home file system in the volume group.

Now we’re going to select the partition for /boot

Selecting the boot filesystem

Since we’ve not formatted the LVM filesystem, you may get a warning about it:

filesystem format warning

This you can safely ignore.

After the install

Take note of what device the encryption volume is on, in my case /dev/sda5

When Ubuntu starts for the first time it’s going to drop you to an emergency shell where you’ll have to unlock the disk and enable the volume group by hand until we fix it:

(initramfs) # cryptsetup luksOpen /dev/sda5 crypt
(initramfs) # lvm vgchange -ay
(initramfs) # exit

Now Ubuntu should continue to boot like normal. Once you’re at the desktop, pop open a terminal and edit /etc/crypttab:

crypt UUID=<UUID> none luks

Be sure to replace <UUID> with your UUID from ls -l /dev/disk/by-id | grep sda5. ( Or similar if your encryption volume is say /dev/nvme0n1p5 or so )

Now rebuild the initramfs and update grub:

root@x230:~# update-initramfs -ck all && update-grub

You should now be able to reboot like normal and get prompted for your disk password.

Turn on Bitlocker

From Windows. Once that’s done everything should work as expected. You have both an encrypted Windows and Linux install.


If you end up with windows failing to boot

Go back to your Windows installation medium, click troubleshoot, and then go to a command prompt.

From the command prompt we’re going to “mount” the EFI partition by assigning a drive letter to it, remove the old BCD file, and create a new one with the following commands:

( Everything in <> is something you’ll replace, anything after # are comments )

# This will drop us in the diskpart CLI
> diskpart
> list disk
> select disk <number>
> list part
> select part <number> # This will be the EFI partition, usually 100mb
> assign LETTER=Z
> exit
> cd /d Z:\EFI\Microsoft\Boot
> del BCD
> bcdboot C:\Windows /l en-us /s Z: /f ALL