Installing Ubuntu Server With Disk Encryption Support
To ensure a maximum degree of data protection and privacy, it is recommended to install Ubuntu Server with disk encryption support provided by LVM/LUKS.
- LVM = Logical Volume Manager - a device mapper framework that provides logical volume management for the Linux kernel.
- LUKS = Linux Unified Key Setup - a disk encryption specification used for Linux.
To achieve this, start the Ubuntu Server installation as usual, then follow the instructions below.
Guided Storage Configuration step
- In the Guided Storage Configuration step, check the boxes "Set up this disk as an LVM group" and "Encrypt the LVM group with LUKS"
- Enter the desired encryption passphrase twice
- You will need to enter this passphrase after each reboot of the Ubuntu Server, so be sure to either remember it or keep it written down in a secure, non-public place.
- Press Continue when ready to move on
Storage Configuration step
- In the Storage Configuration step, use the up/down arrow keys on your keyboard to select the Logical Volume under the USED DEVICES section.
- Hint: this is usually labeled as ubuntu-lv and has a default size of 4GB
- Press Enter to edit the selection.
- In the Edit Logical Volume dialog, under the Size field, enter the desired value (it is recommended to use the maximum size available)
- Press Save when done to return to the Storage Configuration step
- In the Storage Configuration step, confirm that the size of the Logical Volume has the desired capacity, which should be at least 30GB
Installation completion and updates
- Proceed with the rest of the Ubuntu installation
- If the installation mentions downloading security updates, DO NOT CANCEL THE UPDATES. Wait until the installer finishes with the updates too.
- Eventually it will finish and it will prompt you to reboot the server.
Rebooting the server after installation
- After restarting, you will be prompted to unlock the volume group. Enter the passphrase that you defined earlier in the process.
- After the server has finished booting, check that the disk is encrypted with the lsblk command. If the output looks like the one below, your disk is encrypted: the encrypted partition has a size of 126GB, and it is mounted under the / mountpoint.
user@server:~$ lsblk
NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
.....
sda                           8:0    0  127G  0 disk
├─sda1                        8:1    0    1M  0 part
├─sda2                        8:2    0    1G  0 part  /boot
└─sda3                        8:3    0  126G  0 part
  └─dm_crypt-0              253:0    0  126G  0 crypt
    └─ubuntu--vg-ubuntu--lv 253:1    0  126G  0 lvm   /
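A scripted version of the lsblk check above, as an added example that is not part of the original guide: it reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and reports, for each mountpoint, whether a `crypt` device sits beneath it. The sample input is constructed to mirror the layout shown above (the kernel names `dm-0` and `dm-1` and the function names are assumptions); as in that output, /boot is reported as plaintext because sda2 lies outside the LUKS container.

```shell
# Added example (not from the original guide): report which mountpoints sit
# on a dm-crypt (LUKS) device. Live use:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | classify_mounts

# Constructed sample mirroring the layout above (dm-0/dm-1 names assumed).
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}

# Reads lsblk key="value" pairs on stdin; prints "encrypted <mnt>" when any
# ancestor device has TYPE crypt, otherwise "plaintext <mnt>". Assumes one
# parent per device (single-disk layout) and mountpoints without spaces.
classify_mounts() {
    awk '
    {
        split("", f)                            # reset per-line fields
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            f[substr($i, 1, eq - 1)] = val
        }
        parent[f["KNAME"]] = f["PKNAME"]
        type[f["KNAME"]] = f["TYPE"]
        if (f["MOUNTPOINT"] != "") mount[f["KNAME"]] = f["MOUNTPOINT"]
    }
    END {
        for (k in mount) {
            state = "plaintext"
            for (d = k; d != ""; d = parent[d])  # walk up to the disk
                if (type[d] == "crypt") { state = "encrypted"; break }
            print state, mount[k]
        }
    }' | sort
}

# Succeeds only if the root filesystem is backed by a crypt device.
root_is_encrypted() { classify_mounts | grep -qx 'encrypted /'; }

sample_lsblk | classify_mounts
```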
Your Ubuntu Server is now ready.