Installing Ubuntu Server With Disk Encryption Support
To ensure a maximum degree of data protection and privacy, it is recommended to install Ubuntu Server with disk encryption support provided by LVM/LUKS.
- LVM = Logical Volume Manager - a device mapper framework that provides logical volume management for the Linux kernel.
- LUKS = Linux Unified Key Setup - a disk encryption specification used for Linux.
To achieve this, please initiate the Ubuntu Server installation in its normal way, then follow the instructions below.
Guided Storage Configuration step
- In the Guided Storage Configuration step, check Set up this disk as an LVM group and Encrypt the LVM group with LUKS boxes
- Input twice the desired passphrase necessary for encryption
- You will need to enter this passphrase after each reboot of the Ubuntu Server, so be sure to either remember it, or to have it written in a non-public secure place.
- Press Continue when ready to move on
Storage Configuration step
- In the Storage Configuration step, use the up/down arrow keys on your keyboard to select the Logical Volume under the USED DEVICES section.
- Hint: this is usually labeled as ubuntu-lv and has a default size of 4GB
- Press Enter to edit the selection.
- In the Edit Logical Volume dialog, under the Size field, enter the desired value (it is recommended to use the maximum size available)
- Press Save when done to return to the Storage Configuration step
- In the Storage Configuration step, confirm that the size of the Logical Volume has the desired capacity, which should be at least 30GB
Installation completion and updates
- Proceed with the rest of the Ubuntu installation
- If the installation mentions downloading security updates, DO NOT CANCEL THE UPDATES. Wait until thew installer finishes with updates too.
- Eventually it will finish and it will prompt you to reboot the server.
Rebooting the server after installation
- After restarting, you will be prompted to unlock the volume group. Enter the passphrase that you have defined earlier in the process.
- After the server finished booting up, check that the disk is encrypted via the lsblk command. If the output looks like below, your disk is encrypted, the encrypted partition has a size of 126GB, and it is mounted under the / mountpoint.
user@server:~$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT ..... sda 8:0 0 127G 0 disk ├─sda1 8:1 0 1M 0 part ├─sda2 8:2 0 1G 0 part /boot └─sda3 8:3 0 126G 0 part └─dm_crypt-0 253:0 0 126G 0 crypt └─ubuntu--vg-ubuntu--lv 253:1 0 126G 0 lvm /
Your Ubuntu Server is now ready.