Use Disk Encryption with Pop_OS! and Custom Partitioning
As of Pop!_OS 22.04 LTS, there is no option to set up disk encryption when using custom partitioning during the
installation process. You have to choose between using the entire disk with encryption or using custom partitioning
without encryption. This is unfortunate since disk encryption is important and custom partitioning allows for advanced
setups like dual booting, separate /home
partitions, or installations that span multiple disks. With a few command
line tools, it’s possible to install Pop_OS! with disk encryption and custom partitioning.
The goal of this guide is to set up a LUKS-encrypted partition that contains an LVM volume. You can install Pop_OS! into that existing LVM volume. All of this can be done within Pop_OS! when booted from the installation medium. Check out my post about encrypting a USB drive with LUKS for more details about how to use LUKS encryption. Please make sure you have a backup of your files before doing any of this since there is no recovery of lost data.
First, create an empty partition that you want to use for the Pop_OS! installation. In the following examples,
that will be /dev/sdx
. You can perform the partitioning with GParted and check the partitions with sudo fdisk -l
.
Next, format the partition with LUKS, open it (I use crypt_sdx
as the mapping name), and initialize it for use by
LVM. During these steps, you will be asked to set the disk encryption password – use a strong one and memorize it well!
sudo cryptsetup luksFormat --type luks2 /dev/sdx
sudo cryptsetup luksOpen /dev/sdx crypt_sdx
sudo pvcreate /dev/mapper/crypt_sdx
List all LVM physical volumes with pvs
and check that it got created correctly:
$ sudo pvs
PV VG Fmt Attr PSize PFree
/dev/mapper/crypt_sdx lvm2 --- 240.00g 240.00g
Create a new LVM volume group (which I call vge01
):
sudo vgcreate vge01 /dev/mapper/crypt_sdx
List all LVM volume groups with vgdisplay
(you can also use vgs
for a shorter output) and check that it got
created correctly:
$ sudo vgdisplay
--- Volume group ---
VG Name vge01
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 1
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 0
Open LV 0
Max PV 0
Cur PV 1
Act PV 1
VG Size 240.00 GiB
PE Size 4.00 MiB
Total PE 61488
Alloc PE / Size 0 / 0
Free PE / Size 61488 / 240.00 GiB
VG UUID XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXXXX
Last step is to create the logical volume (which I call lv00
). The size has to be specified with the -L
option
which is 240 GB for this case (see “VG Size” above).
sudo lvcreate -n lv00 -L 240G vge01
List all logical volumes with lvs
and check that it got created correctly:
$ sudo lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
lv00 vge01 -wi-a----- 240.00g
Now you’re ready for the installation of Pop_OS! (see official installation guide).
In the installation wizard, select Custom (Advanced)
for partitioning. Select the /dev/sdx
partition from earlier
and it will ask you for the encryption password. Select the logical volume within the encrypted partition as the
destination for the OS installation. Finish the installation as usual.
You’re done! Pop_OS! will ask you for your disk password on every boot.
Once booted, you can see with mount
that the mapped encrypted volume /dev/mapper/vge01-lv00
is mounted, rather than
the /dev/sdx
partition directly:
/dev/mapper/vge01-lv00 on / type ext4 (rw,noatime,errors=remount-ro)
I hope that Pop!_OS will add the capability to enable disk encryption with custom partioning to their installation wizard in the future.