Ubuntu 24.04 LTS, code name “Noble Numbat”, was released just 3 weeks ago. The new installer doesn’t make it obvious, but you can have an encrypted install without erasing / using the entire disk. Here’s how to do it.

1. Acquire installation media

  • Download the official ISO image;
  • Make sure its sha256sum matches the expected hash (81fae9cc21e2b1e3a9a4526c7dad3131b668e346c580702235ad4d02645d9455 for 24.04);
  • Flash the image on a USB stick;

2. Prepare the target system

  • Back up your data;
  • Boot your computer from the live USB;
  • Close the installer in order to see the system’s desktop;
  • Delete or shrink existing partitions in order to make space for Ubuntu:
  • Consider using a secure erasing process in case your drive wasn’t encrypted before;
  • If there’s any disk space you DON’T WANT Ubuntu to occupy, just make sure the installer doesn’t see it as free space by creating dummy partitions there;

Partition layout

Based on my VM tests, here’s how the automated installer lays out partitions:

  • If an ESP partition already exists, it will be used by Ubuntu as well;
  • Otherwise, a new one is created in the first sector range of the disk with enough free space for it (default size appears to be 1075 MiB);
  • Then, it chooses another disk chunk to set up a boot partition and a root partition:
    • I’m not sure whether it uses the first free range which can fit the OS, or the biggest such range that it can find;
    • Either way, the two partitions are laid out one after the other; where the first 1792 MiB are used by the boot partition and everything else is given to the root partition.

In my case, I’ve carved out the first 4 GiB and the last 10 GiB as free space. The remaining disk space between those was reserved by two partitions which I’ll use to install Arch afterwards.

3. Guided encrypted install

  • Re-open the installer and follow the wizard until you get to the disk setup page:
ubuntu-install-simple
The new installer doesn’t make it obvious, but you can have an encrypted install without erasing the entire disk.
  • Toggle the “Erase disk” option, just for now;
  • Go to the “Advanced features” menu and select “Use LVM and encryption”;
ubuntu-advanced-options
This tells the installer to encrypt the root partition using LVM on top of LUKS.
  • If you don’t want to erase the entire disk, make sure to toggle the “Install Ubuntu alongside other partitions” option before continuing;
ubuntu-install-encrypted
Can you see the difference between this screenshot and the first one?
  • If encryption was indeed enabled, you’ll be prompted for a password in the next page:
ubuntu-passphrase
Password prompt for LUKS encryption.
  • Keep following the install wizard until it asks you to review your choices;
ubuntu-install-summary
Notice that LUKS disk encryption is enabled.
  • After confirming that everything is as expected, let the installer do its thing;
ubuntu-partition-layout
Disk layout after the installer is done. All three ext2 partitions were created to reserve that disk space for another OS.

4. Reboot

  • When rebooting into your fresh Ubuntu installation (and on every boot from now on), you’ll be asked for the encryption password used during installation:
ubuntu-boot-encrypted
Here’s how it looks like when booting in a VirtualBox VM.

Appendix - How to fix installation failure on a VM with low memory

If the installation doesn’t finish successfully (and you’re testing it in a VM):

  1. Take a look at this bug report
  2. Increase the amount of memory assigned to the VM
    • (I got this error when using 4 GiB, but 8 GiB worked fine)

You may also enjoy