Root partition encryption documentation

I have documented the steps I have recently taken to encrypt the existing root EXT4 partition of my Ubuntu 19.10. I hope it can be helpful to other newcomers. Improvements suggestions are welcome. Should I add it to some wiki/git repository?


  • You have a EFI system partition mounted at /boot/efi and a partition mounted at / (root partition) and want to encrypt the latter preserving the existing data.
  • The root filesystem type is EXT3/EXT4.

I used Ubuntu 19.10 and therefore the instructions are focused on it. If you are using a different distribution, maybe you’ll have to tweak some commands.

First, Linux has multiple disk encryption solutions. Two of the most popular ones nowadays are dm-crypt with LUKS and ecryptfs. dm-crypt provides “block” level encryption. With it, the Linux kernel creates an entire encrypted block device, which can then be used like any other block device in the system. LUKS is a disk encryption specification which is widely used in Linux together with dm-crypt. On the other hand, eCryptfs provides “per-file” encryption. It stores encryption metadata in the header of each file and there is no need to keep track of any additional information aside from that. Since eCryptfs has to process keys and metadata on a per-file basis, usually dm-crypt is faster than ecryptfs and that’s why I have chosen to use it.

Second, there is no way to encrypt a mounted partition in Linux and you cannot unmount the root partition from which you booted, so you’ll have to boot from a live USB. Steps:

  • Download the ISO of the latest version of your favorite Linux distribution (I chose Ubuntu 19.10).
  • Build a live USB with the ISO (in Ubuntu 19.10, you can install usb-creator-gtk and use the Startup Disk Creator graphic application).
  • Reboot your workstation, set the USB device to boot before the hard disk in your BIOS and boot in the live USB.

Write down the number of the EFI system partition. If you don’t know the partition number, check it with the “fdisk -l” command and look for the partition with type “EFI system” and approximately 260 MB.

Write down the number and the UUID of the root partition. If you don’t know the partition number, check it with the “fdisk -l” command. If you don’t know the partition UUID, check it with the “blkid” command.

During encryption, a LUKS encryption header is added at the beginning of the device. Since an existing filesystem will usually use the entire partition, you must shrink it to make space for the LUKS header. Furthermore, resize2fs, the tool used to resize EXT2/EXT3/EXT4 filesystems, requires the filesystem to be checked before resized. Execute the following commands, replacing X with the root partition number:

$ e2fsck -f /dev/sdaX
$ resize2fs -M /dev/sdaX

Encrypt your unencrypted root partition using LUKS1. You can use luksipc ( or setupcrypt-reencrypt (available in Ubuntu 19+) to achieve that. I recommend the latter because it is more actively supported. You will be asked to enter a passphrase, which you will have to provide on every system boot. Remember to replace X with the root partition number. Make sure you have shrunk the filesystem as explained above before running this or you will will lose all the existing data in the root partition.

$ cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M --type=luks1

Enter new passphrase:
Verify passphrase:
Finished, time (…)

Open the encrypted root partition using cryptsetup (available in Ubuntu 19+). Replace X with the root partition number.

$ cryptsetup open /dev/sdaX rootfs

Extend the filesystem of the now encrypted partition to occupy all available space in the partition.

$ resize2fs /dev/mapper/rootfs

Fix the system boot:

  • create a chroot in the root partition. Replace Y with the number of the boot partition.

    $ mount /dev/mapper/rootfs /mnt
    $ mount /dev/sdaY /mnt/boot/efi
    $ mount --bind /dev /mnt/dev
    $ mount --bind /dev/pts /mnt/dev/pts
    $ mount --bind /sys /mnt/sys
    $ mount --bind /proc /mnt/proc
    $ chroot /mnt

  • add the following line to /etc/crypttab (replace <encrypted_rootfs_uuid> with the root partition UUID):

    rootfs UUID=<encrypted_rootfs_uuid> none luks

  • comment/remove the existing root partition line from /etc/fstab and add the following line:

    /dev/mapper/rootfs / ext4 errors=remount-ro 0 1

  • comment/remove the existing GRUB_CMDLINE_LINUX from /etc/fstab and add the following lines to it (replace <encrypted_rootfs_uuid> with the root partition UUID) :


  • update GRUB configuration files/binary:

$ grub-install
$ update-grub

  • Make sure that the GRUB configuration file at /boot/grub/grub.cfg was updated correctly by update-grub. There must be at least a menu entry which loads the kernel modules luks and cryptodisk, mounts the encrypted partition using cryptomount and sets the kernel option “cryptdevice=UUID=<encrypted_rootfs_uuid>:rootfs” . Example:

    menuentry ‘Ubuntu’ (…) {
    insmod cryptodisk
    insmod luks
    cryptomount -u <encrypted_rootfs_uuid>
    set root=‘cryptouuid/<encrypted_rootfs_uuid>’
    linux /boot/vmlinuz-5.3.0-29-generic root=UUID=<unencrypted_rootfs_uuid> ro cryptdevice=UUID=<encrypted_rootfs_uuid>:rootfs quiet splash $vt_handoff
    initrd /boot/initrd.img-5.3.0-29-generic

  • update the initial RAM disk:

    $ update-initramfs -k all -c

  • leave the chroot

    $ exit

  • unmount all mounted filesystems

    $ umount -a

Reboot from the hard disk. You will be prompted to type the passphrase and then Linux will boot. An undesired result of this setup is that the encryption passphrase is requested twice during boot.


Congrats on the successful conversion, and thanks for documenting it!

@alanoe, that sounds like a great thread for Tips & Tricks category :slight_smile:

@alanoe Thanks for the write-up! If there is no existing article or howto online about this, maybe we could post yours publicly for everyone to benefit?

Maybe on the OpenCraft blog, explaining that this is a requirement we have of all team members, ie showing and contributing one of our security measures? @gabriel What do you think? We should probably find a way to separate the very technical articles like this one, from the ones that are more educator or client oriented?

@antoviaque sure, good idea. We currently have no easy way of separating the posts into visible categories (posts do belong to categories but there’s no easy way to display them on the menu or in a page - I checked a few tutorials and tried doing it but to no avail). We can either find a way to do this properly (adding post categories as sub-options in the main menu) or just give the post a title like “Tech post: how we encrypt the root partition of our computers”. If we want to display categories in the menu, I’ll need technical help.

@antoviaque You’re welcome! I found no single online article which covered all these details, so I agree it would be nice to make this documentation public and the Opencraft blog would be a nice place for it.

@Agrendalath I agree. I’ll post it there soon. Thanks for the suggestion!

1 Like

We can just start with the title for now - and maybe include this change in the requirements for the v2.5 update suggested by Metis?

Yep, that works.

@alanoe I’ll schedule a task for you to write the blog post (well, it’s already 90% written, it just needs a bit more context). Would next sprint work for you to do this? I’ll handle posting it online.

@gabriel That works fine, go ahead.

@alanoe done : ) BB-2169

Wow! Looks like the Year of the Linux Desktop is arriving fast. :stuck_out_tongue_winking_eye:

(Sorry but in 2020 this is hilarious :grin:)

Btw @alanoe, welcome to OpenCraft and thanks for taking the time to document stuff! I hope you will not my teasing seriously; its actually intended for @guruprasad. :wink:

1 Like

Haha maybe in 2021? :joy:

To be fair though, this is encrypting an entire system in-place, which isn’t usually recommended. The process for setting up a new system with full disk enc is pretty straight forward these days.

@usman, :stuck_out_tongue: that’s the cost of not having to pay :moneybag: for your computer and wanting flexibility and choice of what and how you want to run stuff on your computer.

Imho, it (the Apple ecosystem) is a stunningly beautiful, high-performance (:troll:) golden cage. I value my freedom more than beauty and performance, but ymmv. :stuck_out_tongue:

Manjaro, which I use on my laptop, was able to do all this automatically for me based on the choice I made in its installer to do FDE. Of course, running a single OS on that computer might have made it so easy. So it could just be that some work needs to be done in Ubuntu or <everyone's favorite distro> to get it working out of the box. Doing things like dual booting will always end requiring a lot of manual work. Hey, at least it’s not as impossible as trying to install Linux on recent Macbook laptops :smile: :grin:


Hey team,

We’ve received a few comments on this blog post, from people using more recent versions of Ubuntu. As a result, we’ve updated the post to warn people that the tutorial specifically targets Ubuntu 19.10 and supports older versions down to Ubuntu 16.

…but it would be awesome if instead we could update or rewrite the post for more recent versions of Ubuntu :slight_smile:

Is anyone up for it?

1 Like