Ran into a similar issue. After lots of research, it seems that it is a limitation of the new Flutter-based installers (introduced since 23.10).
The only solution I found so far is:
- Download the 23.10 Legacy Installer, you can get it here, filename `ubuntu-23.10-desktop-legacy-amd64.iso`.
- Legacy installer "sees" LUKS2 partitions, and is able to create them
- (not recommended) Install to an existing LUKS2 partition - I tried it and a lot of things were left unconfigured, as if Ubuntu was not aware it's installed to an encrypted volume. The system wouldn't boot until manual changes to grub, crypttab etc.
- (recommended) Install to a physical partition and instead of 'Use as EXT4' select 'Physical volume for encryption' - the very option missing from the new installers. This will let you choose MVK for the new LUKS2 partition and the installer will automatically configure everything encryption related.
- Boot from 23.10
- Upgrade to 24.04 via `sudo do-release-upgrade`. As of now it is still not available as an upgrade for stable, and I had to add the `-d` flag. Worked just fine, no issues, system is bootable and still on the encrypted drive.
This is of course far from ideal solution, and comes with a number of limitations:
- You need to do an extra upgrade, which partially defeats purpose of 'new clean install'.
- This method assumes you have an unencrypted `/boot` partition, hence you do not have full disk encryption - when used with TPM2 you are potentially open to Evil Maid attacks. A partial solution is to lock your UEFI to disable boot from external devices without a password, and enable chassis intrusion detection to prevent any further booting of the machine without the admin password - not all vendors support these options.
- This method will expect you to type the LUKS2 password on every boot. Enrolling in TPM2 is a separate hassle.
There is another option, which is on the extreme side and will not be applicable for a lot of people including myself - the new Flutter installers (23.10, 24.04) have a new option when selecting 'erase all' - "Hardware backed Full Disk Encryption":
- It will create `/boot` and `/` partitions for you, both being encrypted
- It will automatically seal both partitions keys with TPM2, hence you do not need to hassle with it manually, and do not have to type passwords on every boot.
On the downsides:
- It will format your disk. Sadly, this is the only way to get FDE setup done automatically by the installer.
- It requires TPM2 to be erased. I am now trying to get this working with TPM2 already pre-owned by Windows BitLocker, but it doesn't seem to be possible - the option is simply grayed out.
- It requires you to not use any third-party DKMS drivers, e.g. Nvidia. You have to untick those in the installer, otherwise the FDE option will be grayed out. I am not sure whether Nvidia drivers can then be installed post boot or not.
Despite the downsides, I tried this on my backup machine and the experience was extremely pleasant - installation was easy and as smooth as always. Since LUKS2 unlocking happens automatically, you wouldn't even be able to tell that your device is now fully encrypted. If you go with this solution, do not forget to get the recovery keys once booted, otherwise you risk getting locked out!
P.S. I did try @zetheroo's trick but with manual partitioning - select LVM & LUKS, go back, select manual and then manually select the partition to install to. Installation did go through but it simply erased the encrypted volume and installed the OS to a physical unencrypted EXT4 volume.
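The two routes in the answer above end in different on-disk layouts: the legacy-installer route leaves `/boot` in plaintext with `/` inside LUKS, while the "Hardware backed Full Disk Encryption" route encrypts both. The script below is an added example (not from the answer, and not an Ubuntu tool) that walks the `lsblk -P` parent chain of a mount point and reports whether a dm-crypt mapping sits underneath it, so you can confirm which layout you actually ended up with after the upgrade. The `SAMPLE_LSBLK` text is constructed to mirror the legacy-installer layout (EFI and `/boot` on plain partitions, `/` on LVM inside LUKS); device names in it are illustrative.

```shell
#!/bin/sh
# Added example: decide from `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output
# whether a mount point is backed by a dm-crypt (LUKS) mapping anywhere in its
# parent chain. Exit codes: 0 = encrypted, 1 = not encrypted, 2 = mount unknown.

# Constructed sample of lsblk pairs output for the legacy-installer layout:
# plaintext /boot/efi and /boot, root on LVM on top of a LUKS container.
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="nvme0n1p3_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vgubuntu-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="nvme0n1p3_crypt"'

# field LINE KEY -> prints the value of KEY="..." from one lsblk -P line.
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# mount_is_encrypted LSBLK_TEXT MOUNTPOINT
mount_is_encrypted() {
    lsblk_text=$1
    # The closing quote keeps "/boot" from also matching "/boot/efi".
    dev=$(printf '%s\n' "$lsblk_text" | grep "MOUNTPOINT=\"$2\"" | head -n 1)
    [ -n "$dev" ] || return 2
    dev=$(field "$dev" NAME)
    # Walk up PKNAME until the top-level disk (empty PKNAME) is reached.
    while [ -n "$dev" ]; do
        # Trailing space after the quote avoids matching "nvme0n1p3_crypt"
        # when looking up "nvme0n1p3".
        line=$(printf '%s\n' "$lsblk_text" | grep "^NAME=\"$dev\" " | head -n 1)
        [ -n "$line" ] || return 2
        [ "$(field "$line" TYPE)" = "crypt" ] && return 0
        dev=$(field "$line" PKNAME)
    done
    return 1
}

# report LSBLK_TEXT -> one status line each for / and /boot.
report() {
    for mp in / /boot; do
        if mount_is_encrypted "$1" "$mp"; then
            echo "$mp: encrypted (dm-crypt mapping in device chain)"
        else
            echo "$mp: NOT encrypted (plaintext partition)"
        fi
    done
}

# Offline demo on the constructed sample; pass --live to inspect this machine
# (assumes util-linux lsblk with the PKNAME column, available on Ubuntu).
if [ "${1:-}" = "--live" ]; then
    report "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"
else
    report "$SAMPLE_LSBLK"
fi
```

On the sample this prints `/: encrypted` and `/boot: NOT encrypted`, which is exactly the partial-FDE situation the answer warns about; after the TPM-backed install both lines should read encrypted.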