9

I want to replace my Ubuntu 22.04 install, which is in an encrypted LVM, with a new Ubuntu 24.04.

I unlocked the encrypted partition:

  1. sudo cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3_crypt
  2. password: ok
  3. the installer starts, next, next, and after choosing the option "Something else", the installer should give a list of available partitions and the LVM partitions to choose from.

Reality: only the "crypt" partition is shown, without the underlying volumes.

Why and how to solve it?

5
  • I’m experiencing a similar issue with the Ubuntu installer not detecting my LVM partitions, even though they are not encrypted with LUKS.
    – mamdf
    Commented Apr 25 at 22:14
  • 1
    Developers removed this feature entirely (detecting LVM) and now it's in the Wishlist. It's funny. Soon we will have to ask developers to write windows mode again. :) Write in the bugtracker so maybe this feature comes back sooner.
    – Bob
    Commented Apr 27 at 23:41
  • @Bob removing such an important feature from an LTS! I wrote in the bugtracker hoping this will be back soon. The feature has been missing since 23.04. Is there a 24.04 legacy installer ISO like in previous versions? Commented Apr 28 at 11:33
  • 1
    @PasqualeTurner As I understand it, 24.04 has a new installer, and the developers forgot to move this feature from the old version to the new one. It's funny to me. So I say the developers may soon forget to move windows mode or another important feature, and we will have to wait for it from the wishlist again. All that's left to do is have fun. A tip: I install 24.04 with erase all + add LVM and then redo everything I want from the LiveCD.
    – Bob
    Commented Apr 29 at 1:59
  • Why is the link to this bug gone? Bug #2058511 at launchpad, ask google.
    – Bob
    Commented Apr 29 at 2:04

3 Answers

4

If the reason you want to create a LUKS partition is to DualBoot with Windows, see this --> https://techtalkblog.ch/ubuntu-24-04-lts-fde-alongside-windows-installation

TLDR:

  1. Select ‘Erase disk and install Ubuntu‘ and click Next
  2. Select ‘Use LVM and encryption‘ and click OK
  3. Now select ‘Install Ubuntu alongside Windows Boot Manager‘ and click Next
  4. Voila!
4
  • I noticed that the linked page was posted today; are you affiliated with that site? Commented Apr 26 at 14:38
  • No, I already have 2 partitions inside the encrypted LVM: a / root volume containing Ubuntu 22.04, which I want to replace with 24.04, and a /home volume that I want to keep and remount in the new 24.04 as it is. The problem is that the new installer is not detecting LVM volumes inside the encrypted partition. Commented Apr 26 at 19:42
  • I have an old laptop booting in legacy BIOS. Somehow this method causes an error message unless I delete the Windows Recovery partition. Maybe the 4 partition limit of MBR is tripping up the installer. After deleting the Windows Recovery partition, installation finishes but it only boots to Ubuntu, doesn't show Grub.
    – Guangliang
    Commented Apr 27 at 12:22
  • @user68186 I'm not asking a question here. I'm simply providing more facts related to the answer above.
    – Guangliang
    Commented Apr 27 at 13:51
2

(My first post on a programming forum ever. I have goosebumps and so on, so please be kind to me.)

My fix/workaround that worked.

Background:

  • Windows 10/11 masked by grub (Ubuntu 20.04)
  • 1GB partition for /boot formatted to ext2 (let's call it /dev/sda2)
  • / on LUKS partition (/dev/sda4)
  • SWAP on LUKS partition (/dev/sda3)

After some fighting with the Flutter-based installer and searching the network, I realised that there is a major problem with LUKS-based partitions in the 24.04 installer.

What I did:

  1. Install a fresh Ubuntu 24.04 on /dev/sda4 using a normal ext4 disk with no cryptography, and /boot on /dev/sda2. Use the manual partitioning option in the installation program.

  2. Reboot and use the LiveCD to copy the whole new system to another place (e.g. use rsync -axHAWXS --numeric-ids --info=progress2). Of course, mount /dev/sda4 somewhere first (e.g. /mnt).

  3. After successful copying, unmount the /dev/sda4 partition from the place where it was mounted and then format this partition with cryptsetup luksFormat /dev/sda4

  4. Open the LUKS partition /dev/sda4: cryptsetup luksOpen /dev/sda4 sda4_crypt

  5. Format /dev/mapper/sda4_crypt (the opened LUKS partition is stored here) to ext4 (or another file system you need). I use gparted launched via terminal.

  6. Copy all the files copied in point 2 to the mounted /dev/mapper/sda4_crypt.

  7. After successful copying, add the file /mounted_sda4_crypt/etc/crypttab. Edit this file and fill it with sda4_crypt UUID=(uuid of /dev/sda4) none luks,discard. It needs to be the UUID of /dev/sda4, not of /dev/mapper/sda4_crypt. It can be found by using blkid.

  8. Edit the file /mounted_sda4_crypt/etc/fstab and change the line that holds the information about the clean Ubuntu 24.04 from point 1 (e.g. /dev/disk/by-uuid/XXXX / ext4 defaults 0 1) to /dev/mapper/sda4_crypt / ext4 errors=remount-ro 0 1

  9. Add and edit the file /mounted_sda4_crypt/etc/default/cryptdisks. Paste three lines into it:

    CRYPTDISKS_ENABLE=Yes

    CRYPTDISKS_MOUNT=""

    CRYPTDISKS_CHECK=blkid

TIP: In LiveCD this file is stored in /etc/default/. You can simply copy it to /mounted_sda4_crypt/etc/default/.

  10. Mount /dev/sda2 to /mounted_sda4_crypt/boot/ and then chroot to /mounted_sda4_crypt/. Of course, do it after mounting some extra catalogues:

    mount -t proc none /mounted_sda4_crypt/proc
    mount -t sysfs none /mounted_sda4_crypt/sys
    mount --bind /dev /mounted_sda4_crypt/dev
    mount --bind /dev/pts /mounted_sda4_crypt/dev/pts
    mount --bind /run /mounted_sda4_crypt/run
    chroot /mounted_sda4_crypt/

  11. After a successful chroot, install cryptsetup: apt install cryptsetup
  12. After successful installation of cryptsetup, type update-initramfs -u -k all. This will generate (update) a new startup file. If there are some errors, then check the UUID in the edited files.
  13. If the initramfs generates successfully, then type update-grub.
  14. Exit the chroot by typing exit in the terminal, and reboot the computer.

Now the computer should start, and after a few seconds there should be a prompt to type the password of the root partition.

If you want to open a SWAP partition encrypted by LUKS during startup, use these steps to add this partition. In /etc/fstab add the line /dev/mapper/sda3_crypt none swap sw 0 0. Of course, delete or comment out the previous line about SWAP.

1
  • Nice answer with good amount of details!
    – user68186
    Commented Jun 9 at 23:03
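
Added example (not part of the original answer or its comments): a shell check for the mistake step 7 warns about, a crypttab UUID taken from /dev/mapper/sda4_crypt instead of /dev/sda4, and for the fstab line from step 8. It reads a saved copy of blkid output; the function names, file names and UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check of the files edited in steps 7 and 8.
# All UUIDs and file contents below are constructed sample data.

# check_crypt_config CRYPTTAB FSTAB BLKID_DUMP -> 0 if consistent, 1 if not
check_crypt_config() {
    crypttab=$1; fstab=$2; blkid_dump=$3; rc=0
    while read -r name src _rest; do
        case $name in ''|'#'*) continue ;; esac   # skip blanks and comments
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "FAIL $name: source is not UUID=..."; rc=1; continue ;;
        esac
        # The UUID must be that of the LUKS container, not the opened mapper.
        line=$(grep -F " UUID=\"$uuid\"" "$blkid_dump" || true)
        case $line in
            '') echo "FAIL $name: UUID not present in blkid output"; rc=1 ;;
            *'TYPE="crypto_LUKS"'*) echo "OK   $name: ${line%%:*} is crypto_LUKS" ;;
            *) echo "FAIL $name: UUID is ${line%%:*}, not a LUKS container"; rc=1 ;;
        esac
        # fstab must mount the mapper name that crypttab creates.
        grep -q "^/dev/mapper/$name[[:space:]]" "$fstab" ||
            { echo "FAIL $name: fstab has no /dev/mapper/$name line"; rc=1; }
    done < "$crypttab"
    return $rc
}

# Writes a constructed stand-in for saved `blkid` output plus the two edited files.
write_sample() {  # write_sample DIR UUID_FOR_CRYPTTAB
    cat > "$1/blkid.txt" <<'EOF'
/dev/sda2: UUID="11111111-aaaa-4000-8000-000000000002" TYPE="ext2"
/dev/sda4: UUID="22222222-bbbb-4000-8000-000000000004" TYPE="crypto_LUKS"
/dev/mapper/sda4_crypt: UUID="33333333-cccc-4000-8000-0000000000ff" TYPE="ext4"
EOF
    echo "sda4_crypt UUID=$2 none luks,discard" > "$1/crypttab"
    echo "/dev/mapper/sda4_crypt / ext4 errors=remount-ro 0 1" > "$1/fstab"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir" 22222222-bbbb-4000-8000-000000000004
check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab" "$demo_dir/blkid.txt"
```

On a real system the third argument would be a file produced with blkid > blkid.txt from the LiveCD, and the first two the files under /mounted_sda4_crypt/etc/, checked before running update-initramfs.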
1

Ran into a similar issue. After lots of research, it seems that it is a limitation of the new Flutter-based installers (introduced since 23.10).

The only solution I found so far is:

  1. Download 23.10 Legacy Installer, you can get it here, filename ubuntu-23.10-desktop-legacy-amd64.iso.
  2. Legacy installer "sees" LUKS2 partitions, and is able to create them
  3. (not recommended) Install to an existing LUKS2 partition - I tried it and a lot of things were left unconfigured, as if Ubuntu was not aware it's installed to an encrypted volume. The system wouldn't boot until manual changes to grub, crypttab etc.
  4. (recommended) Install to a physical partition and instead of 'Use as EXT4' select 'Physical volume for encryption' - the very option missing from the new installers. This will let you choose MVK for the new LUKS2 partition and the installer will automatically configure everything encryption related.
  5. Boot from 23.10
  6. Upgrade to 24.04 via sudo do-release-upgrade. As of now it is still not available as upgrade for stable, and I had to add -d flag. Worked just fine, no issues, system is bootable and still on encrypted drive.

This is of course far from an ideal solution, and comes with a number of limitations:

  1. You need to do an extra upgrade, which partially defeats the purpose of a 'new clean install'.
  2. This method assumes you have an unencrypted /boot partition, hence you do not have full disk encryption - when used with TPM2 you are potentially open to Evil Maid attacks. A partial solution is to lock your UEFI to disable boot from external devices without a password, and enable chassis intrusion detection to prevent any further booting of the machine without the admin password - not all vendors support these options.
  3. This method will expect you to type the LUKS2 password on every boot. Enrolling to TPM2 is a separate hassle.

There is another option, which is on the extreme side and will not be applicable for a lot of people including myself - the new Flutter installers (23.10, 24.04) have a new option when selecting 'erase all' - "Hardware backed Full Disk Encryption":

  • It will create /boot and / partitions for you, both being encrypted
  • It will automatically seal both partitions keys with TPM2, hence you do not need to hassle with it manually, and do not have to type passwords on every boot.

On the downsides:

  • It will format your disk. Sadly, this is the only way to get FDE setup done automatically by the installer.
  • It requires TPM2 to be erased. I am now trying to get this working with TPM2 already pre-owned by Windows Bitlocker, but it doesn't seem to be possible - option is simply grayed out.
  • It requires to not use any 3rd party DKMS drivers, eg. Nvidia. You have to untick those in the installer, otherwise FDE option will be grayed out. I am not sure whether Nvidia drivers can be then installed post boot or not.

Despite the downsides, I tried this on my backup machine and experience was extremely pleasant - installation was easy and as smooth as always. Since LUKS2 unlocking happens automatically, you wouldn't even be able to tell that your device is now fully encrypted. If you go with this solution, do not forget to get recovery keys when booted, otherwise you are risking to get locked out!

P.S. I did try @zetheroo's trick but with manual partitioning - select LVM & LUKS, go back, select manual and then manually select the partition to install to. Installation did go through but it simply erased the encrypted volume and installed the OS as a physical unencrypted EXT4 volume.