Installing Ubuntu 24.04 with LUKS+LVM on a Multiboot system

How I Installed Ubuntu 24.04.2 LTS with Full Disk Encryption (LUKS+LVM) on a Multi-Boot System with rEFInd

Many Linux users want their systems fully encrypted using LUKS and LVM, but as of Ubuntu 24.04.2 LTS, Canonical’s new Flutter-based installer does not support setting up an encrypted LVM system during installation unless you erase the whole disk. This frustrating limitation is documented here on AskUbuntu.

It was somewhat of a bumpy ride to get it to work so I thought I’d share my working solution for getting Ubuntu 24.04 LTS running with LUKS+LVM, alongside Ubuntu 25.04 and Windows 10, managed by rEFInd.

Thanks to GPT-4 for helping me create this write-up based on its initial procedure and my feedback.

---

✅ Why This Approach?

• Full Disk Encryption
  Secure all user data at rest using LUKS.

• LVM Flexibility
  Manage logical volumes for root, swap, and future expansion.

• Clean Multi-Boot
  Avoid GRUB lock-in by managing OS selection with rEFInd.

---

🛠️ What You’ll Need

• Ubuntu 24.04.2 LTS ISO

• Existing rEFInd boot manager (or you can install it during the process, this will also work for a purely GRUB-based setup)

• Free space on SSD (or you can make some with gparted)

• Existing Ubuntu and Windows installations

• Comfortable using the terminal

---

🚧 The Problem With the Official Installer

Since 23.10, the official Flutter-based Ubuntu installer doesn’t support LUKS+LVM setups directly. The installer fails to detect encrypted LVM volumes, leaving users stuck.

The Solution

Perform a temporary install to an unencrypted partition, manually build the encrypted LVM structure, and migrate the system.

---

📝 Step-by-Step Guide

---

1. Create a Bootable Installer (Without USB)

If you lack a USB stick, you can reuse the target drive itself:

1. Shrink an existing partition to create an 8GB "installer" partition.

2. Write the ISO image to it:

sudo dd if=ubuntu-24.04.2-desktop-amd64.iso of=/dev/nvme0n1pX bs=4M

1. Set the boot flag on the partition using GParted.

2. Reboot and select "Fallback bootloader" in rEFInd.

---

2. Do a Temporary Installation

Install Ubuntu 24.04 LTS to a small temporary partition (~16 GB).
This is just to bootstrap the system—no encryption needed yet.

---

3. Prepare Boot and Encrypted LVM Structure

3.1. Create Boot and LUKS Container Partitions

Use GParted, parted, or fdisk to define:

• Boot Partition (~2 GB):

  • Format as ext4.

  • Holds kernel and initramfs, ensuring GRUB/rEFInd can access them without LUKS decryption.

• LUKS Container Partition (remaining space):

  • Set the partition type to e6d6d379-f507-44c2-a23c-238f2a3df928 (Linux LVM).

  • This is normal, even though you’ll encrypt it with LUKS.

3.2. Set Up LUKS and LVM

sudo apt update && sudo apt install lvm2 cryptsetup

sudo cryptsetup luksFormat /dev/nvme0n1pY
sudo cryptsetup open /dev/nvme0n1pY luks_ubuntu24

sudo pvcreate /dev/mapper/luks_ubuntu24
sudo vgcreate ubuntu24-vg /dev/mapper/luks_ubuntu24
sudo lvcreate -L 8G -n swap ubuntu24-vg
sudo lvcreate -l 100%FREE -n root ubuntu24-vg

3.3. Format the Volumes

sudo mkfs.ext4 /dev/ubuntu24-vg/root
sudo mkswap /dev/ubuntu24-vg/swap

---

4. Boot Into Recovery Mode With Filesystem Read-Only

When booting the temporary installation, add this to the kernel command line:

systemd.mask=systemd-remount-fs.service

This prevents it from remounting / read-write, allowing you to safely migrate the system.

---

5. Migrate the Installation to Encrypted LVM

1. Open the encrypted volume:

sudo cryptsetup open /dev/nvme0n1pY luks_ubuntu24

1. Mount the target root volume:

sudo mount /dev/ubuntu24-vg/root /mnt

1. Migrate the system using rsync:

sudo rsync -avugx / /mnt/

---

6. Update fstab and crypttab

/mnt/etc/fstab

Replace with:

/dev/mapper/ubuntu24--vg-root / ext4 defaults 0 1
/dev/disk/by-uuid/<boot-uuid> /boot ext4 defaults 1 1
/dev/disk/by-uuid/<efi-uuid> /boot/efi vfat defaults 0 1
/dev/mapper/ubuntu24--vg-swap none swap sw 0 0

/mnt/etc/crypttab

Add:

luks_ubuntu24 /dev/disk/by-uuid/<luks-uuid> none luks

You can get UUIDs with:

sudo blkid

/mnt/etc/default/grub

Near the top, add:

GRUB_ENABLE_CRYPTODISK=y

---

7. Rebuild Initramfs and GRUB

for a in sys proc dev dev/pts; do sudo mount --bind /$a /mnt/$a; done
sudo chroot /mnt
mount /boot
mount /boot/efi
update-initramfs -u -k all
update-grub
grub-install --no-nvram
exit
sudo reboot

---

🚀 Booting With rEFInd

• rEFInd should now show a GRUB entry for Ubuntu 24.04 LTS.

• Select it, and you’ll be prompted for your LUKS passphrase.

If the GRUB entry doesn’t appear, boot into the temporary installation you created, and run:

sudo refind-install
sudo refind-mkconfig

---

📝 Final Thoughts

• Why a separate /boot? GRUB and rEFInd need to load the kernel/initramfs without decrypting LUKS.

• Why --no-nvram? Prevents GRUB from overriding rEFInd as the default bootloader.

• Why rsync? Guarantees the new system is fully migrated without reinstalling packages.

---

🧭 References

• Ubuntu Installer Limitation on AskUbuntu

• rEFInd Boot Manager

• Full Disk Encryption How-To (Ubuntu Community)

• Disk Setup / Manual installation missing LVM LV as target (LaunchPad)