Reencrypt Linux Post Install
This procedure sets up full disk encryption on a Linux distribution (the procedure shown here was tested on Linux Mint and should work on other Debian-based distributions such as Debian and Ubuntu) when this feature was not set up during the installation.
Indeed, contrary to Windows and macOS, which offer the possibility to turn this feature “ON” in a couple of clicks even years after installing the OS, the standard way of setting up full disk encryption on a Linux distribution is during installation. Whether you are on Windows or macOS or about to install Linux from scratch, you can follow this very good guide from the Electronic Frontier Foundation. In this guide they mention how careful we should be with recovery keys, for example not to send them to an institution like Apple or Microsoft. I would recommend not having recovery keys at all, but instead keeping encrypted backups of your system (and remembering your strong passphrases!)
If you did not think of setting up full disk encryption, the usual recommendation is to back up your important files, reinstall Linux and restore the backup. This is annoying because the only files you can back up this way are things like photos, videos, etc., not your programs or many parts of your configuration. This means losing a lot of time reconfiguring everything.
The procedure shown here is an alternative to this.
STEP 1: backup your whole disk
You should make (encrypted!) backups of your system at all times. However, you should ABSOLUTELY do it before any operation on your disks or partitions such as the one presented here: there is a significant risk of destroying ALL your data.
I suggest a backup using two different open source programs. The first one is Clonezilla; it is free, open source and lets you make a disk image and save it as a compressed, encrypted file on an external drive. With this, you will be able to restore your whole disk to its current, working state.
For this, you will need:
- An external hard drive to store the backup. I suggest using an external SSD with a capacity of roughly 3 times your whole drive capacity. For example, if you have a 500GB drive, you will probably be fine with a 2TB drive, but it should be used only for this purpose.
- An external USB stick to install CloneZilla. It should be at least 1GB and be used only for CloneZilla.
STEP 1.1: prepare the CloneZilla USB stick
First, download the Clonezilla live image as an ISO file.
Then, verify the download using the following commands:
wget https://clonezilla.org//downloads/stable/data/CHECKSUMS.TXT
wget https://clonezilla.org//downloads/stable/data/CHECKSUMS.TXT.gpg
gpg --keyserver hkp://keys.openpgp.org --recv-key 667857D045599AFD
gpg --verify CHECKSUMS.TXT.gpg CHECKSUMS.TXT
The output should show the line:
gpg: Good signature from "DRBL Project (Diskless Remote Boot in Linux) <drbl@clonezilla.org>" [unknown]
You have then verified that the file CHECKSUMS.TXT was signed by the holder of the Clonezilla project's private key (the [unknown] only means that you have not marked this key as trusted in your own keyring). You can then compare the checksum of your file with the content of CHECKSUMS.TXT:
sha256sum clonezilla-live-3.2.1-9-amd64.iso
Replace the filename with the actual file you downloaded if it is another version. Check that the output of this command appears in the output of:
cat CHECKSUMS.TXT
If so, you are sure to have the right file. You can then flash your USB key. I recommend using Balena Etcher, which is open source, user friendly and cross platform.
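Comparing the hash by eye against the output of cat CHECKSUMS.TXT is easy to get wrong. The script below is an added example, not part of the original page: it performs the same two checks automatically, requiring that the good signature on CHECKSUMS.TXT come from the key ID given above (667857D045599AFD) rather than from any key that happens to be in your keyring, and letting sha256sum -c compare the ISO against its own line in CHECKSUMS.TXT. It assumes CHECKSUMS.TXT uses the usual "hash  filename" layout; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the page): verify a downloaded Clonezilla ISO in
# two steps, (1) the detached GPG signature on CHECKSUMS.TXT must be valid
# AND made by the expected key, (2) the ISO's SHA-256 must match the entry
# for that filename in CHECKSUMS.TXT. Assumes CHECKSUMS.TXT uses the usual
# "<hash>  <filename>" lines that sha256sum -c understands.

# Long key ID of the DRBL/Clonezilla signing key, as given on the page.
EXPECTED_KEYID="667857D045599AFD"

# 0 only if gpg reports VALIDSIG and a fingerprint on that line ends with
# the expected key ID: a good signature from some other key already in the
# keyring is rejected, which a plain "gpg --verify" exit status would not do.
checksums_signature_ok() {
    sig="$1"; txt="$2"
    gpg --status-fd 1 --verify "$sig" "$txt" 2>/dev/null |
        grep -Eq "^\[GNUPG:\] VALIDSIG .*${EXPECTED_KEYID}( |$)"
}

# 0 only if the SHA-256 line for exactly this filename matches the file.
# A filename missing from CHECKSUMS.TXT fails instead of passing silently.
iso_checksum_ok() {
    iso="$1"; txt="$2"
    dir=$(dirname "$iso"); name=$(basename "$iso")
    sums="$dir/.$name.sha256"
    # keep 64-hex-digit (SHA-256) lines whose filename field is this ISO
    awk -v n="$name" 'length($1) == 64 && ($2 == n || $2 == "*" n)' \
        "$txt" > "$sums"
    if [ ! -s "$sums" ]; then rm -f "$sums"; return 1; fi
    (cd "$dir" && sha256sum -c --status "$(basename "$sums")")
    rc=$?
    rm -f "$sums"
    return "$rc"
}

verify_clonezilla_iso() {
    iso="$1"; txt="${2:-CHECKSUMS.TXT}"; sig="$txt.gpg"
    checksums_signature_ok "$sig" "$txt" ||
        { echo "FAIL: $txt signature is not from $EXPECTED_KEYID" >&2; return 1; }
    iso_checksum_ok "$iso" "$txt" ||
        { echo "FAIL: $iso does not match its entry in $txt" >&2; return 1; }
    echo "OK: $iso matches the signed $txt"
}

# Usage: sh verify_iso.sh clonezilla-live-3.2.1-9-amd64.iso [CHECKSUMS.TXT]
if [ "$#" -ge 1 ]; then verify_clonezilla_iso "$@"; fi
```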
STEP 1.2: prepare the external SSD
You are going to make two partitions on your external SSD:
- One unencrypted partition, to store the encrypted compressed image that CloneZilla will output,
- One encrypted partition, that will contain two virtual sub partitions:
- One for the backups of your /home directory (meaning Videos, Photos, Documents, …). This will be done later with a program called BackinTime.
- One for snapshots of your root filesystem (so your programs). This should be done later (but it will not be covered in this tutorial), once you have a stable encrypted system, with a program called Timeshift.
For this you should use the gparted tool, that you can install with:
sudo apt install gparted
Launch it:
sudo gparted
This opens the gparted window. I will take the example of formatting a small 1GB USB key (a USB key behaves the same way as any other storage device from a software perspective), but in your case the drive will be much larger. I recommend the first, unencrypted partition to be roughly 1.5 times the size of your disk, so maybe around 700GB for a 500GB disk.
It will most likely first show you the partitioning of your current disk. This is my case, where I have a standard partitioning for full disk encryption:
- One small (500MB for example) unencrypted partition in fat32 for the EFI boot system (/boot/efi)
- One small (500MB for example) unencrypted partition in ext4 for the boot partition (/boot)
- One large (in my case almost 500GB) encrypted partition in ext4 for my whole filesystem
Select the disk you want to partition (beware that the coming operations will delete all data that you have on this disk).
To modify the partitions you first need to unmount them.
Then you can create a new partition table. There are several types of partition table; we will choose gpt, which is the most commonly used one.
You can now make a new partition by right clicking on the empty space.
Choose the size you want (in this example I take 500MB for each partition; in your case it could be 700GB and 1300GB).
Repeat the operation for the second partition.
Click on Apply (the green check mark). You are warned that all data on this disk are going to be lost. Click on Apply.
You can then close gparted. Open a terminal and proceed to the encryption of the second partition. You can find its name with the command:
lsblk
In my case I get the following output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 488M 0 part /boot
└─sda3 8:3 0 464.8G 0 part
└─disk1 254:0 0 464.8G 0 crypt
├─usera--computer--vg-root 254:1 0 50G 0 lvm /
├─usera--computer--vg-swap_1 254:2 0 976M 0 lvm [SWAP]
└─usera--computer--vg-home 254:3 0 410G 0 lvm /home
sdb 8:16 1 960M 0 disk
├─sdb1 8:17 1 500M 0 part /media/usera/2ef6dc0b-e0a8-4095-a9d9-437a367ae12a
└─sdb2 8:18 1 458M 0 part /media/usera/76c9dcf2-6043-4f0a-8845-6218fd0bacbd
You can see that this command gives more details than gparted, especially since my encrypted disk is currently unlocked: you can see the next level, three “sub partitions” hidden behind my encrypted disk, which correspond to my root partition (usera--computer--vg-root) containing my programs, my home partition (usera--computer--vg-home) containing my “normal” files and a swap partition (usera--computer--vg-swap_1), a Linux feature that lets the system use disk space as overflow when RAM is scarce. Parenthesis closed, I can identify the partition I want to encrypt: it is called sdb2 (in Linux, disks are usually called sda, sdb, sdc…, and the partitions of disk sda are called sda1, sda2, etc.).
To encrypt the second partition, let us install the cryptsetup tool, in case it is not already there on your computer. Open a terminal and enter:
sudo apt-get -y install cryptsetup
Then you can proceed with the encryption (careful: if the partition you want to encrypt has another name, change it accordingly):
sudo umount /dev/sdb2
sudo cryptsetup luksFormat /dev/sdb2
You need to type 'YES' and then your strong passphrase twice.
WARNING: Device /dev/sdb2 already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb2:
Verify passphrase:
After a short while (a bit longer depending on the size of the partition), your partition is now encrypted.
You can now unlock (decrypt) it with the following command:
sudo cryptsetup luksOpen /dev/sdb2 cryptodisk
You will be prompted for your passphrase. Now that your disk is unlocked, you can check that the command:
lsblk
gives a different result:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 488M 0 part /boot
└─sda3 8:3 0 464.8G 0 part
└─disk1 254:0 0 464.8G 0 crypt
├─usera--computer--vg-root 254:1 0 50G 0 lvm /
├─usera--computer--vg-swap_1 254:2 0 976M 0 lvm [SWAP]
└─usera--computer--vg-home 254:3 0 410G 0 lvm /home
sdb 8:16 1 960M 0 disk
├─sdb1 8:17 1 500M 0 part /media/usera/2ef6dc0b-e0a8-4095-a9d9-437a367ae12a
└─sdb2 8:18 1 458M 0 part
└─cryptodisk 254:4 0 442M 0 crypt
sr0 11:0 1 1024M 0 rom
We will now prepare the two “sub partitions” mentioned before. This is done with a system called LVM (Logical Volume Manager). It can be installed with the following command, if it is not already on your distribution:
sudo apt install lvm2
You will need to execute the following commands. First, create what LVM calls a “Physical Volume” out of the unlocked disk:
sudo pvcreate /dev/mapper/cryptodisk
Then create a “Volume Group” on this physical volume:
sudo vgcreate vgbackup /dev/mapper/cryptodisk
Then create two “Logical Volumes” in the “Volume Group”. In your case, replace “250M” in the command below with roughly 1.5 times the size of your programs; something like 80GB should be enough, so you would enter “80G”.
sudo lvcreate -L 250M -n root vgbackup
sudo lvcreate -l 100%FREE -n home vgbackup
Then check again the output of
lsblk
You can see that we have the right partitioning:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 488M 0 part /boot
└─sda3 8:3 0 464.8G 0 part
└─disk1 254:0 0 464.8G 0 crypt
├─usera--computer--vg-root 254:1 0 50G 0 lvm /
├─usera--computer--vg-swap_1 254:2 0 976M 0 lvm [SWAP]
└─usera--computer--vg-home 254:3 0 410G 0 lvm /home
sdb 8:16 1 960M 0 disk
├─sdb1 8:17 1 500M 0 part /media/usera/2ef6dc0b-e0a8-4095-a9d9-437a367ae12a
└─sdb2 8:18 1 458M 0 part
└─cryptodisk 254:4 0 442M 0 crypt
├─vgbackup-root 254:5 0 252M 0 lvm
└─vgbackup-home 254:6 0 188M 0 lvm
sr0 11:0 1 1024M 0 rom
Then you need to create a “file system” on those “sub partitions”, or Logical Volumes:
sudo mkfs.ext4 /dev/mapper/vgbackup-root
sudo mkfs.ext4 /dev/mapper/vgbackup-home
This formats those volumes with the filesystem called “ext4”, which is the default Linux filesystem.
In what we did, there are several levels of partitions that you need to know:
You can then deactivate the LVM volume group:
sudo vgchange -an vgbackup
and the luks container:
sudo cryptsetup luksClose cryptodisk
STEP 1.3: do the actual backup
You can then follow the Clonezilla guide to back up your whole disk to an encrypted image stored on your unencrypted partition. Do not forget to tick the “encrypt your image” option, and secure it with a strong passphrase that you will remember.
Once this is done, you can make another backup of your /home, which contains all your regular files. For this you can use the program backintime. You can install it with:
sudo apt install backintime-qt
Before launching it, we need to unlock the encrypted disk and mount the logical volume we intend to use (the mapping name must be cryptodisk, the same one used when creating the volume group and when closing it below):
sudo cryptsetup luksOpen /dev/sdb2 cryptodisk
sudo vgchange -ay vgbackup
sudo mount /dev/mapper/vgbackup-home /mnt
Now everything written to /mnt on your computer is written to the backup disk.
You can then launch backintime with:
sudo backintime-qt
You can then configure it to save its snapshots in /mnt:
And then click on “Take snapshot” and wait for it to finish:
You can then unmount and remove your backup disk:
sudo umount /mnt
sudo vgchange -an vgbackup
sudo cryptsetup luksClose cryptodisk
STEP 2: Set up your partitioning
There are several ways a Linux distribution can be installed without encryption. Check the output of:
lsblk
Ideally, your laptop's hard drive should have 2 or 3 partitions.
- One of them should be the “ESP” partition which handles the “EFI” boot system (the mountpoint should be /boot/efi, the size below 1GB typically, and the filesystem should be fat32),
- One of them will contain your root installation (the mount point should be /, the size should be most of the disk size and the filesystem should be ext4).
- Optionally, you can have a separate ext4 partition for /home, that would then be much bigger than the / (something like 30GB-50GB is typical for /, the rest of the disk for /home),
- Maybe a partition for swap,
- Maybe an ext4 partition for /boot, which is typically around the same size as the EFI partition
If you have a /home or a swap partition, we are going to ignore them for now. The setup you will need to make this work is:
- The ESP (or EFI) partition
- One partition for the /
- One partition for the /boot
You most likely have the first two. If you do not have the last one, you need to create one ext4 partition of roughly 500MB. You will need to shrink another partition for this, and you cannot shrink a partition that is in use. You will therefore need to boot from a live USB