
Encrypting your system is very important for keeping your private information safe, especially on laptops that could get lost or stolen. While Ubuntu lets you encrypt your system during installation, you might want to encrypt a system that is already set up. This guide shows you, step by step, how to encrypt an existing Ubuntu 24.04 system.
⚠️ WARNING: This process involves working with disk partitions and system files, which can be risky. You could lose your data, so make sure to back up your entire system before starting. This isn’t just a suggestion – it’s something you must do.
What You’ll Need
- A full backup of your entire system
- An Ubuntu Live USB drive (version 24.04)
- At least 50% free space on your drive for temporary storage
- A stable power source (if you’re using a laptop, plug it in)
- 2-3 hours of uninterrupted time
- Basic knowledge of Linux commands and working with disks
How It Works
Encrypting an existing system involves a few important steps:
- Creating a backup partition
- Moving current data to the backup partition
- Setting up encryption on the main partition
- Moving data back to the encrypted partition
- Setting up the system to start with encryption
Step 1: Getting Ready and Making a Backup
1.1 Make a Full System Backup
First, save a copy of your entire system to an external drive. Here’s a simple way to do it using rsync:
sudo rsync -aAXv / --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /path/to/backup
1.2 Check Your Current Storage Layout
Before moving forward, check how your storage is divided:
sudo fdisk -l
sudo lsblk
Step 2: Start from a Live USB
The encryption process needs to be done from a live system:
- Insert your Ubuntu Live USB
- Restart your computer and start from the USB
- Choose “Try Ubuntu” instead of “Install”
Step 3: Get the System Ready for Encryption
3.1 Install Needed Tools
Once you’re in the live system, install the tools you’ll need:
sudo apt update
sudo apt install cryptsetup lvm2 gparted
3.2 Create Temporary Storage
Use GParted to make space for temporary storage by shrinking your current partition:
- Open GParted: Type sudo gparted in the terminal.
- Choose your main drive.
- Right-click on your main partition.
- Click “Resize/Move.”
- Reduce the size of the partition to free up space (make sure it’s at least as big as your data).
- Create a new partition in the empty space.
- Apply the changes.
Step 4: Set Up Encryption
4.1 Prepare the Encryption Container
Replace sdXY with your actual partition (for example, sda1):
sudo cryptsetup luksFormat /dev/sdXY
sudo cryptsetup luksOpen /dev/sdXY encrypted_ubuntu
sudo mkfs.ext4 /dev/mapper/encrypted_ubuntu
4.2 Mount and Copy Data
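sudo mkdir -p /mnt/original /mnt/encrypted
# /dev/sdXZ is a placeholder for the partition that holds your existing, unencrypted data.
# It cannot be the /dev/sdXY formatted in 4.1: luksFormat erased that partition.
sudo mount /dev/sdXZ /mnt/original
sudo mount /dev/mapper/encrypted_ubuntu /mnt/encrypted
sudo rsync -aAXv /mnt/original/ /mnt/encrypted/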
Step 5: Configure the System for Encrypted Boot
5.1 Update System Settings
Edit the crypttab file to add your encrypted partition:
sudo nano /mnt/encrypted/etc/crypttab
Add this line to the file:
encrypted_ubuntu UUID=your-uuid none luks
To find the UUID, use this command:
sudo blkid /dev/sdXY
5.2 Update GRUB Settings
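# Make the live session's device, process and sysfs trees visible inside the new root
sudo mount --bind /dev /mnt/encrypted/dev
sudo mount --bind /proc /mnt/encrypted/proc
sudo mount --bind /sys /mnt/encrypted/sys
sudo chroot /mnt/encrypted
# From here on, the commands run inside the encrypted system
update-initramfs -u
update-grub
# /dev/sdX is the whole disk, not a partition
grub-install /dev/sdX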
Step 6: Final Steps
6.1 Check Your Settings
Before restarting, make sure these files are correct:
/etc/crypttab
/etc/fstab
/boot/grub/grub.cfg
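A check for step 6.1, as an added example that is not part of the original guide. It assumes the fstab copied in step 4.2 may still name the old root filesystem, and that crypttab must carry the UUID of the LUKS container on /dev/sdXY rather than the UUID of the filesystem inside it. The function names and sample UUIDs are made up for illustration.

```shell
#!/usr/bin/env bash

# Print the source field (column 2) of the crypttab entry named $2 in file $1.
crypttab_source() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $2; exit }' "$1"
}

# Print the device field (column 1) of the fstab entry mounted at "/" in file $1.
fstab_root_source() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# check_config ROOT NAME LUKS_UUID FS_UUID
# Prints one line per problem and returns the number of problems found.
check_config() {
    local root="$1" name="$2" luks_uuid="$3" fs_uuid="$4" problems=0 src rootdev
    src=$(crypttab_source "$root/etc/crypttab" "$name")
    if [ -z "$src" ]; then
        echo "crypttab: no entry named $name"; problems=$((problems + 1))
    elif [ "$src" = "UUID=$fs_uuid" ]; then
        echo "crypttab: UUID belongs to the inner filesystem, not the LUKS container"
        problems=$((problems + 1))
    elif [ "$src" != "UUID=$luks_uuid" ]; then
        echo "crypttab: $src does not match LUKS UUID $luks_uuid"; problems=$((problems + 1))
    fi
    rootdev=$(fstab_root_source "$root/etc/fstab")
    case "$rootdev" in
        "/dev/mapper/$name" | "UUID=$fs_uuid") ;;
        "") echo "fstab: no entry for /"; problems=$((problems + 1)) ;;
        *)  echo "fstab: / comes from $rootdev, not the new encrypted filesystem"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample: crypttab is correct, fstab still names the old root UUID.
demo() {
    local t rc=0; t=$(mktemp -d); mkdir -p "$t/etc"
    echo 'encrypted_ubuntu UUID=aaaa-1111 none luks' > "$t/etc/crypttab"
    echo 'UUID=0ld0-0000 / ext4 errors=remount-ro 0 1' > "$t/etc/fstab"
    check_config "$t" encrypted_ubuntu aaaa-1111 bbbb-2222 || rc=$?
    rm -rf "$t"; return "$rc"
}
demo || echo "demo: $? problem(s) found"

# Real use from the live session (sdXY is the guide's placeholder):
#   check_config /mnt/encrypted encrypted_ubuntu \
#       "$(sudo blkid -s UUID -o value /dev/sdXY)" \
#       "$(sudo blkid -s UUID -o value /dev/mapper/encrypted_ubuntu)"
```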
6.2 Restart and Test
Restart your computer. After rebooting, you should see prompts for:
- The LUKS password to unlock your encrypted drive
- Your regular login details
Troubleshooting Common Problems
Computer Won’t Start
If your computer doesn’t start:
- Start the computer using the Live USB again.
- Open and unlock your encrypted storage.
- Look at the logs in the /var/log/ folder.
- Check the settings in the crypttab and fstab files.
Slow Startup
If your computer takes a long time to start, open the GRUB defaults file:
sudo nano /etc/default/grub
and set this line:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash no_timer_check"
Performance Tips
Using full disk encryption can slow things down a bit:
- Reading and writing files might be 5-15% slower.
- Starting the computer takes longer because of the decryption process.
- The CPU might work harder when doing lots of disk tasks.
Security Tips
- Use a strong password (20 or more characters).
- Save a backup of the LUKS header (the volume cannot be unlocked if the header is damaged):
sudo cryptsetup luksHeaderBackup /dev/sdXY --header-backup-file luks-header-backup.img
- Keep the backup in a safe place, like a different device.
- Add a second password as a backup in case you forget the first one.
Extra Tips
Adding More Passwords
To add another password, use this command:
sudo cryptsetup luksAddKey /dev/sdXY
Changing Passwords
To change your password, use this command:
sudo cryptsetup luksChangeKey /dev/sdXY
Final Thoughts
Encrypting an existing Ubuntu system is a challenging but important step to protect your data. Although the setup process takes time and requires focus, the security it provides is worth it. Make sure to:
- Always keep backups up to date
- Store your encryption passwords in a safe place
- Save a backup of your LUKS header
- Test your system carefully after encrypting it
With the right setup and care, an encrypted system offers strong data protection without affecting your daily tasks. For even more security, you can combine full-disk encryption with home folder encryption and secure boot.
Note: This guide explains basic full-disk encryption. If you need advanced setups or have specific security needs, check Ubuntu’s security guides or talk to a security expert.