Linux and Windows both encrypted in dual boot

Gianluca
Aug 11, 2020

This tutorial shows how to install Linux Mint 20 and Windows 10 in dual boot, with both OSs encrypted. It should also work for other Linux distros.

Warning: Do a backup. I am not responsible for the loss of your data or any inconvenience that might happen.

Requirements:

  • Windows with Veracrypt installed.
  • Unallocated space on your disk for your Linux distro. It’s possible to create it during the installation.
  • USB key with the bootable Linux distro that you want to install.

Linux installation

1) Insert the USB key and boot Linux.

2) Start the installer and proceed until you have to select the installation type, then choose Something else.

3) Select the unallocated space, click on the + button and create a partition for the kernels, like in the picture. This partition is not encrypted. With a size of 500 MB, it will hold 4-5 kernels; make it bigger if you plan to have more kernels.

4) For BIOS + GPT users only: You’ll need to create a 1 MB partition of type Reserved BIOS boot area.

5) Create the encrypted partition that will hold the OS and set up the password.

6) You will find the new encrypted partition at the top of the list. Select it, click on the Change button and mount it as /, like in the image.

7) Click on Install Now and proceed with the installation.

8a) If you have Secure Boot enabled, you will be asked to select another password that you’ll need to insert after the reboot. Reboot, select Install MOK, insert the last password, and log in.

8b) If you don’t have Secure Boot enabled, simply reboot.

9) Now you have Linux encrypted.
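To confirm the result after the first boot, the check below is an added example (not part of the original tutorial): it reads `lsblk` output and reports, for every mount point, whether a dm-crypt layer sits beneath it. The function names and the sample device layout are constructed for illustration; walking the parent chain also covers LVM on top of the encrypted partition, which goes beyond the layout used here.

```shell
#!/bin/sh
# Added example: which mount points are backed by an encrypted (dm-crypt) device?

# Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin and prints one
# "<mountpoint> encrypted|PLAIN" line per mounted device, sorted by mount point.
crypt_report() {
    awk -F'"' '
    {
        # With -P every value is quoted, so fields 2,4,6,8 are the values.
        k = $2; parent[k] = $4; type[k] = $6
        if ($8 != "") mount[k] = $8
    }
    END {
        for (k in mount) {
            d = k; state = "PLAIN"
            # Walk from the mounted device up towards the disk (depth-limited).
            for (n = 0; d != "" && n < 16; n++) {
                if (type[d] == "crypt") { state = "encrypted"; break }
                d = parent[d]
            }
            print mount[k], state
        }
    }' | LC_ALL=C sort
}

# Constructed sample, modelled on the layout from the steps above:
# an unencrypted partition for the kernels and an encrypted one mounted as /.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT="/"
EOF
}

if [ "${1:-}" = "--live" ]; then
    # Real system: inspect the devices of the machine you just installed.
    lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | crypt_report
else
    sample_lsblk | crypt_report
fi
```

On the layout from this tutorial, `/` should be reported as encrypted and the kernel partition as PLAIN, since step 3 creates it unencrypted.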

Note: Windows and Linux store the time in different ways, so they conflict; don’t forget to fix that. For Ubuntu and derivatives, click here.

Windows encryption

Note: You can’t expand the Veracrypt volume after its creation, so choose the size of the Windows partition wisely.

1) Open Veracrypt and select the menu item like in the picture.

2) Select the normal type of installation.

3) Select the Windows partition to encrypt.

4) Select the multi-boot option. If it’s not available, you need to follow this guide.

5) Select the algorithm for encryption; if you are unsure, leave the default one.

6) Choose a strong password for the volume.

7) Move the mouse inside the window until the bar is full.

8) Create the file for the rescue disk. You will need it to recover the data in case something breaks; in that case, you’ll need to extract the file to a USB key or CD and boot the PC with it. After the creation, Veracrypt will ask you to prove that you can extract the file to a USB key or CD, unless you tick Skip Rescue Disk verification.

9) Optionally wipe the data if you are worried about the traces left by the unencrypted data.

10) Now Veracrypt needs a reboot to test that everything works. A popup with the emergency instructions will also appear, and I strongly advise printing them.

11) After the successful reboot, open Veracrypt, print the other emergency instructions and click on Encrypt.

The boot entry should be the Linux one (ubuntu in my case); once you’re inside the Grub screen, you can select which OS to boot.

If you cannot select the boot order, you can change it using the command line tool efibootmgr, see Lifewire.

If you have an HP laptop, I suggest you deactivate the Windows entry because you can change the boot order; you can do it by following the instructions at the very bottom of Lifewire.

Note 1: It’s better to avoid Hibernation.

Note 2: Major Windows updates do not break anything.

Note 3: The Windows shutdown for updating will cause a reboot instead. The next boot will continue the update and then shut down automatically.
