Dual Boot elementary OS and Windows with Full Disk Encryption
Howto dual boot Windows alongside elementary OS with full disk encryption enabled for both operating systems.
Last updated
Was this helpful?
Howto dual boot Windows alongside elementary OS with full disk encryption enabled for both operating systems.
Last updated
Was this helpful?
BE AWARE: For this approach to work, we need an *un-*encrypted boot partition. This still allows for some attacks to work such as the . But the primarily goal here is to protect your data against physical theft - not a coup executed by a 3-letter-organisation.
MAKE BACKUPS: When following this guide you will loose everything which is currently stored on your hard drive. So make sure you have backups of the data you want to keep!
We will need to boot into Windows and elementary OS multiple times during this setup. Therefore it is recommended to create a dedicated installation media for each operating system.
Download the elementary OS *.iso from https://elementary.io
The following applies if you are already on elementary OS. If not, please search for a corresponding guide for your current operating system:
Download the Windows 10 *.iso from https://www.microsoft.com/software-download/windows10
Download the latest WoeUSB release (woeusb-x.y.z.bash) from https://github.com/WoeUSB/WoeUSB/releases
Make sure woeusb-*.bash and Win10_*.iso are stored in ~/Downloads
Make WoeUSB executable: chmod +x ~/Downloads/woeusb-*.bash
Plugin the USB stick you want to overwrite
Figure out the device name of the USB stick by executing sudo fdisk -l from Terminal (in my case its /dev/sda)
Create the Windows 10 USB stick: sudo ~/Downloads/woeusb-*.bash --device ~/Downloads/Win10_*.iso /dev/sdX
Done.
While this step is optional, it is highly recommended to wipe the entire hard drive before starting the setup. This ensures your complete hard drive is filled with random data, which makes it much harder to decrypt your data once you're done setting everything up. It also makes sure, you don't have any remainings of a (potential) previous install on your hard disk.
To do so, we boot elementary OS in Demo Mode:
Boot from elementary OS USB stick
After the installer starts:
Select your language
Select your keyboard layout
On the "Try or Install" step, choose "Try Demo Mode" and confirm
Once elementary OS is booted, start "GParted" from the Applications Menu.
In GParted:
Delete all available partitions
Create a new partition which occupies the entire hard disk (just use the default file system) 6 . Click "Apply All Operations". You should end up with one partition
In my case the partition device is named /dev/nvme0n1p1.
Since we are going to create encrypted LUKS containers, we need to boot elementary OS in Demo Mode to do the partitioning:
Boot from elementary OS USB stick
After the installer starts:
Select your language
Select your keyboard layout
On the "Try or Install" step, choose "Try Demo Mode" and confirm
IMPORTANT: There's currently no easy way to make grub work with an encrypted partition. Therefore make sure /boot and /boot/EFI are their own partitions and are not encrypted.
Once elementary OS is booted, start "GParted" from the Applications Menu. Then in GParted:
Delete all already existing partitions and click Apply All Operations
Create a new GPT partition table (required for EFI):
Device > Create Partition Table
Select new partition table type: gpt
Click Apply
Create the following partitions:
550 MiB FAT32 (for /boot/EFI)
1 GiB EXT4 (for /boot)
300 GiB NTFS (for Windows)
Leave any remaining space unallocated
Windows will add another 16 MiB partition upon its installation, therefore we create the partition for elementary OS later on
Click Apply All Operations
Mark FAT32 partition as EFI:
Right click on the FAT32 partition
In the context menu, click Manage Flags
In the new window, enable esp (this also enables boot)
Click Close
Now we are ready to install Windows!
Boot from the Windows USB stick
Install Windows to the partition you created in step 2.2.3
Complete the initial setup of Windows 10
Next, we are going to enable Windows Device Encryption (BitLocker):
Once Windows is started, open Manage BitLocker from the start menu
Click Turn BitLocker on to enable encryption for your Operating system drive
Perform the following steps to enable encryption in the BitLocker assistant:
Preparing your drive for BitLocker: Click Next
BitLocker Drive Encryption Setup: Click Next
How do you want to back up your recovery key?
Click Print the recovery key
Save the recovery key as PDF to your desktop
Click Next
Activate BitLocker: Click Activate BitLocker
At this point, you could install additional drivers etc. But I recommend to setup elementary OS first, because if something goes wrong you'll need to start all over again.
Since we are going to create encrypted LUKS containers, we need to boot elementary OS in Demo Mode:
Boot from elementary OS USB stick
After the installer starts:
Select your language
Select your keyboard layout
On the "Try or Install" step, choose "Try Demo Mode" and confirm
Next, we are going to create the encrypted LUKS partition where we are going to install elementary OS into in GParted:
Start "GParted" from the Applications Menu in elementary OS
Create a single partition with all of the remaining unallocated space - this will become the encrypted LUKS container containing all data of elementary OS
the file system doesn't matter yet, just use the default one
Click "Apply All Operations" and you'll end up with a new partition
In my case the partition device is named /dev/nvme0n1p6.
Start "Install elementary OS" from the Applications Menu in elementary OS Demo Mode
Confirm Logout
Select your language
Select your keyoard layout
Select Custom Install (Advanced)
To make things bootable, we need to assign the /boot/uefi and /boot mount points. Those will be stored in the first two partitions we created in 2.1.3 on the non-encrypted, physical hard drive:
Click on the 550 MiB fat32 partition on the non-encrypted, physical hard drive:
Enable Use Partition
!! DON'T Format !!
Use as: Boot (/boot/efi)
Filesystem: fat32
Click on the 1 GiB ext4 partition on the non-encrypted, physical hard drive:
Enable Use Partition
Enable Format
Use as: Custom
Custom: /boot
Filesystem: Default (ext4)
Now we unlock the encrypted partition to install elementary OS into it:
Click on the encrypted LUKS partition:
Password: Enter the previously chosen LUKS password
Device name: elementary
You should now see a second device in the installer which resembles the previously created LUKS container with its LVM volume(s).
Click on the LVM volume:
Enable Use Partition
Use as: Root (/)
Filesystem: Default (ext4)
!! Double Check Everything - any mistakes at this step and you have to start all over !!
Once you are sure everything is correct, click Erase and install
After the installation is complete, your computer is restarted. At this point the bootloader (GRUB) should now allow you to choose whether you want to boot elementary OS or Windows:
Select Elementary
A password prompt should appear, which asks you to Please unlock disk elementary
Enter the previously chosen LUKS password
Complete the Initial Setup of elementary OS
At this point you want to test if your Windows 10 is still working. It will probably prompt you to enter the recovery key because the elementary OS installation changed the boot partition. If so, simply enter the recovery key and Windows boots just fine.
Congratulations! You successfuly setup dual boot between elementary OS and Windows along with full disk encryption!
Follow the instructions in the elementary OS to create the Install Drive
Install WoeUSB dependencies for Ubuntu,
At this point we need to fall back to the Terminal, because GParted is . Open the Terminal and run the following commands:
PLEASE NOTE: Windows did not recognize my hard disk during install on a Dell XPS 9310. The solution was to change the BIOS setting Storage Type from RAID to AHCI/NVMe (see for more information about this setting).
IMPORTANT: Backup the recovery key PDF somewhere save outside your encrypted Windows partition! Because due to BitLocker using TPM to unlock your drive, certain things such as a BIOS upgrade, can cause the TPM to not release the unlock-key and force you to provide the recovery key (see ).
At this point we need to fall back to the Terminal, because GParted is . Open the Terminal and run the following commands:
If you like my work, . It would mean the world to me!
Credits go to and for their work on this fabulous step by step guide:
