This site is no longer being maintained so anything below could still be accurate, or very outdated.

Step 1 - Noise Fill

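Overwrite the target partition with random data before encrypting it. Choose OpenSSL or urandom; you only need one of the two commands below. Run the OpenSSL one from a root shell, since the redirect to the device is opened by your shell.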

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy

sudo dd if=/dev/urandom of=/dev/sdxy bs=4096

Step 2 - Basic Partitioning

Open GParted from the menu or Dash and create your partitions. For legacy BIOS, a boot area of 300MB is sufficient to hold 3 kernels; 300MB is also what is usually recommended for the EFI space.

Step 3 - Cryptsetup

cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy

cryptsetup luksOpen /dev/sda2 root

cryptsetup luksOpen /dev/sda3 swap

cryptsetup luksOpen /dev/sda4 home

mkfs.ext4 /dev/mapper/root

mkfs.ext4 /dev/mapper/home

mkswap /dev/mapper/swap

Step 4 - Installation

Begin installation. At the Installation Type menu, choose Something else, then Continue.

Assuming the boot or EFI partition is /dev/sda1, select it. Click Change, choose ext4 (or FAT32 for EFI), assign it the mount point of /boot, click OK. Don't format the partition.

Select /dev/mapper/root, click Change. Select ext4 and set mount point to /.

Do the same for /dev/mapper/home, mounting at /home, and selecting swap area for /dev/mapper/swap. Don't format any of these.

"Device for boot loader installation" should be /dev/sda.

When finished, choose Install Now. When warned about root not being marked for formatting, choose Continue.

Step 5 - Continue Live Session

When given the choice to reboot or continue testing, choose Continue Testing.

Step 6 - chroot

sudo -i

cd /mnt

mkdir root

mount /dev/mapper/root root

mount /dev/sda1 root/boot

chroot root

mount -t proc proc /proc

mount -t sysfs sys /sys

Step 7 - crypttab

Still in chroot.

nano /etc/crypttab

Open a second terminal and:

sudo blkid

Find the UUIDs for root, home and swap on the lines which say TYPE="crypto_LUKS". The one you want for swap will NOT be the one which just says swap. Paste the UUIDs into crypttab in the chrooted terminal.
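
What the finished crypttab entries can look like, as an added example that is not from the original page: the function below builds one line per LUKS partition from blkid output and refuses a device that is not a LUKS container. The sample blkid text and its UUIDs are constructed, and the `none luks` fields (ask for the passphrase at boot) are an assumption, since the page does not say what goes after the UUID.

```shell
#!/bin/sh
# Constructed sample of `sudo blkid` output; every UUID here is made up.
sample_blkid() {
cat <<'EOF'
/dev/sda1: UUID="1111-AAAA" TYPE="vfat"
/dev/sda2: UUID="aaaaaaaa-0000-4000-8000-000000000002" TYPE="crypto_LUKS"
/dev/sda3: UUID="aaaaaaaa-0000-4000-8000-000000000003" TYPE="crypto_LUKS"
/dev/sda4: UUID="aaaaaaaa-0000-4000-8000-000000000004" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="bbbbbbbb-0000-4000-8000-000000000002" TYPE="ext4"
/dev/mapper/swap: UUID="bbbbbbbb-0000-4000-8000-000000000003" TYPE="swap"
/dev/mapper/home: UUID="bbbbbbbb-0000-4000-8000-000000000004" TYPE="ext4"
EOF
}

# crypttab_lines DEVICE=NAME ...
# Reads blkid output on stdin and prints one crypttab entry per mapping.
# Returns 1 if a device is missing or is not TYPE="crypto_LUKS", which
# catches the mistake of using the UUID of the opened /dev/mapper/swap.
crypttab_lines() {
    blkid_out=$(cat)
    for pair in "$@"; do
        dev=${pair%%=*}     # e.g. /dev/sda3
        name=${pair#*=}     # e.g. swap (the name given to luksOpen)
        uuid=$(printf '%s\n' "$blkid_out" | awk -v d="$dev:" '
            $1 == d && /TYPE="crypto_LUKS"/ {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^UUID="/) { gsub(/^UUID="|"$/, "", $i); print $i }
            }')
        if [ -z "$uuid" ]; then
            echo "error: $dev is not a crypto_LUKS device" >&2
            return 1
        fi
        # Fields: <mapper name> <source device> <key file> <options>
        # "none luks" is assumed here: prompt for the passphrase at boot.
        printf '%s UUID=%s none luks\n' "$name" "$uuid"
    done
}

# Demo on the constructed sample; on a real system pipe `blkid` in instead.
sample_blkid | crypttab_lines /dev/sda2=root /dev/sda3=swap /dev/sda4=home
```

The names on the left must match the ones used with luksOpen in Step 3, because Step 8 points RESUME at /dev/mapper/swap.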

Step 8 - Fix Hibernate

Still in chroot.

echo 'RESUME=/dev/mapper/swap' > /etc/initramfs-tools/conf.d/resume

Update initramfs and exit chroot.

update-initramfs -u


Step 9 - LUKS Header Backup

Dump the header files to root's home folder. Then exit root terminal.

cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/partition_name.img


Once booted, you can view the header with:

sudo cryptsetup luksDump /dev/sdxy