Support my work ♥

Debian 12 with KDE or Kubuntu 22.04 LTS Full Disk Encryption with LUKS2 and Windows 11 Dual-Boot

I assume you already have a USB drive with the regular Debian 12 or Kubuntu image flashed directly on it. Having it as a file on the drive will most probably not work unless you have a special setup on that stick.

If not, you can do this step from the existing Windows 11 installation with a tool like Rufus.

Shrink the Windows C:\ drive

On my machine the internal drive is 1TB in size. Windows is known for its hunger for space, so I reduced it to 220GB.

In the start menu type "Computer Management" and launch as Administrator. Then under the "Disk Management" find the C drive and shrink it so that it remains roughly 220GB (or more depending on your needs) in size and hit apply.

Doing this on an alreay used drive takes more time than on a fresh one so grab a tea.

Install the latest firmware

Especially the BIOS, TouchPad, Chipset and the WiFi/WLan adapter firmware updates contain critical fixes. Some are security relevant, others just prevent crashes.

Some (Samsung) SSDs need firmware updates too so they don't burn out, best to install all the updates.

Prepare the BIOS/UEFI

First we must enable the "3rd party CA" or "partner keys" in the UEFI so we can boot from the USB stick that holds the normal image.

Alternatively, one could also either add the Linux Boot Keys specifically or simply disable Secure Boot.

Video Memory

With integrated AMD or Intel graphics the BIOS usually has an option for the initial VRAM split. On my AMD system increasing the default value from 128MB to 2GB makes animations smooth and allows me to play games.

My Intel machine has a maximum of 256MB, the animations are smooth too so I assume they make that adjustment in the driver at runtime.

Boot in "Try Kubuntu" mode

This allows us to execute any program like the shell that we need.

Start the setup and set your favorite keyboard layout and timezone. Connect to cable ethernet or WiFi to fetch updates automatically during the installation later and lookup things like this guide.

When the setup asks you to reformat the whole disk, go to the next step.


From the start menu, open partitionmanager and add a 2GB partition formatted with ext2.

Then add a second partition that uses all the space and format it with lvm2 pv and check the enable encryption checkbox, call it crypto-root or something not too generic.

Enter your disk encryption password here.

Important: if you forget that password all your data is lost forever.

Important 2: if you share said password all your data is potentially compromised.

If everything looks good hit apply and take a sip of tea.

Open the encrypted container if it is not open already.

Encrypted partitions / logical volumes

First, open a Terminal and type sudo -i (and press Enter to execute) to become root. Now you don't have any restrictions and can do a lot of good as well as destroy your whole machine. ⚖️

First we need to add a volume group consisting of the space we just allocated that we name crypto-vg or something:

vgcreate crypto-vg /dev/mapper/crypto-root

Use the vgs command or vgdisplay to confirm the size.

Logical partitions

Now it is time to add a SWAP partition. This one should be at least the size of your RAM for suspand-to-disk aka. hybernation up to double that. I choose double the memory because I might upgrade my RAM in a year or two and I don't want to repartition then:

lvcreate --size 64GB crypto-vg

Finally we create the logical partition that will hold our OS and data:

lvcreate --extends 100%FREE crypto-vg

Note that we did not format any partition yet, the installer will do that for us.

Installing the operating system

Back in the installer we choose "custom partitioning" and click next.

In the next dialogue we should find all the physical and logical partitions:

  • Ignore the Windows or Bitlocker as well as the EFI and Recovery partitions
  • Pick the 2GB ext2 partition and use it as /boot
  • Select the 64GB partition with the long name as SWAP with the SWAP filesystem
  • Select the huge partition with the long name as / with the btrfs filesystem

Let the installer reformat the 2GB /boot partition if it asks.

Now continue with the normal setup.

When it starts to install software or updates change back to the terminal and continue while it runs in the background.

Configuring the unlock screen

Without this screen the system will boot half and then be stuck. It is absolutely possible to contine the boot by manually unlocking the partition, but is clumbsy and we would have to type the cryptsetup command everytime.

Instead we are storing the UUID of our container in a special file: /target/etc/crypttab. This file has the following format:

label UUID=... none luks,discard

Now we need the actual UUID to replace the ... that we can get from this command:

blkid | grep LUKS

Copy the parts between UUID=" and " withouth the " and we are done. In the end the line you add should look like this, where none means that the boot loader should ask for your password:

kryptoWurzel  UUID=abcdef01-2345-6789-abcd-ef0123456789 none discard,luks

discard is for SSDs and luks because we use a LUKSv2 container.

Updating the initramfs aka. boot system

Sadly, the installer is not considering our shiny new crypttab file and we have to a final touch.

First we have to verify that the /proc filesystem is still mounted in the /target/proc. If not, bind mount it like this:

mount --bind /proc /target/proc

When the installer is on the last page, go back to the terminal and type this:

chroot /target /bin/bash

You are now inside the new installation and everything should be mounted correctly already. Now we can regenerate the initramfs with this command:

update-initramfs -c -k all

Once that is through type exit + Enter to close each layer in the terminal.

Now we tell the installer to reboot the system.

After the BIOS splash screen we should be greeted by GRUB that allows us to choose between Kubuntu Linux and Windows 11.

And finally the unlock screen for the full disk encryption (FDE) is the confirmation that everything worked. After entering your personal password the system behaves normally and everything works just like always but is more secure than without the encryption.

Congratulations and enjoy your tea.