---
tags: Tutorials
---

# Secure Dual Boot: Full Disk Encryption on Linux and Windows with Shared Storage

A step-by-step guide to setting up a dual-boot system with full disk encryption and seamless file sharing

## Introduction

Setting up a dual boot system is relatively straightforward, until you decide to take security seriously. Enabling full disk encryption on both operating systems while keeping a shared data partition accessible from both introduces a new level of complexity.

If your machine is ever lost or stolen, it's not just hardware that disappears: it's your personal or professional data. Full disk encryption greatly reduces this risk by making it nearly impossible to read your files without your credentials, even with direct physical access to the drive. Keep its limits in mind: it protects a machine that is powered off, not one that is running or suspended with the volumes unlocked, and a keyfile stored on an unencrypted disk defeats it.

Tools like BitLocker (on Windows) and LUKS (on Linux) provide robust encryption, but combining them in a dual-boot setup is far from plug-and-play. Default installers rarely guide you through such a scenario.

This guide walks you through building a secure, flexible, and privacy-respecting setup:

- **Dual booting** Linux and Windows
- **Fully encrypted** system partitions on both sides
- A **shared data partition** accessible from both operating systems

It's designed for users who care about security but don't want to give up the flexibility of using both environments on a single machine.

## Preparation

Before jumping into system installs and partitioning, take the time to prepare things properly. A bit of planning now will save you hours later.

### Backup everything

If you're working on an existing machine, back up all important data first: files, passwords, recovery keys, etc. We're going to modify partitions and install encryption, which can easily wipe data if anything goes wrong.

### Hardware and firmware requirements

Make sure your machine meets the following criteria:

- **UEFI firmware** (not legacy BIOS): almost all modern machines use UEFI, and this guide assumes it for BitLocker with TPM, Secure Boot and the GRUB chainloading described later.
- **TPM 2.0** (Trusted Platform Module): needed for BitLocker to unlock the system drive without asking for a password on each boot.
- **Enough disk space**: plan around 200–300 GB per OS, plus space for a shared partition.
- **Secure Boot** can be left on or off, depending on your Linux distro. Ubuntu ships signed shim, GRUB and kernel images and boots fine with it enabled; others may require manual tweaks.

### Bootable USB tools

You'll need:

- A USB key with at least 8 GB of space
- A downloaded Linux ISO: in this guide, we'll use Ubuntu 24.04 LTS, but most steps can be adapted to similar distros. Verify the ISO's SHA-256 checksum against the one published on ubuntu.com before writing it to the key.

And a tool to create a bootable USB stick:

- [Rufus](https://rufus.ie/en/) (recommended on Windows)
- Startup Disk Creator (recommended on Ubuntu)

```bash
apt install usb-creator-gtk
```

## Windows Installation (optional)

Installing Windows first is generally recommended: its installer tends to overwrite bootloaders and expects to control the disk. We'll install Linux afterwards and restore dual boot properly.

If your machine came with Windows pre-installed, you can skip the clean install, but you'll **still need to shrink the main partition to make space.**

### Initial setup

Once Windows is installed and running:

- Run all available Windows updates (this avoids driver or TPM issues later).
- Install missing drivers, preferably from the hardware manufacturer's site. [DriverCloud](https://www.driverscloud.com/) can run a detection and install what's missing, but treat any third-party driver downloader as code you are trusting with kernel-level access.

### Enable full-disk encryption (BitLocker)

BitLocker is Windows' native full-disk encryption. You can enable it with or without a TPM:

- If you have TPM 2.0, BitLocker can auto-unlock the drive on boot.
- Without a TPM, you can enable password-based unlock via Group Policy (`Require additional authentication at startup`, then tick `Allow BitLocker without a compatible TPM`).

Once enabled:

- Save the BitLocker recovery key in your password manager (e.g., Bitwarden). You will need it: a TPM-sealed key is bound to measurements of the boot chain, so installing GRUB, changing the firmware boot order or updating the firmware can trigger the recovery prompt. Suspend BitLocker (from the BitLocker control panel or with `manage-bde`) before firmware updates and resume it afterwards.
### Shrink Windows partition

To make space for Linux:

- Open the Disk Management tool (diskmgmt.msc)
- Right-click the main Windows partition (usually C:) and select Shrink Volume
- Leave at least 100 GB unallocated (more if Linux will be your main OS)

💡 Example: On a 4 TB disk, you might allocate 250 GB to Windows and leave the rest for Linux and shared data, especially if Linux will be your main OS but you still need Windows occasionally.

### Create a shared data partition

To create a data partition visible from both Windows and Linux:

- Open Disk Management in Windows
- In the unallocated space, create a new NTFS volume.
- Give it a clear label, like `Storage`, to identify it easily from either OS.
- Use this partition to store documents, projects, media, or configuration files that you want to access from both systems.

💡 Example: On a 4 TB disk, you might allocate around 3.25 TB to the shared data partition and leave the rest for Linux.

⚠️ Avoid using this partition for system files or user profiles: keep it for neutral, cross-platform storage only.

⚠️ BitLocker does not cover this partition. Later in this guide it is turned into a VeraCrypt volume, which reformats it: anything you copy onto it now will be lost, and Windows will need VeraCrypt installed to open it. If you decide to keep it as plain NTFS instead, disable Windows Fast Startup, because hibernation leaves the NTFS volume dirty and Linux will then only mount it read-only.

### Windows Pro tip

Activate Windows Pro (BitLocker Drive Encryption requires the Pro edition or higher; Home only offers the simpler Device Encryption). You can find Windows 11 Pro licenses for less than $1 on some eCommerce sites, like [Cdiscount (France)](https://www.cdiscount.com/informatique/logiciels-a-telecharger/windows-11-pro-en-telechargement/f-1077604-mic0687903321113.html?idOffre=1643341508#mpos=0%7Cmp).

👉 I tested it myself; it's an official license and works like a charm.

## Set up Ubuntu boot key

Before leaving Windows, grab a USB key, download Ubuntu LTS, and install Rufus, a utility to create bootable USB keys.

Start Rufus, select your USB key as the drive and the Ubuntu ISO as the target image.

Once your bootable USB key is ready, go to Windows Settings and search for Advanced startup options (in the same place as Reset your PC).

## Install Ubuntu

From the advanced startup menu, boot on the Ubuntu USB and start the installation.
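Before launching the installer, you can confirm from the live session that the machine matches the requirements listed under Preparation. The script below is an added example, not part of the original guide: it reads the kernel's sysfs interfaces (`/sys/firmware/efi` exists only on an EFI boot, `/sys/class/tpm/tpm0/tpm_version_major` reports the TPM family, and the `SecureBoot` variable under efivarfs carries four attribute bytes followed by a single data byte). The `--check` flag and the optional root-prefix argument are my additions so the same logic can be exercised against a constructed directory tree; `mokutil --sb-state` is the usual one-liner for the Secure Boot part alone.

```shell
#!/bin/sh
# Pre-flight firmware check (added example). Usage: sh preflight.sh --check
# The optional second argument prefixes every sysfs path (testing only).
set -eu

boot_mode() {        # "uefi" when the kernel booted through EFI, else "legacy"
  if [ -d "$1/sys/firmware/efi" ]; then echo uefi; else echo legacy; fi
}

tpm_version() {      # "2.0", "1.2", "unknown" or "none" (no TPM device exposed)
  f="$1/sys/class/tpm/tpm0/tpm_version_major"
  if [ -r "$f" ]; then
    case "$(cat "$f")" in 2) echo 2.0 ;; 1) echo 1.2 ;; *) echo unknown ;; esac
  else
    echo none
  fi
}

secure_boot() {      # "enabled", "disabled" or "unknown" (no variable: legacy boot)
  v=$(ls "$1"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
  [ -n "$v" ] || { echo unknown; return 0; }
  # efivarfs: 4 attribute bytes, then the variable data (one byte here)
  case "$(od -An -tu1 -j4 -N1 "$v" | tr -d ' ')" in
    1) echo enabled ;; 0) echo disabled ;; *) echo unknown ;;
  esac
}

report() {           # prints one line per check; exit status 0 only if UEFI + TPM 2.0
  root=${1:-}
  mode=$(boot_mode "$root"); tpm=$(tpm_version "$root"); sb=$(secure_boot "$root")
  printf 'boot mode:   %s\ntpm:         %s\nsecure boot: %s\n' "$mode" "$tpm" "$sb"
  [ "$mode" = uefi ] && [ "$tpm" = 2.0 ]
}

if [ "${1:-}" = --check ]; then report "${2:-}"; fi
```

A legacy-booted live session reports `legacy` even on a UEFI machine, which usually means the USB key was started through the firmware's CSM entry; pick the entry whose name starts with `UEFI:` instead.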
> Sadly, the encrypted disk option is absent from the advanced partitioning tool, so we'll need to do some extra work to get a fully encrypted setup with flexibility.

Start by creating a full-disk encrypted LVM installation. ⚠️ The installer only offers encryption together with erasing the target disk, so double-check which disk is selected before confirming. Once Ubuntu is installed, follow this procedure to **shrink the encrypted volume** and free space at the end of the disk:

### Shrinking a LUKS + LVM Encrypted Volume (Ubuntu Live)

- Boot from a Live Ubuntu USB (the one you just used to install Ubuntu)
- Install the required tools

```bash
sudo apt update
sudo apt install lvm2 cryptsetup
```

- Get the encrypted partition identifier

```bash
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
```

It should be something like `nvme0n1p3`, of type `part`, the parent of the `crypt` device that holds `/`. In the live session nothing is mounted yet, so identify it by its size, or by the `crypto_LUKS` value in the `FSTYPE` column of `lsblk -o NAME,SIZE,FSTYPE`.

- Unlock the LUKS volume

```bash
sudo modprobe dm-crypt
sudo cryptsetup luksOpen /dev/$ENCRYPTED_PARTITION luks-ubuntu
```

- Activate the LVM volume group

```bash
sudo vgscan --mknodes
sudo vgchange -ay
```

You should see something like:

```
Found volume group "ubuntu-vg"
```

- Check the logical volume path

```bash
ls /dev/mapper
```

It should be something like `ubuntu--vg-ubuntu--lv`

- Shrink the filesystem

```bash
sudo e2fsck -f /dev/mapper/$LOGICAL_VOLUME_PATH
sudo resize2fs /dev/mapper/$LOGICAL_VOLUME_PATH 500G
```

500G is the example size used in this guide; `resize2fs -P` on the volume prints the smallest size it can be shrunk to, and `resize2fs` refuses anything below it.

- Shrink the LVM logical volume

```bash
sudo lvreduce -L 500G /dev/mapper/$LOGICAL_VOLUME_PATH
```

Both tools read `G` as GiB, so the two sizes match exactly, but the margin is zero. The safer habit is to shrink the filesystem slightly *smaller* than the LV target, reduce the LV, then run `resize2fs` again without a size so the filesystem grows back to fill the LV exactly. `lvreduce` asks for confirmation: never answer yes if it reports that the LV would become smaller than the filesystem.

- Check the filesystem again

```bash
sudo e2fsck -f /dev/mapper/$LOGICAL_VOLUME_PATH
```

- Resize the encrypted partition in GParted
  - Launch GParted from the live session
  - Locate the LUKS partition (since it is unlocked, GParted can shrink the container and the LVM physical volume inside it together with the partition)
  - You can now resize it to fit the new reduced LVM size; leave a small margin above the LV size for the PV metadata, and verify with `sudo pvs` afterwards that the physical volume still contains the whole LV

## Subscribe to Ubuntu Pro

- Enable Ubuntu Pro on your system
- Log in on https://login.ubuntu.com
- Go to https://ubuntu.com/pro/dashboard
- Copy the token and attach the machine with `sudo pro attach <token>`

## Set up an auto-mounted VeraCrypt-encrypted partition on Ubuntu

- Restart your PC and log in to your Ubuntu session
- Install VeraCrypt

```bash
sudo add-apt-repository ppa:unit193/encryption -y
sudo apt update
sudo apt install veracrypt
```

A PPA is third-party packaging; VeraCrypt also publishes PGP-signed `.deb` packages on veracrypt.fr if you prefer to verify the upstream signature yourself.

- Use the VeraCrypt GUI to create a volume on the dedicated partition, formatted as `ext4`, or as `ntfs` when it is shared with Windows. Create a keyfile named `.storage.key` in root's home directory, `/root`.
- Restrict the keyfile's permissions to the strict minimum:

```bash
sudo chmod 600 /root/.storage.key
sudo chown root:root /root/.storage.key
```

This keyfile lives on the LUKS-encrypted root filesystem, which is what makes unattended unlocking acceptable: it only becomes readable once you have unlocked the system disk at boot.

- Get the storage partition's identifier

```bash
lsblk -o NAME,UUID
```

A VeraCrypt partition carries no filesystem signature, so its UUID column will be empty. Use the GPT partition UUID instead (`lsblk -o NAME,PARTUUID`) and refer to the device as `/dev/disk/by-partuuid/<PARTUUID>`, which, unlike `/dev/nvme0nXpY`, does not change when the kernel enumerates devices in a different order.

- Install ntfs-3g (optional: only if you use ntfs)

```bash
sudo apt update
sudo apt install ntfs-3g
```

- Configure auto-unlocking

```bash
sudo vim /etc/crypttab
```

Append this line, replacing the device with yours:

`storage /dev/nvme0nxpy /dev/null tcrypt-veracrypt,tcrypt-keyfile=/root/.storage.key`

`/dev/null` in the password field tells systemd-cryptsetup that the keyfile is the only secret.

- Configure auto-mounting

```bash
sudo vim /etc/fstab
```

Append one of these lines:

- `/dev/mapper/storage /home/your-user/Storage ext4 nofail,noatime,rw,auto 0 2` if your file system is `ext4`
- `/dev/mapper/storage /home/your-user/Storage ntfs-3g nofail,noatime,rw,auto,uid=1000,gid=1000 0 0` if your file system is `ntfs` (NTFS has no POSIX ownership, so pass your own `uid`/`gid` as reported by `id`; the fsck pass is `0` because there is no `fsck.ntfs-3g`)

> `noatime` avoids unnecessary write operations, ideal for SSDs.
> `nofail` ensures the boot process continues even if the disk is missing.

- Create the mount point:

```bash
mkdir -p ~/Storage
```

- Check that the config is working properly:

```bash
sudo systemctl daemon-reload
sudo systemctl restart systemd-cryptsetup@storage.service
```

`daemon-reload` regenerates the `systemd-cryptsetup@storage.service` unit from `/etc/crypttab`; once it starts cleanly, `/dev/mapper/storage` exists and `mount ~/Storage` should succeed.

### Back up your keyfile

Store a copy of your keyfile on a **USB drive kept in a secure, offline location**.

⚠️ If you lose this key, **you will permanently lose access to your encrypted data**.
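For the LUKS + LVM shrink procedure above, here is a guarded version of the same steps as an added example (not code from the original guide). It derives the smallest safe size from `resize2fs -P` and `tune2fs -l`, refuses targets below it plus a margin, and shrinks the filesystem one GiB under the LV target before growing it back, so a rounding mistake can never truncate data. It assumes an ext4 root on the `ubuntu-vg`/`ubuntu-lv` layout, run from the live session after `luksOpen` and `vgchange -ay`; the `--run` flag and the 5 GiB margin are my choices.

```shell
#!/bin/sh
# Guarded LUKS+LVM shrink (added example).
# Usage: sh shrink-lv.sh --run /dev/mapper/ubuntu--vg-ubuntu--lv 500
set -eu

min_blocks_from_report() { # stdin: output of `resize2fs -P <lv>`
  sed -n 's/^Estimated minimum size of the filesystem: \([0-9][0-9]*\).*/\1/p'
}

block_size_from_report() { # stdin: output of `tune2fs -l <lv>`
  sed -n 's/^Block size:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

min_gib() { # args: min_blocks block_size margin_gib -> smallest acceptable target (GiB)
  bytes=$(( $1 * $2 ))
  gib=$(( (bytes + 1073741823) / 1073741824 ))   # round up to a whole GiB
  echo $(( gib + $3 ))
}

check_target() { # args: target_gib min_gib -> "ok" or "too-small"
  if [ "$1" -ge "$2" ]; then echo ok; else echo too-small; fi
}

shrink_lv() { # args: /dev/mapper/<vg>-<lv> target_gib
  lv=$1; target=$2
  sudo e2fsck -f "$lv"
  need=$(min_gib "$(sudo resize2fs -P "$lv" 2>&1 | min_blocks_from_report)" \
                 "$(sudo tune2fs -l "$lv" | block_size_from_report)" 5)
  if [ "$(check_target "$target" "$need")" != ok ]; then
    echo "refusing: ${target}G is below the minimum of ${need}G" >&2
    return 1
  fi
  sudo resize2fs "$lv" "$(( target - 1 ))G"   # filesystem 1 GiB under the LV target
  sudo lvreduce -y -L "${target}G" "$lv"       # LV is now strictly larger than the fs
  sudo resize2fs "$lv"                         # grow the fs to fill the LV exactly
  sudo e2fsck -f "$lv"
  sudo lvs --units g "$lv"                     # confirm the new LV size
}

if [ "${1:-}" = --run ]; then shrink_lv "$2" "$3"; fi
```

The 1 GiB gap between the two resizes is what removes the risk in the bare `resize2fs 500G; lvreduce -L 500G` sequence: if the LV ever ends up smaller than the filesystem, the tail of the filesystem is simply gone.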
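The crypttab and fstab steps above, put together as one added example (not code from the original guide). It addresses the partition by its GPT PARTUUID rather than a `/dev/nvme…` path, fills in `uid`/`gid` for the NTFS case from `id`, and ends by unlocking and mounting the volume so a typo is caught now rather than at the next boot. It assumes the mapper name `storage`, the keyfile `/root/.storage.key` and the `~/Storage` mount point used above; the `--install` flag is mine.

```shell
#!/bin/sh
# VeraCrypt auto-unlock + auto-mount configuration (added example).
# Usage: sh storage-config.sh --install /dev/nvme0n1p5 ext4 your-user
set -eu

crypttab_line() { # args: partuuid keyfile
  printf 'storage /dev/disk/by-partuuid/%s /dev/null tcrypt-veracrypt,tcrypt-keyfile=%s\n' "$1" "$2"
}

fstab_line() { # args: ext4|ntfs mountpoint uid gid
  case "$1" in
    ext4) printf '/dev/mapper/storage %s ext4 nofail,noatime,rw,auto 0 2\n' "$2" ;;
    ntfs) printf '/dev/mapper/storage %s ntfs-3g nofail,noatime,rw,auto,uid=%s,gid=%s,umask=022 0 0\n' "$2" "$3" "$4" ;;
    *)    echo "unsupported filesystem: $1" >&2; return 1 ;;
  esac
}

install_config() { # args: /dev/nvme0n1pN ext4|ntfs username
  part=$1; fstype=$2; user=$3
  partuuid=$(lsblk -no PARTUUID "$part")            # GPT entry, stable across reboots
  home=$(getent passwd "$user" | cut -d: -f6)
  [ -n "$partuuid" ] && [ -n "$home" ] || { echo "cannot resolve $part or $user" >&2; return 1; }
  mkdir -p "$home/Storage"
  crypttab_line "$partuuid" /root/.storage.key | sudo tee -a /etc/crypttab >/dev/null
  fstab_line "$fstype" "$home/Storage" "$(id -u "$user")" "$(id -g "$user")" \
    | sudo tee -a /etc/fstab >/dev/null
  sudo systemctl daemon-reload                             # generate the cryptsetup unit
  sudo systemctl start systemd-cryptsetup@storage.service  # unlock with the keyfile
  sudo mount "$home/Storage"                               # mount through the new fstab entry
  findmnt --target "$home/Storage"                         # show what ended up mounted
}

if [ "${1:-}" = --install ]; then install_config "$2" "$3" "$4"; fi
```

`umask=022` on the NTFS line keeps files world-readable but writable only by your user, which matches what `chown` would give you on ext4.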
Encrypt the backup copy with a passphrase using GPG, so that losing the USB drive does not hand out the keyfile:

```bash
sudo gpg --symmetric --cipher-algo AES256 /root/.storage.key
sudo mv /root/.storage.key.gpg YOUR_BACKUP_DEVICE/.storage.key.gpg
```

To restore the keyfile later:

```bash
gpg --output ./test.key --decrypt YOUR_BACKUP_DEVICE/.storage.key.gpg
```

## Move Home Folders to `~/Storage`

- Set ownership (ext4 only: on an NTFS volume ownership comes from the `uid`/`gid` mount options instead)

```bash
sudo chown -R marc-gavanier:marc-gavanier ~/Storage
```

- Create the new folder structure

```bash
mkdir -p ~/Storage/{Books,Desktop,Documents,Downloads,Games/Steam,Learning,Music,Pictures,Public,Templates,Videos,Workspace}
```

- Remove the default folders from your home. On a fresh install they are empty; if they are not, move their contents into the matching `~/Storage` folder first, because this deletes them:

```bash
rm -rf ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Public ~/Templates ~/Videos
```

- Create symlinks pointing back to `~/Storage`

```bash
ln -s ~/Storage/Books ~/Books
ln -s ~/Storage/Desktop ~/Desktop
ln -s ~/Storage/Documents ~/Documents
ln -s ~/Storage/Downloads ~/Downloads
ln -s ~/Storage/Games ~/Games
ln -s ~/Storage/Learning ~/Learning
ln -s ~/Storage/Music ~/Music
ln -s ~/Storage/Pictures ~/Pictures
ln -s ~/Storage/Public ~/Public
ln -s ~/Storage/Templates ~/Templates
ln -s ~/Storage/Videos ~/Videos
ln -s ~/Storage/Workspace ~/Workspace
```

GNOME's well-known folders are listed in `~/.config/user-dirs.dirs`; the symlinks keep those entries valid, so that file needs no change.

## Extras

- Wallpaper
- `sudo apt update && sudo apt upgrade`
- `sudo apt install ubuntu-restricted-extras`
- `gsettings set org.gnome.shell.extensions.dash-to-dock click-action 'minimize'`
- `sudo ufw default deny incoming`
- `sudo ufw default allow outgoing`
- `sudo ufw enable`
- `sudo ufw status verbose`
- `sudo apt install gnome-shell-extension-manager`
- `sudo apt install synaptic`

## Useful Commands

#### List all system properties

`sudo inxi --admin --verbosity=7 --filter --no-host --width`

#### List all explicitly installed packages (pacman, Arch Linux only)

`sudo pacman -Qqe`

#### Boot from USB when GRUB does not load properly

At the GRUB command line:

```bash
ls
# Replace X and Y with the values shown by ls. The key is GPT-partitioned when
# written for UEFI, hence gptY; use msdosY if ls shows an MBR-partitioned stick.
set root=(hdX,gptY)
chainloader /efi/boot/grubx64.efi
boot
```

## Software

Do not install snaps from the Ubuntu App Center, because they do not follow the GNOME theme. Instead, always prefer the install instructions from the editor's website.

### Firefox

https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions

### Bitwarden

> Do not install the app, only use the extension in Firefox

### PAM U2F

```bash
sudo apt update
sudo apt install libpam-u2f
```

#### Set up config file

```bash
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys   # touch the YubiKey when it blinks
```

#### Activate YubiKey for `sudo` commands

```bash
sudo nano /etc/pam.d/sudo
```

Add `auth required pam_u2f.so` at the beginning.

#### Activate YubiKey on user login

```bash
sudo nano /etc/pam.d/gdm-password
```

Add `auth required pam_u2f.so` *before* `@include common-auth`.

⚠️ `required` means that if `~/.config/Yubico/u2f_keys` is missing or unreadable, or the key is not plugged in, `sudo` and the graphical login fail for that user. Keep a root shell open in a second terminal while you edit, test `sudo -k && sudo true` from a fresh terminal, and only then close it. Register a second YubiKey in the same file (`pamu2fcfg -n >> ~/.config/Yubico/u2f_keys` with the spare key plugged in) so losing one key does not lock you out.

### CURL

```bash
sudo apt update
sudo apt install curl
```

### Vim

```bash
sudo apt update
sudo apt install vim
```

### Color picker

```bash
sudo apt update
sudo apt install gcolor3
```

### Brave

https://brave.com/linux/#release-channel-installation

### Thunderbird

```bash
sudo add-apt-repository ppa:mozillateam/ppa
sudo nano /etc/apt/preferences.d/mozillateamppa
```

Paste:

```
Package: thunderbird*
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

Package: thunderbird*
Pin: release o=Ubuntu
Pin-Priority: -1
```

```bash
sudo apt update
sudo apt install thunderbird
```

### Signal

https://signal.org/download/#

### Mattermost

https://docs.mattermost.com/deploy/desktop/linux-desktop-install.html

### ExpressVPN

https://www.expressvpn.com/latest#linux

### Discord

https://discord.com/download

```bash
sudo apt update
sudo apt install ~/Downloads/discord*.deb
```

### LibreOffice

```bash
sudo apt update
sudo apt install libreoffice
```

### Document Scanner

```bash
sudo apt update
sudo apt install simple-scan
```

### Zed

https://zed.dev/docs/getting-started#linux

### VS Codium

https://vscodium.com/ (follow "Install on Debian / Ubuntu (deb package)" to add the repository, then:)

```bash
sudo apt update
sudo apt install codium
```

### VLC

```bash
sudo apt update
sudo apt install vlc
```

### Inkscape

```bash
sudo apt update
sudo apt install inkscape
```

### The Gimp

```bash
sudo apt update
sudo apt install gimp
```

### Blender

```bash
sudo apt update
sudo apt install blender
```

### Postgres tools

```bash
sudo apt update
sudo apt install postgresql-client
```

### Audacity

```bash
sudo apt update
sudo apt install audacity
```

### Kdenlive

```bash
sudo apt update
sudo apt install kdenlive
```

### Transmission

```bash
sudo apt update
sudo apt install transmission
```

### Calibre

```bash
sudo apt update
sudo apt install calibre
```

### .NET SDK

```bash
wget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y dotnet-sdk-9.0
sudo apt-get install -y aspnetcore-runtime-9.0 dotnet-runtime-9.0
```

The Debian 12 feed works on Ubuntu, but Microsoft also publishes a matching feed per Ubuntu release under `https://packages.microsoft.com/config/ubuntu/24.04/`. The SDK package already pulls in both runtimes as dependencies, so the last line only matters on a machine without the SDK.

### Godot

https://godotengine.org/download/linux/

Select Godot Engine – .NET

### Steam

https://store.steampowered.com/about/

```bash
sudo apt update
sudo apt install ~/Downloads/steam_latest.deb
```

### Timeshift

Back up the file system (twice a month)

```bash
sudo apt update
sudo apt install timeshift
```

### Git

```bash
sudo apt update
sudo apt install git-all
```

### fnm

```bash
curl -fsSL https://fnm.vercel.app/install | bash
fnm install --lts
```

This pipes a remote script straight into `bash`; download it first and read it if you want to know what it does to your shell profile.

### Unity Hub (deprecated)

#### Install the AppImage

```bash
sudo apt-get install ffmpeg
mkdir -p ~/.local/bin && cd ~/.local/bin
wget https://public-cdn.cloud.unity3d.com/hub/prod/UnityHub.AppImage
chmod +x UnityHub.AppImage
./UnityHub.AppImage
```

#### Set the icon and desktop entry

```bash
mkdir -p ~/.local/share/icons && cd ~/.local/share/icons
wget https://unity.com/themes/contrib/unity_base/images/favicons/safari-pinned-tab.svg -O unity-logo.svg
mkdir -p ~/.local/share/applications && cd ~/.local/share/applications
cat > unity-hub.desktop <<EOF
[Desktop Entry]
Name=Unity Hub
Icon=/home/${USER}/.local/share/icons/unity-logo.svg
StartupWMClass=unityhub
Comment=Manage multiple installations of the Unity Editor, create new projects, and access your work.
Exec="/home/${USER}/.local/bin/UnityHub.AppImage" %u
Version=2.4.6
Type=Application
Categories=Development;IDE;
Terminal=false
StartupNotify=true
EOF
```

### JetBrains Toolbox

```bash
wget -cO jetbrains-toolbox.tar.gz "https://data.services.jetbrains.com/products/download?platform=linux&code=TBA"
tar -xzf jetbrains-toolbox.tar.gz
DIR=$(find . -maxdepth 1 -type d -name 'jetbrains-toolbox-*' -print | head -n1)
# First launch installs Toolbox under ~/.local/share/JetBrains; the binary sits
# at the top of the extracted directory (newer releases place it under bin/)
"$DIR"/jetbrains-toolbox
rm -r "$DIR" jetbrains-toolbox.tar.gz
```

### P4merge

```bash
sudo apt-get install --reinstall libxcb-xinerama0
```

```bash
cd ~/Downloads
# Replace X, Y and Z with the latest version from:
# https://www.perforce.com/downloads/visual-merge-tool
wget https://cdist2.perforce.com/perforce/rX.Y/bin.linuxZx86_64/p4v.tgz
tar zxvf p4v.tgz
```

```bash
sudo mkdir /opt/p4v
# Replace X, Y and Z with the version in the extracted directory name:
cd p4v-X.Y.Z
sudo mv * /opt/p4v
sudo ln -s /opt/p4v/bin/p4merge /usr/local/bin/p4merge
```

### Bruno API Client

```bash
sudo apt update
sudo apt install dirmngr curl wget gnupg -y
sudo mkdir -p /etc/apt/keyrings
sudo wget -qO- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x56333D3B745C1FEC" | sudo gpg --dearmor -o /etc/apt/keyrings/bruno.gpg
echo "deb [signed-by=/etc/apt/keyrings/bruno.gpg] http://debian.usebruno.com/ bruno stable" | sudo tee /etc/apt/sources.list.d/bruno.list
sudo apt update
sudo apt install bruno
```

### ZSH

```bash
sudo apt install zsh
chsh -s "$(which zsh)"
sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
sudo apt-get install fonts-powerline
```

### Docker

```bash
# Remove any distro-packaged Docker first
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get update
sudo apt-get install ca-certificates curl
# Keep Docker's signing key in its own keyring and bind it to this repository
# with signed-by, instead of the deprecated apt-key which trusts it everywhere
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo docker run hello-world   # run the hello-world container to test
```

### Gnome tweaks

```bash
sudo apt update
sudo apt install gnome-tweaks
```

### Gnome shell extensions manager

- `sudo apt install gnome-shell-extensions gnome-shell-extension-manager`
- Open `extension-manager`
- Search and install
  - Dash to Panel
    - Enter settings
    - Switch to the `About` tab
    - Import the config file from: https://gist.github.com/marc-gavanier/36c7d5a42667c0de30fda27c523d8107
  - Date Menu formatter
    - Enter settings
    - Set Pattern to `HH:mm\ny-MM-dd`
    - Use your custom locale, e.g. `fr-FR`

### Cursor style

- Go to https://www.gnome-look.org
- Search `Vimix` or `Breeze` cursors
- Make it available to all users:

```bash
sudo cp -pr $CURSOR_FOLDER_NAME /usr/share/icons/$CURSOR_FOLDER_NAME
```

- Use GNOME Tweaks to set the cursor theme via the Appearance menu

### Accounts connected with YubiKey

| Account | Key | Done |
|---|---|---|
| AWS | main | X |
| Bitwarden | main | X |
| Coinbase | main | X |
| Discord | main | X |
| GitHub | main | X |
| GitLab | main | X |
| Google | main | X |
| ProtonMail | main | X |
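For the PAM U2F setup above, here is an idempotent, lockout-aware way to make the two `/etc/pam.d` edits, as an added example (not code from the original guide). A `required` line with a missing or empty `u2f_keys` file locks every `sudo` and login for that user, so the script refuses to proceed unless the key mapping exists, inserts the line once, and places it before `@include common-auth` when that include is present (Ubuntu's `sudo` and `gdm-password` files both have it) or at the top otherwise. It assumes the `~/.config/Yubico/u2f_keys` path used above; the `--enable` flag is mine. Run it with `sudo`, and keep a root shell open elsewhere until a fresh `sudo true` works.

```shell
#!/bin/sh
# pam_u2f roll-out (added example). Usage: sudo sh pam-u2f.sh --enable your-user
set -eu

PAM_LINE='auth required pam_u2f.so'

keys_ready() { # arg: path to u2f_keys -> "ok" when the file exists and is non-empty
  if [ -s "$1" ]; then echo ok; else echo missing; fi
}

add_pam_u2f() { # arg: pam file -> inserts PAM_LINE once, in place
  f=$1
  if grep -q 'pam_u2f.so' "$f"; then
    echo "already enabled: $f"; return 0
  fi
  tmp=$(mktemp)
  if grep -q '^@include common-auth' "$f"; then
    # second factor ahead of the password modules pulled in by common-auth
    awk -v line="$PAM_LINE" '/^@include common-auth/ && !done {print line; done=1} {print}' "$f" >"$tmp"
  else
    { echo "$PAM_LINE"; cat "$f"; } >"$tmp"
  fi
  cat "$tmp" >"$f"; rm -f "$tmp"   # rewrite contents, keeping the file's owner and mode
  echo "enabled: $f"
}

enable_all() { # arg: desktop user whose registered key will be required
  keys=$(getent passwd "$1" | cut -d: -f6)/.config/Yubico/u2f_keys
  if [ "$(keys_ready "$keys")" != ok ]; then
    echo "register a key first: pamu2fcfg > $keys" >&2; return 1
  fi
  add_pam_u2f /etc/pam.d/sudo
  add_pam_u2f /etc/pam.d/gdm-password
  echo "open a NEW terminal and run 'sudo -k && sudo true' before closing this one"
}

if [ "${1:-}" = --enable ]; then enable_all "$2"; fi
```

Rewriting the file with `cat >"$f"` rather than `mv`ing the temp file over it matters here: a PAM file with wrong ownership or mode is itself a way to break authentication.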