5

I want to setup a dual-boot of Ubuntu with Windows 11. Currently I am using Microsoft account and BitLocker is ON. Do I have to do anything to be able to successfully setup the dual-boot? Or it is straightforward and I just proceed with the Ubuntu installation?

3 Answers

12

I just had the same problem with my work Laptop and I successfully set up a dual boot with both OSes being fully encrypted without the need to change anything in the Windows installation (no disabling of BitLocker needed). It also works with the new Ubuntu 24.04 installer. I tested with 22.04 and 24.04.

The guide might look complex, but it is just very detailed and only very easy and understandable commands are used. (I hope so ;)). I exactly followed this guide myself and it worked for me with my fresh Windows 11 BitLocker encrypted on my Laptop.

In the guide, when I provide commands to execute, they use the partition numbers that are often used in new Windows Laptops. Always double check that this is the same for you or change the partition numbers such that it fits your setup. You can always use lsblk to double check your partition names and numbers :)

Here is the guide that I wrote for my coworkers:

Goal

This dual boot guide has two nice features which you normally don't get with "normal" dual boot setups

  1. We don't change the Windows installation at all. In normal dual boot setups, the Grub bootloader is installed to the same EFI partition that is also used by the Windows bootloader. However, in this setup, we create our own second totally independent EFI partition, where we install Grub to. This is a nice feature of UEFI systems, and it results in two totally independent bootloaders. No change to Windows at all. Moreover, there is no need to disable Bitlocker at any moment.
  2. We will fully encrypt our Ubuntu installation by using an LVM/LUKS setup. The nice part here is that this is normally only possible by completely erasing the Windows installation, due to a limitation in the Ubuntu- (and also other Linux-) installers. But here you will find a guide to manually achieve this setup without altering the Windows installation. This is important to achieve full-disk encryption, which is crucial!

Windows Preparation

  • Start with your Laptop booted to Windows
  • Store your BitLocker recovery key somewhere, like on your phone in a password manager or so. Ask your admin if you don't know it or follow this Microsoft guide
    • You will need it later again to unlock Windows
    • Normally the key is stored in TPM but when adjusting something in UEFI you have to enter it again
  • In Windows open the search bar and search for disk management
    • And shrink your BitLocker encrypted partition as much as possible/desired
    • I got 700 GB free of my 1 TB

BACKUP

NOW TAKE A BACKUP! Definitely take a full-disk backup of your laptop via clonezilla.

  • Still in Windows, prepare another USB stick with clonezilla, follow their guide to create a bootable clonezilla USB stick
  • You will also need an external drive which is large enough to hold the shrunk Windows partition, in my case at least 300 GB
    • Here it is good if you already shrunk your drive since it is encrypted and needs to be backed up as a whole, so less space needed on external drive if it is smaller
  • Now do a reboot (don't do a shutdown, you will not be able to enter UEFI)
    • press the respective key to go to UEFI menu, and then manually boot the live USB stick with Clonezilla
  • In clonezilla
    • save as device to image
    • local device
      • use the external drive as the destination to store the image
    • Beginner mode
    • and save the full disk
    • and select your nvme0n1 as the source
    • just continue and you will have a full disk backup as an image on your external drive
  • Now you can boot back to Windows

Ubuntu USB Stick Preparation

  • Download Ubuntu and use your USB stick to create an Ubuntu live USB stick now
    • Some imaging tools have problems if the USB stick is not formatted with GPT beforehand, so better do this to erase MBR section on USB stick
  • Create another partition in the free space of the USB stick at the end as FAT32
    • This is not possible, if MBR header is still present on USB stick
  • You can use this partition to store things that you want to have on your fresh Ubuntu once it is installed. And we also need this one to store temporarily an EFI partitions data.
  • Eject the USB Stick
  • And do a reboot again to go into Ubuntu

Ubuntu installation

  • Outline:
    • We will do an unencrypted Ubuntu installation first
      • This is necessary at first since we cannot directly create an encrypted installation without erasing the whole Windows installation
      • So we have to do the encryption manually afterward
    • Then we will change the unencrypted installation to a fully encrypted installation with LVM and LUKS
      • This leads to a bit more complex installation procedure but is the only way available since Ubuntu's installer is very limited in its "something else" method where you can specify your desired partition needs

1. Unencrypted installation

  • Select your Language and keyboard
  • In the Updates section, I also enabled third-party software and entered a temporary password for secure boot
  • Now before proceeding by clicking on the "something else" method in the installation screen, we want to backup again the content of our EFI partition which contains the Windows bootloader
    • Open a terminal with Ctrl+Alt+T
    • Become root sudo -i
    • lsblk to list all devices
    • Mount the persistent vfat partition on our USB stick
      • mkdir /mnt/persistent && mount /dev/sda4 /mnt/persistent
      • mkdir /mnt/persistent/efi-backup
    • Mount the Windows bootloader partition
      • mkdir /mnt/efi && mount /dev/nvme0n1p1 /mnt/efi
    • Backup all the data on it, and make sure to correctly execute rsync as shown here (with trailing slashes):
      • rsync -avS /mnt/efi/ /mnt/persistent/efi-backup/
    • Now we delete the content on the efi partition (don't be scared, we will copy it back later)
      • rm -rf /mnt/efi/*
    • Umount again the efi partition
      • umount /mnt/efi
      • umount /mnt/persistent
  • Now choose something else as installation type
    • Now select the free space on your nvme0n1 between the BitLocker partition p3 and the recovery partition p4
    • Create a new partition via plus sign
      • Set it to 512 MB
      • And Use as: EFI System partition (This might be not possible due to recent updates in installer, if so, don't worry, just create it as an unformatted partition since we don't need it yet, anyway. In step 2 we will make it EFI then)
    • Select the free space again and create another partition
      • Size 2048 MB
      • And as Ext4
      • And as Mount point /boot
    • And a third partition
      • Set size to 12000 MB
        • We will delete this partition later, so we want to keep it as small as possible
      • And as Ext4
      • And the Mount point as /
    • And now select the device for bootloader installation as
      • /dev/nvme0n1
        • Mind: even if you select our new EFI partition /dev/nvme0n1p5, Ubuntu will still install the bootloader to /dev/nvme0n1p1. This is a limitation of the Ubuntu installer, it will always choose first EFI on a disk, doesn't matter what. Because of this, we did the backup of the Windows bootloader partition to copy it back later and swap both EFIs :)
    • Install Now
  • Location and username etc, then wait for installation to finish
  • When the installation is done, don't press reboot
    • just press the cross at top right to close the window
    • This will boot the live USB stick again and you can proceed with the adjustments below
    • For this open a root terminal again
  • If you don't have a new EFI partition yet (due to installer not letting you create an EFI), do this:
    • In terminal execute gparted to open the gparted program
    • Select the correct disk
    • There you should see your partitions. Select the unformatted partition which should be the new EFI partition.
    • Right click on it and format as fat32
    • Apply this change via the green check mark
    • Now, right click again and name the partition something like (doesn't matter): EFI Ubuntu
    • Right click again, and select manage flags. Here you select boot and esp. Hint: as stated in this answer here, you might be better off not setting any flags, since Ubuntu doesn't need those flags to boot and Windows cannot get confused by another EFI partition. However, I have the flags set and it works fine like this for me.
    • Apply the changes again via green checkmark.
    • Now you have a new EFI partition
  • Copy the content from our EFI to the newly created EFI
    • mount /dev/nvme0n1p1 /mnt/efi
    • mkdir /mnt/new-efi && mount /dev/nvme0n1p5 /mnt/new-efi
    • rsync -aSv /mnt/efi/ /mnt/new-efi/
      • (with trailing slashes)
  • And then copy back the original Windows boot manager content to our old efi
    • mount /dev/sda4 /mnt/persistent
    • rm -rf /mnt/efi/*
    • rsync -avS /mnt/persistent/efi-backup/ /mnt/efi/
      • (with trailing slashes)
  • Umount
    • umount /mnt/efi && umount /mnt/new-efi
  • Ok Windows is unchanged again, and we can proceed with further steps for our Ubuntu installation

2. Change it to an encrypted installation

Disks setup

  • Now we will create our new encrypted partition that we will use
    • This is exactly as it would be like, when choosing the default Ubuntu full encrypted disk mode in the installer, but with the nice addition that we can keep our Windows installation working
  • Execute in terminal gparted to open the program
    • First we will move the new ubuntu root partition (nvme0n1p7) to the right such that it aligns with the microsoft reserved partition which is the rightmost. For this right click the new ubuntu root partition and select resize/move. Then you can drag and drop it to the right. The warning can be ignored. Apply the changes via green checkmark at top.
      • This is useful since later we want to acquire this space again
    • create a new partition in the big free space before the p7, after the new EFI and boot, and set its File System as cleared
    • confirm and close again gparted
  • Now we continue with setting up a new encrypted partition
    • We will
cryptsetup luksFormat /dev/nvme0n1p8
cryptsetup open /dev/nvme0n1p8 nvme0n1p8_crypt
pvcreate /dev/mapper/nvme0n1p8_crypt
vgcreate vgubuntu /dev/mapper/nvme0n1p8_crypt
vgs -a # Check the available size and decide how big your partitions should be
lvcreate --name swap_1 -L 32G vgubuntu
lvcreate --name root -L 650g vgubuntu
# You can also create a home partition etc...

Format those

mkfs.ext4 /dev/vgubuntu/root
mkswap /dev/vgubuntu/swap_1

  • We continue with transferring the fresh Ubuntu installation to our new partition
mkdir /mnt/root-orig
mkdir /mnt/root-new
mount /dev/nvme0n1p7 /mnt/root-orig/
mount /dev/vgubuntu/root /mnt/root-new/
rsync -avShPAXHx --numeric-ids /mnt/root-orig/ /mnt/root-new/
  • Now let's free up the space of our previous unencrypted partition
umount /mnt/root-orig /mnt/root-new/
vgchange -an vgubuntu
  • Now open gparted again and remove the partition p7 which contains the unencrypted one
    • And resize the p8 to take in the free space of p7 if you want to
  • And let's apply those changes to the underlying luks and lvm systems
cryptsetup resize nvme0n1p8_crypt
pvresize /dev/mapper/nvme0n1p8_crypt
vgchange -ay vgubuntu

Chroot to configure new installation

  • We will continue with chrooting into our new installation to configure the changes that we made
mount /dev/vgubuntu/root /mnt/root-new/
mount /dev/nvme0n1p6 /mnt/root-new/boot/
mount /dev/nvme0n1p5 /mnt/root-new/boot/efi/
mount --bind /dev /mnt/root-new/dev
mount --bind /proc /mnt/root-new/proc/
mount --bind /sys /mnt/root-new/sys/
mount --bind /run /mnt/root-new/run

chroot /mnt/root-new/ /bin/bash

  • We will register our luks partition and make sure that it can decrypt at boot
apt update
apt install lvm2 cryptsetup

blkid /dev/nvme0n1p8

Copy the UUID

nano /etc/crypttab

  • And now put in a new entry with your copied UUID
nvme0n1p8_crypt UUID=UUID none luks,discard
  • We also have to adjust fstab
    • put in your / mount
    • Adjust the /boot/efi partition since we changed this too
    • And the swap mount
blkid /dev/nvme0n1p5 # Get UUID of EFI
nano /etc/fstab
  • Example:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/... during installation
/dev/mapper/vgubuntu-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p6 during installation
UUID=fd1eecf5-18b0-42fb-a3d4-5239c1465fc1 /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p5 during installation
UUID=EF18-AD8F  /boot/efi       vfat    umask=0077      0       1
/dev/mapper/vgubuntu-swap_1 none    swap    sw  0   0
  • Now apply update
update-initramfs -u -k all
  • And let's also update grub
    • We will also make it detect Windows
nano /etc/default/grub
  • And add
GRUB_DISABLE_OS_PROBER=false
  • Now update
update-grub

  • And let's exit the chroot
exit

umount /mnt/root-new/dev/
umount /mnt/root-new/proc/
umount /mnt/root-new/sys
umount /mnt/root-new/run
umount /mnt/root-new/boot/efi
umount /mnt/root-new/boot
umount /mnt/root-new

UEFI boot order

  • As a last step we will check the boot order and create a new entry for our new EFI partition
# Check all entries
efibootmgr -v
# Locate the old Ubuntu entry, which was created for wrong EFI partition and delete it
efibootmgr -b 0001 -B
# Create new one for correct partition, here nvme0n1p5
efibootmgr --create --disk /dev/nvme0n1 --part 5 --label "Ubuntu" --loader /EFI/ubuntu/shimx64.efi
# Check if all fine
efibootmgr -v

Done

  • Now you can reboot
    • You might have to enter your secure boot password if you installed proprietary drivers via Ubuntu installation
  • When booting Windows the first time, you might need to enter the recovery key again since we changed some UEFI entries
    • After that the key will be stored in TPM again and you can use it as normal

Troubleshooting

If you have problems with the grub boot manager at some point, you can always go back into a live USB stick, mount desired boot and efi partitions, and follow the steps to go into chroot. From there you can always fix boot and efi partitions and reinstall grub etc.

grub-install --target=x86_64-efi --efi-directory=/mnt/boot/efi --bootloader-id=ubuntu
grub-mkconfig

for boot partition

update-initramfs -u -k all

fbpolar
  • 361
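
A pre-reboot check for the guide in the answer above, as an added example that is not part of the original post: it confirms the restored Windows EFI partition is file-for-file identical to the backup taken before the installer ran, and that crypttab and fstab in the new root reference the real UUIDs rather than the `UUID=UUID` placeholder or the old EFI partition. The helper names, the script name and its argument order are assumptions of this example, and the fstab check assumes the `UUID=` form used in the guide's example file.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the guide above. Helper names and the
# argument order are assumptions of this example, not an Ubuntu tool.

# Print "sha256  ./path" for every file under directory $1, sorted by path.
esp_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# 0 if ESP $2 is file-for-file identical to backup $1 (no changed, missing or
# leftover files); 2 if the backup is unreadable or empty and proves nothing.
esp_matches_backup() {
    backup_manifest=$(esp_manifest "$1") || return 2
    [ -n "$backup_manifest" ] || return 2
    [ "$backup_manifest" = "$(esp_manifest "$2")" ]
}

# 0 if crypttab $1 maps name $2 to UUID=$3 with the "luks" option set.
# A literal "UUID=UUID" left over from the template fails this check.
crypttab_entry_ok() {
    awk -v name="$2" -v want="UUID=$3" '
        $1 ~ /^#/ { next }
        $1 == name {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "luks") luks = 1
            if ($2 == want && luks) ok = 1
        }
        END { exit !ok }
    ' "$1"
}

# Print the <file system> field that fstab $1 lists for mount point $2.
fstab_source_for() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1 }' "$1"
}

# Usage from the live session (paths and devices as in the guide, remounted):
#   sh precheck.sh /mnt/persistent/efi-backup /mnt/efi /mnt/root-new/etc \
#       nvme0n1p8_crypt /dev/nvme0n1p8 /dev/nvme0n1p5
if [ "$#" -eq 6 ]; then
    esp_matches_backup "$1" "$2" || { echo "Windows ESP differs from backup" >&2; exit 1; }
    crypttab_entry_ok "$3/crypttab" "$4" "$(blkid -s UUID -o value "$5")" \
        || { echo "crypttab does not reference the LUKS UUID" >&2; exit 1; }
    [ "$(fstab_source_for "$3/fstab" /boot/efi)" = "UUID=$(blkid -s UUID -o value "$6")" ] \
        || { echo "/boot/efi in fstab is not the new ESP" >&2; exit 1; }
    echo "pre-reboot checks passed"
fi
```
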
1

One addition to the excellent answer of @fbpolar: to prevent Windows 11 messing up with UEFI after booting, you need to remove boot flag from Ubuntu EFI partition (/dev/nvme0n1p5 in the guide) using gparted.

Otherwise (as I got in my case) Win 11 restores booting from its own EFI and you need to get into BIOS each time to boot Ubuntu. The solution is by some anonymous Reddit guy:

So I found out if you open Gparted and remove the boot/efi flags from the EFI partition on your Linux system, Windows won't recognize it as an EFI partition and won't mess with it. Because Linux doesn't care about those flags, you can just leave them off.

1

In my case my laptop had two NVME drives: the drive that came with the laptop already had Windows 11 home installed, and I wanted to install Ubuntu on a second aftermarket drive I installed.

The following steps worked for me (please read the notes below as well):

  1. Turn off Device Encryption in Windows 11. (You will turn it back on after installing Ubuntu on the second drive.)

    1. Navigate to Settings app -> Privacy & Security -> Device Encryption.

    2. In the Device Encryption section click Turn Off.

    3. A confirmation prompt will appear. Click Turn Off again.

    4. Wait for the decryption process to complete. This might take some time depending on the size of your drive.

  2. Install Ubuntu using the installation wizard, and at the Disk setup step, choose Erase disk and install Ubuntu with the advanced option LVM and encryption selected.

  3. In a following step, you will choose the empty drive (e.g., /dev/nvme0n1) to install Ubuntu on.

  4. After the installation completes, go back into Windows and turn Device Encryption back on.

Notes:

  • Be careful to choose the empty disk to install Ubuntu on, otherwise you could risk deleting your existing Windows installation, and as always backups are a good idea
  • In my case, the Device encryption settings disappeared from Windows 11 after booting into Windows through Grub for the first time. To fix this I changed the boot menu from the BIOS to go directly into the Windows installation. Then after booting into Windows without going through Grub, the Device Encryption settings were visible again. If this is not an option in your BIOS, you might try physically removing the Ubuntu disk temporarily.
  • After turning on device encryption, I had to enter a newly generated encryption key before Windows would boot, so make sure you can access your keys from your Windows account

References:

karel
  • 122,292
  • 133
  • 301
  • 332
sjking
  • 121