I will call the current system original and the new, encrypted one new.
Prepare
Create a USB-stick Ubuntu installer (I use Ventoy)
Install timeshift on original system
sudo apt update && apt install timeshiftNow plug in an USB drive with enough capacity
Configure timeshift
Launch timeshift-gtk, configure it for rlogin (default), select your usb drive and make sure you tick your user’s and root’s directory to Include all files (that part of the window might be hidden so expand it to the right to see it completely).
Then create a new snapshot (click on Create).
Reboot and install new system
Install timeshift on new system
launch timeshift and restore. Usually, partitions are as follow :
- nvme0n1p1 is vfat and maps to /boot/efi
- nbme0n1p2 is ext4 and maps to /boot
- nvme0n1p3 is the encrypted block device that contains /
Here the whole system you just installed will be overwritten by the timeshift snapshot. But since your disk was not encrypted before, we will have to tell the system to unlock it upon startup.
Fix startup
Decrypt the encrypted partition using GUI tools (I use KDE/Dolphin and click on the left on the « disk locked » icon. You can do the same manually with commands but I find it easier this way.
Open a terminal. Make sure the correct language is selected.
sudo -i (to become root – since you’re still on the live system, password is usually blank)
lsblk
and copy the luks-xxxxxx-xxxxx-xxxx that shows (with ctrl+shift+C)
dmsetup rename luks-xxxxxx-xxxxx-xxxx root_crypt
The root_crypt name is whatever you want but we will have to reuse it in /etc/crypttab so choose something that will let you identify that disk easily.
Now we mount the disks to /mnt (we will chroot there to setup grub and initramfs
mount /dev/mapper/root_crypt /mntmount /dev/nvme0n1p2 /mnt/bootmount /dev/nvme0n1p1 /mnt/boot/efi
Now we bind-mount various system dirs before chrooting:
for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt/$i; done
One last thing before chrooting, get the UUIDs of our disks (you can open another console to make copy/paste easier):
sudo lsblk
Take note of the UUIDs of /boot/efi (nvme0n1p1 in my case). Since it is vfat (I guess) the UUID is small, usually XXXX-YYYY. I will call it <UUID_EFI>
Take also note of the UUID of / (nvme0n1p3 for me). I will call it <UUID_ROOT>
Now switch to the installed system:
chroot /mnt
Edit /etc/crypttab with your editor (nano for example) and add a line:
root_crypt UUID=<UUID_ROOT> none luks,initramfs
Warning: you must add a newline at the end otherwise the line won’t be seen.
Edit /etc/fstab and modify the UUIDs. Warning: the mount points won’t probably be the same so make sure to look at the mount point when adding the UUIDs. If some lines are not used anymore, comment them out by placing a # as the first character of the line.
For / don’t use an UUID but /dev/mapper/root_crypt like so:
/dev/mapper/root_crypt / ext4 defaults 0 1
Now install grub:
grub-install /dev/nvme0n1update-grub
And update your initramfs:
update-initramfs -k all -c
Reboot and enjoy.