The Secure Deploy Laptop

Dual boot Windows + Ubuntu • LUKS encryption • Production secrets stay here

This guide sets up a secure, minimal "deploy machine" that dual-boots Windows and Ubuntu. The laptop's role is simple:

  • Keep Windows installed (rarely used on this machine)
  • Use Ubuntu to pull releases from GitLab, package, and deploy
  • Keep production secrets only on this laptop in ~/secrets/site1/.env.production
  • Install as little extra software as possible

Why Dual Boot (Not Windows/WSL)

Windows file locking can cause Node/Nuxt build issues (e.g. EBUSY). A native Ubuntu build environment matches production and avoids those filesystem edge cases.

Build Environment Comparison

Feature             Windows       WSL2         Ubuntu Dual Boot
EBUSY errors        Frequent      Occasional   Never
Postbuild runs      Often fails   Sometimes    Always
Build speed         Slow          Fast         Fastest
Production parity   Different     Close        Identical
File permissions    Issues        Limited      Perfect
Hardware access     Full          Limited      Full
Reboot required     No            No           Yes

What You Need

Part 1 — Prepare Windows

Avoid the common dual-boot pitfalls

1) Back Up

At minimum: Documents / Desktop / Downloads + anything you can't re-download.

2) Disable Fast Startup + Hibernation

Important: Fast Startup/hibernation can leave NTFS "half-closed" and increase dual-boot weirdness. You must disable this before installing Ubuntu alongside Windows.

  1. Control Panel → Power Options → "Choose what the power buttons do"
  2. Click "Change settings that are currently unavailable"
  3. Uncheck Turn on fast startup
  4. Save

Then run in Admin PowerShell:

powercfg /h off

3) BitLocker: Fully Decrypt Before Installing

Critical: Even if manage-bde -status shows Protection Off, Ubuntu can still detect BitLocker if the volume is still encrypted (e.g. "Used Space Only Encrypted", non-zero %). You must fully decrypt.

Check BitLocker status

Open Admin PowerShell:

manage-bde -status C:

Safe to proceed only when you see both:
  • Conversion Status: Fully Decrypted
  • Percentage Encrypted: 0.0%

If it's not fully decrypted

Turn it off (decrypt) and wait:

manage-bde -off C:
manage-bde -status C:

If it says Decryption in Progress, let it finish. Then reboot Windows once before booting the Ubuntu USB again.

Tip: Save your BitLocker recovery key somewhere safe anyway, because Windows sometimes re-enables BitLocker later after firmware/boot changes.

4) Shrink C: to Create Ubuntu Space

Important: Leave the space as Unallocated. Do not create a new Windows volume there.

  1. Win+X → Disk Management (diskmgmt.msc)
  2. Right-click C: → Shrink Volume…
  3. Shrink by 102400 MB (≈ 100 GB) — or more.
  4. After shrinking you must see Unallocated space (black bar).

Part 2 — Create the Ubuntu USB

Don't just copy the ISO — it won't boot

1) Download Ubuntu ISO

Download Ubuntu 24.04.3 LTS Desktop (check which version is recommended for your laptop).

2) Use Rufus to Write the ISO

Pitfall: Copying the ISO file to a USB drive is not enough. You must "write" it as a bootable image using a tool like Rufus.

  1. Run Rufus
  2. Device: select your USB
  3. Boot selection: select ubuntu-24.04.3-desktop-amd64.iso
  4. Use these settings:
    • Partition scheme: GPT
    • Target system: UEFI (non-CSM)
    • File system: leave Rufus default (FAT32 is fine)
  5. Click START
  6. If asked: choose ISO Image mode (recommended)

When finished, safely eject and keep it inserted for reboot.

Part 3 — Boot the USB

Know if you're running "live"

Reboot → press F12 at Lenovo logo → choose the USB drive.

You'll boot into a live Ubuntu session first. That means:

How to exit/reboot from the live session: Top-right system menu → Power icon → Restart / Power Off.

If you want to boot back to Windows, remove the USB before reboot.

Part 4 — Install Ubuntu

Dual boot + encryption, safely

1) Start Installer

On the live desktop, double-click Install Ubuntu 24.04.3 LTS.

2) Third-Party Drivers / Codecs

To avoid issues later, enable:

3) Disk Setup — The Most Important Screen

This is the critical step. Choose the wrong option and you could overwrite Windows.

Choose:

Install Ubuntu alongside Windows Boot Manager

If Ubuntu shows a BitLocker warning and blocks this option, that means Windows is still encrypted. Go back to Windows and fully decrypt C: (see Part 1, step 3).

Encryption (Important)

Ubuntu 24.04 can encrypt the Ubuntu install even in dual-boot, but the UI can be confusing:

  1. Use Advanced features…
  2. Choose Use LVM and encryption (this encrypts Ubuntu; Windows stays as-is)
  3. Go back one step
  4. Before pressing Next, confirm the radio button is still Install alongside Windows Boot Manager and Use LVM and encryption

4) Passphrase for Disk Encryption (LUKS)

You'll be asked for a passphrase to unlock the encrypted Ubuntu disk at boot.

Store it safely. If you lose the LUKS passphrase, the data is unrecoverable.

5) Ubuntu Account Screen

Username "Security"

A non-obvious username adds only tiny security value. The real protection is:

Choose a username you won't hate typing.

6) Review Screen — Sanity Check Before Install

On "Review your choices", confirm:

  • Disk setup says: Install Ubuntu alongside Windows Boot Manager
  • Disk encryption says: LUKS (LVM) (or similar)
  • Installation disk is nvme0n1 or similar (your internal SSD)

If that looks right → Install.

Part 5 — First Reboot + Boot Menu

After installation:

  1. Remove USB when prompted
  2. Reboot
  3. You should see a boot menu (GRUB) to select Ubuntu or Windows Boot Manager

LUKS prompt: If you enabled disk encryption, you'll be asked for your LUKS passphrase before the Ubuntu login screen appears. This is normal.

Part 6 — Post-Install Minimal Setup

For a deploy laptop — only install what you need

1) Update Packages

Open a terminal with Ctrl+Alt+T:

sudo apt update
sudo apt upgrade -y

2) Install Only What You Need

sudo apt install -y git rsync ca-certificates openssh-client

That's it. No Node, no Docker, no web server — this is a deploy machine, not a dev machine.

3) Create Secrets Folder (Tight Permissions)

mkdir -p ~/secrets/site1
chmod 700 ~/secrets ~/secrets/site1
nano ~/secrets/site1/.env.production
chmod 600 ~/secrets/site1/.env.production

Why this is safe: Because Ubuntu is encrypted (LUKS), this file is protected when the laptop is off. The chmod 700 / 600 permissions ensure only your user can access it while the system is running.

4) (Optional) Ubuntu Pro

For a minimal deploy laptop: skip for now. You can enable later if you want extended security coverage (10 years of security patches for universe packages).

Ubuntu Pro is free for personal use (up to 5 machines). Enable it anytime with:

sudo pro attach

Part 7 — Deploy Workflow

Recommended CI/CD flow

If you're doing development on another laptop, push releases to GitLab, and use this machine to pull + package. That's a good model for a "clean deploy box".

Typical Flow

  1. Dev machine pushes tag/release to GitLab
  2. GitLab CI builds and stores an artifact (or you pull source and build here if needed)
  3. Deploy laptop pulls release and runs prepare-deploy.sh
  4. Deploy laptop injects secrets from ~/secrets/site1/.env.production into the deploy folder (without committing secrets)
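
One way to implement step 4, as an added example (not the contents of prepare-deploy.sh and not code from the original guide): a hypothetical inject_env helper that re-checks the Part 6 permissions on the secrets store, refuses a git checkout in which .env.production is not ignored, and writes the copy with mode 600. The function names and the release path in the usage comment are assumptions.

```bash
# Added example: hypothetical helper, not the contents of prepare-deploy.sh.

# check_mode PATH MODE: PATH must exist, not be a symlink, be owned by the
# current user, and have exactly the octal MODE.
check_mode() {
    local path="$1" want="$2"
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    [ ! -L "$path" ] || { echo "refusing symlink: $path" >&2; return 1; }
    [ "$(stat -c '%u' "$path")" = "$(id -u)" ] ||
        { echo "not owned by current user: $path" >&2; return 1; }
    [ "$(stat -c '%a' "$path")" = "$want" ] ||
        { echo "mode is not $want: $path" >&2; return 1; }
}

# inject_env SECRETS_DIR RELEASE_DIR
# Copies SECRETS_DIR/.env.production into RELEASE_DIR, or fails closed.
inject_env() {
    local secrets="$1" release="$2"
    local src="$secrets/.env.production" dst="$release/.env.production"

    check_mode "$(dirname "$secrets")" 700 || return 1   # ~/secrets
    check_mode "$secrets" 700 || return 1                # ~/secrets/site1
    check_mode "$src" 600 || return 1
    [ -d "$release" ] || { echo "no release dir: $release" >&2; return 1; }

    # In a git checkout the file must be ignored, otherwise a later
    # "git add ." would stage the production secrets.
    if command -v git >/dev/null 2>&1 &&
       git -C "$release" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$release" check-ignore -q .env.production; then
        echo ".env.production is not git-ignored in $release" >&2
        return 1
    fi

    # install(1) replaces any existing file and sets mode 600 explicitly;
    # cp would keep the looser mode of a file that is already there.
    install -m 600 "$src" "$dst"
}

# Usage on the deploy laptop (the release path is a placeholder):
#   inject_env "$HOME/secrets/site1" "$HOME/releases/site1" || exit 1
```

A non-zero return means nothing was copied, so a calling script can stop before the rsync/scp step.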

Flow Diagram

Dev Laptop          GitLab CI         Deploy Laptop        VPS
    |                   |                   |                |
    |-- git push tag -->|                   |                |
    |                   |-- build artifact->|                |
    |                   |                   |-- inject .env  |
    |                   |                   |-- rsync/scp -->|
    |                   |                   |                |-- restart PM2

Troubleshooting

"Turn off BitLocker to continue"

This means Ubuntu can't safely do "install alongside".

Fix:

  1. Boot Windows
  2. Run: manage-bde -off C:
  3. Wait until Fully Decrypted + 0.0%
  4. Reboot Windows once
  5. Boot USB again and retry install

I'm seeing the Ubuntu desktop but nothing installed

That's the live USB session. You are running Ubuntu from the USB drive — nothing has been installed to your hard drive yet.

You still need to click Install Ubuntu on the desktop (or in the welcome dialog).

"Install alongside..." option disappeared / greyed out

Most often caused by:

  • BitLocker still enabled (even partially) — go back to Windows and verify manage-bde -status C: shows Fully Decrypted + 0.0%
  • No unallocated space — Windows created a new volume instead of leaving unallocated. Open Disk Management and delete the extra partition (be careful!) to return it to unallocated.

GRUB boot menu doesn't appear after install

Some laptops (especially Lenovo) may boot directly into Windows after install. Try:

  1. Enter BIOS/UEFI (usually F2 at boot)
  2. Look for Boot Order or Boot Priority
  3. Move ubuntu above Windows Boot Manager
  4. Save and exit

If "ubuntu" doesn't appear in the boot order, check if Secure Boot is enabled. Ubuntu supports Secure Boot, but some configurations may need it toggled.

Quick Checklist

Use this checklist to track your progress through the setup: