# Dual Boot Ubuntu

Here are my personal notes from back when I first dual booted Ubuntu, with some
updates sprinkled in. Use with caution and **back up everything to another
detached disk** before proceeding. Although it is very unlikely for things to
go wrong when this guide is properly followed, I will not be responsible for any
data loss.

This guide was first written for Ubuntu 18.04 LTS, so some claims may no longer
be true (please let me know if any are false). In this guide we'll dual boot
Ubuntu and Windows 10, with encryption set up for the root and home mounts.

## Questions before we begin

You need to think about these things before you do anything. I have attached my
personal answers below, but yours might be different.

- How much space to allocate for Ubuntu?
  - ~25 GiB. The recommended minimum is 25 GB, and my personal usage has never
    exceeded 40 GiB for the root drive.
  - If you don't have enough space, you may forgo a separate `/home` to gain
    flexibility, as root space could shrink or grow and it's hard to guess the
    sizes upfront. Plus, if your data is on the Windows BitLocker drive, you
    could always make a separate drive to keep your data 2 years later when
    the next Ubuntu LTS comes out, or just restore from backup. Or, you could
    make use of LVM...
    - After daily driving Ubuntu I switched to separate `/` and `/home` on
      top of LVM, keeping at least 5 GiB of free space for each LV. When
      I need more space, I always live resize with
      `sudo lvextend -rL +5G vgroot/lvhome` so I don't have to guess the total size.
- Where should the Ubuntu root partition be?
  - Right before `/boot` before `D:`. Since moving the starting location of a
    BitLocker-protected drive needs a full data move using an external hard
    drive and is a lot of hassle, we can consider the beginning of `D:` to be
    fixed. Putting `/boot` right before `D:` makes its location unlikely to
    be affected by moving partitions around, so we don't have to deal with any
    potential `/boot` hassles which may require reinstallation of GRUB.
    - After using it for a while, I've decided to put it at the end of the disk
      instead.
  - Leaving free space between Ubuntu's root and the Windows drive makes both
    OSes easy to resize: it is not hard to change the starting location
    of root (GParted can do the job itself), and instead of requiring a full
    move in case of expansion of Windows, which is probably more likely, we
    require nothing.
- Should you encrypt this partition?
  - Yes. There may be sensitive data in `/home/$user/.ssh/`, `/tmp/`,
    `/var/log/`, etc. Plus, you may want to put the BitLocker key in there
    as well for Dislocker, and keep them safe in case of losing the laptop.
- Should I encrypt `/boot` or just `/`?
  - Just `/`. Encrypting `/boot` provides only some protection against
    the kind of Evil Maid attack where someone changes the kernel to include a
    keylogger. This requires physical access, and if they have that they can
    do more, either:
    1. Install another Ubuntu and connect to the Internet to upload the password
    2. Install a hardware keylogger
    3. Swap it out for a same-looking machine
  - My goal was only to protect against theft and loss, not to protect against
    these advanced threats. To protect against those, you would need to either:
    - Encrypt `/boot`, which prevents only the swap of a kernel but not any
      of the three points above, and is hard to implement.
    - Password protect the BIOS, which is very risky if I forget the
      BIOS password and protects only against the kernel swap and threat #1.
      I consider it not worth it, for it adds significant risk only to protect
      against the first threat, which is unlikely as I would have to be
      specifically targeted by very technical people (they probably could
      also disable the password protection or install the keylogger too, but
      I haven't researched much about this).
    - IDK what more could be done.
  - Bottom line: never trust the device once it's been tampered with.
- How should I encrypt? LUKS?
  - LUKS. I don't want my directory structure to be seen and I want to just
    use ext4.
- LVM on LUKS or LUKS on LVM?
  - LVM on LUKS, the usual setup with less hassle, and I don't need multi-disk
    LUKS anyway as this is a single-disk laptop.
- Will dual booting mess up the Windows boot loader?
  - It should not, since removing GRUB requires only the removal of its entries
    from the EFI partition.
- How to avoid too many password prompts?
  - There should be only one prompt at boot, when the kernel asks for the
    password to decrypt the file systems, and another for normal logins.
- How to dual boot and install with encryption?
  - Here is the original guide which I based this one on:
    [Encrypting disks on Ubuntu 19.04](https://medium.com/@chrishantha/encrypting-disks-on-ubuntu-19-04-b50bfc65182a)
- With these questions answered, we can perform the installation.

## Installation

- Boot the Ubuntu 22.10 live image with the `Try Ubuntu` option.
- Verify that we are using UEFI:
  `$ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS`
- Using GParted, give 1 GiB (or 500 MiB if you are short on space) to `/boot`
  and make a partition for `/` as well, at least around 25 GB.
- `$ sudo cryptsetup luksFormat --type luks2 --key-size 512 --hash sha512 --use-random /dev/<root partition>`
  - Defaults, spell them out if you want to be extra certain:
    `--cipher aes-xts-plain64 --iter-time 2000 --verify-passphrase`
- `$ sudo cryptsetup open /dev/<root partition> pvroot`
  - No need to overwrite the data first: it was originally BitLocker encrypted,
    and overwriting would cost performance and lifespan of the SSD.
- `$ sudo pvcreate /dev/mapper/pvroot`
- `$ sudo vgcreate vgroot /dev/mapper/pvroot`
- `$ sudo lvcreate -n lvhome -L 10G vgroot` (`G` refers to GiB according to the
  man page)
  - Remember to monitor disk usage and when prompted, live extend the LVs!
- `$ sudo lvcreate -n lvroot -L 15G vgroot`
- Start the Ubuntu installation from the shortcut icon on the Desktop.
- Choose extra software and set a password.
- Choose `Something else`.
- Format `/dev/<boot partition>` as ext4 and mount to `/boot`.
- Format `/dev/mapper/vgroot-lvroot` as ext4 and mount to `/`.
- Format `/dev/mapper/vgroot-lvhome` as ext4 and mount to `/home`.
- Choose the main disk (e.g. `/dev/sda` or `/dev/nvme0n1p2`) as the
  `Device for boot loader installation`.
- Name the partitions if you are feeling fancy.
- Once the installation is complete, click `Continue Testing` to make the
  necessary changes to load the encrypted partitions at startup.
- Make note of the UUID: `$ blkid /dev/<root partition>`
- Mount the installed Ubuntu OS on `/mnt` and use `chroot` to change the root
  directory to `/mnt`:
  ```
  $ sudo mount /dev/mapper/vgroot-lvroot /mnt
  $ sudo mount /dev/<boot partition> /mnt/boot
  $ sudo mount --bind /dev /mnt/dev
  $ sudo chroot /mnt
  # mount -t proc proc /proc
  # mount -t sysfs sys /sys
  # mount -t devpts devpts /dev/pts
  ```
- In the chroot: `# vi /etc/crypttab`
  - Add the following lines to it (replacing `<UUID_PVROOT>` with the value
    obtained from the `blkid` command earlier):
    ```
    # <target name> <source device> <key file> <options>
    pvroot UUID=<UUID_PVROOT> none luks,discard
    ```
  - This guide assumes you have an SSD, so we have `discard`.
- Update the initramfs so the kernel can load the encrypted partitions at
  startup: `# update-initramfs -k all -c`
- Exit the chroot shell.
- Reboot.
- Select Enroll MOK at the blue MOK manager screen. Be quick! After a minute
  or so it will reboot, and you only get one chance.
- Select continue and yes.
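
A check worth running inside the chroot before exiting it, because a wrong UUID in `/etc/crypttab` (for example the UUID of the mapped device instead of the LUKS partition) leaves the initramfs unable to unlock `pvroot`. This is an added example, not part of the original notes; the function name `check_crypttab`, its return codes and the sample UUID are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# check_crypttab FILE TARGET LUKS_UUID   (hypothetical helper, not from the guide)
# Returns 0 when FILE maps TARGET to UUID=LUKS_UUID, prompts for a passphrase
# (key file "none") and carries the "luks" option. Otherwise prints the reason:
#   1 = no entry for TARGET     2 = source is not UUID=LUKS_UUID
#   3 = a key file is set       4 = "luks" option missing
# The body runs in a subshell so its variables do not leak into the caller.
check_crypttab() (
    file=$1 target=$2 uuid=$3 found=0
    # The "|| [ -n ... ]" part keeps a last line that lacks a trailing newline.
    while read -r name src key opts _ || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac    # blank line or comment
        [ "$name" = "$target" ] || continue
        found=1
        if [ "$src" != "UUID=$uuid" ]; then
            echo "$target: source '$src', expected 'UUID=$uuid'" >&2
            return 2
        fi
        if [ "$key" != "none" ]; then
            echo "$target: key file '$key', expected 'none'" >&2
            return 3
        fi
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$target: option 'luks' missing in '$opts'" >&2
               return 4 ;;
        esac
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "$target: no entry in $file" >&2
        return 1
    fi
)

# Constructed sample input; the UUID is made up, not read from a real disk.
sample_uuid=0f3c1e2a-1111-2222-3333-444455556666
sample=$(mktemp)
printf '%s\n' '# <target name> <source device> <key file> <options>' \
    "pvroot UUID=$sample_uuid none luks,discard" > "$sample"
check_crypttab "$sample" pvroot "$sample_uuid" && echo "crypttab entry OK"
rm -f "$sample"
```

In the chroot, call it as `check_crypttab /etc/crypttab pvroot "$(blkid -s UUID -o value /dev/<root partition>)"` so the expected value comes straight from the LUKS partition.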

## Post Install

- Adjust the boot sequence in UEFI if you want to boot Windows first.
- Run `$ timedatectl set-local-rtc 1 --adjust-system-clock` to prevent the
  system clock from showing different times when dual booting.
- Install and configure Dislocker to access Windows BitLocker drives.