# Ubuntu Installation

## Installation steps with encryption

By following these steps, you will be able to install Ubuntu with a separate `/`, `/home`, and `/boot`, with everything encrypted except `/boot`. A disk passphrase will be required at boot and a separate user password will be required at login.

- Boot the Ubuntu 23.04 live image with the `Try Ubuntu` option.
- Verify that we are booted in UEFI mode: `$ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS`
- Give 1 GiB (or 500 MiB if you are short on space) to `/boot` using GParted, and make a partition for `/` as well, at least around 25 GB.
- `$ sudo cryptsetup luksFormat --type luks2 --key-size 512 --hash sha512 --use-random /dev/`
  - The following are already the defaults; spell them out if you want to be extra certain: `--cipher aes-xts-plain64 --iter-time 2000 --verify-passphrase`. With `aes-xts-plain64`, a 512-bit key means AES-256 (XTS uses two keys).
- `$ sudo cryptsetup open /dev/ pvroot`
  - No need to overwrite the partition with random data first: it was originally BitLocker encrypted, so it is already indistinguishable from random, and a full overwrite would cost performance and lifespan on the SSD.
- `$ sudo pvcreate /dev/mapper/pvroot`
- `$ sudo vgcreate vgroot /dev/mapper/pvroot`
- `$ sudo lvcreate -n lvhome -L 10G vgroot` (`G` refers to GiB according to the man page)
  - Remember to monitor disk usage and live extend the LVs when you run short!
- `$ sudo lvcreate -n lvroot -L 15G vgroot`
- Start the Ubuntu installation from the shortcut icon on the Desktop.
- Choose extra software and set a password.
- Choose `Something else`.
- Format `/dev/` as ext4 and mount it on `/boot`.
- Format `/dev/mapper/vgroot-lvroot` as ext4 and mount it on `/`.
- Format `/dev/mapper/vgroot-lvhome` as ext4 and mount it on `/home`.
- Choose the main disk (the whole disk, e.g. `/dev/sda` or `/dev/nvme0n1`, not a partition) as the `Device for boot loader installation`.
- Name the partitions if you are feeling fancy.
- Once the installation is complete, click `Continue Testing` to make the changes needed to unlock the encrypted partition at startup.
- Make note of the UUID of the LUKS partition itself (the raw partition, not `/dev/mapper/pvroot`): `$ blkid /dev/`
- Mount the installed Ubuntu OS on `/mnt` and use `chroot` to change the root directory to `/mnt`:

  ```
  $ sudo mount /dev/mapper/vgroot-lvroot /mnt
  $ sudo mount /dev/ /mnt/boot
  $ sudo mount --bind /dev /mnt/dev
  $ sudo chroot /mnt
  # mount -t proc proc /proc
  # mount -t sysfs sys /sys
  # mount -t devpts devpts /dev/pts
  ```

- In the chroot: `# vi /etc/crypttab`
- Add the following entry to it, filling in the value after `UUID=` with the UUID obtained from the `blkid` command earlier (the fields are target name, source device, key file, options):

  ```
  # <target name> <source device> <key file> <options>
  pvroot UUID= none luks,discard
  ```

- This guide assumes you have an SSD, so we have `discard`. Caveat: passing TRIM through the encryption layer tells the disk which blocks are unused, which leaks filesystem usage patterns through the ciphertext; drop `discard` if that matters more to you than SSD wear.
- Regenerate the initramfs so that it can unlock the encrypted partition at startup: `# update-initramfs -k all -c`
- Exit the chroot shell.
- Reboot.
- Select `Enroll MOK` at the blue MOK manager screen. Be quick! After a minute or so it will reboot and you only get one chance.
- Select `Continue`, then `Yes`.

## Dual Boot

Here are my personal notes from when I first dual booted Ubuntu, with some updates sprinkled in. Use with caution and **back up everything on another detached disk** before proceeding. Although it is very unlikely for things to go wrong when this guide is properly followed, I will not be responsible for any data loss.

This guide was first written for Ubuntu 18.04 LTS, so some claims may no longer be true (please let me know if something is false).

Following this guide, we'll dual boot Ubuntu and Windows 10 with encryption of the root and home mounts.

### Questions before we begin

You need to think about these things before you do anything. I have attached my personal answers below, but yours might be different.

- How much space to allocate for Ubuntu?
  - ~25 GiB; the recommended minimum is 25 GB and my personal usage has never exceeded 40 GiB for the root drive.
  - If you don't have enough space, you may forgo a separate `/home` to gain flexibility, as root space could shrink or grow and it's hard to guess the sizes upfront.
  - Plus, if your data is on the Windows BitLocker drive, you could always make a separate drive to keep your data two years later when the next Ubuntu LTS comes out, or just restore from backup. Or, you could make use of LVM...
  - After daily driving Ubuntu, I switched to separate `/` and `/home` on top of LVM, keeping at least 5 GiB of free space for each LV. When I need more space, I live resize with `sudo lvextend -rL +5G vgroot/lvhome` so I don't have to guess the total size.
- Where should the Ubuntu root partition be?
  - Right before `/boot`, before `D:`. Since moving the starting location of a BitLocker protected drive needs a full data move using an external hard drive and is a lot of hassle, we can consider the beginning of `D:` to be fixed. Putting `/boot` right before `D:` makes its location unlikely to be affected by moving partitions around, so we don't have to deal with any potential `/boot` hassles which may require reinstallation of GRUB.
  - After using it for a while, I've decided to put it at the end of the disk instead.
  - Leaving free space between Ubuntu's root and the Windows drive makes both OSs easy to resize: it is not hard to change the starting location of root (GParted can do the job itself), and instead of requiring a full move in case of expansion of Windows, which is probably more likely, we require nothing.
- Should you encrypt this partition?
  - Yes. There may be sensitive data in `/home/$user/.ssh/`, `/tmp/`, `/var/log/`, etc., and you may want to put the BitLocker key in there as well for Dislocker, and keep them safe in case of losing the laptop.
- Should I encrypt `/boot` or just `/`?
  - Just `/`. Encrypting `/boot` provides only partial protection against the kind of Evil Maid attack where someone replaces the kernel with one that includes a keylogger. This requires physical access, and if they have that they can do more, e.g.:
    1. Install another Ubuntu and connect to the Internet to upload the password
    2. Install a hardware keylogger
    3. Swap it out for a same-looking machine
  - My goal was to only protect against theft and loss, not against these advanced threats. To protect against those, you would need to either:
    - Encrypt `/boot`, which prevents only the swap of a kernel but none of the three points above, and is hard to implement.
    - Password protect the BIOS, which makes it very risky when I forget the BIOS password and protects only against the kernel swap and threat #1. I consider it not worth it, since it adds significant risk only to protect against the first threat, which is unlikely as I would have to be specifically targeted by very technical people (they probably could also disable the password protection or install the keylogger too, but I haven't researched much about this).
    - I don't know what more could be done.
  - Bottom line: never trust the device once it's been tampered with.
- How should I encrypt? LUKS?
  - LUKS. I don't want my directory structure to be seen and I want to just use ext4.
- LVM on LUKS or LUKS on LVM?
  - LVM on LUKS, the usual setup with less hassle; I don't need multi-disk LUKS anyway as this is a single-disk laptop.
- Will dual booting mess up the Windows boot loader?
  - It should not, since removing GRUB requires only the removal of its entries from the EFI partition.
- How to avoid too many password prompts?
  - There should be only one prompt at boot, when the initramfs asks for the passphrase to unlock the LUKS container, and another for normal logins.
- How to dual boot and install with encryption?
  - Here is the original guide on which I based this one: [Encrypting disks on Ubuntu 19.04](https://medium.com/@chrishantha/encrypting-disks-on-ubuntu-19-04-b50bfc65182a)
  - With these questions answered, we can perform the installation.

### Post Install

- Adjust the boot sequence in UEFI if you want to boot Windows first.
- `$ timedatectl set-local-rtc 1 --adjust-system-clock` to make Linux keep the hardware clock in local time like Windows does, so the two OSs don't disagree about the time when dual booting.
- Install and configure Dislocker to access Windows BitLocker drives.
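The installation steps with encryption above, collected into one POSIX shell script. This is an added example of mine, not a script from the page's author or from the guide it links: it wraps the LUKS2 -> PV -> VG -> LV layering (`--format`) and the post-install crypttab/initramfs step run from the live session (`--post`) as functions, with the same `cryptsetup`, LVM and `update-initramfs` commands and cipher options as the steps. Partition paths such as `/dev/nvme0n1p5`, the LV sizes and the `--format`/`--post` mode names are assumptions; the two destructive functions only run when a mode is given explicitly, and `crypttab_entry` can be exercised without root. Inside the chroot it mounts `/proc` and `/sys` from outside rather than from an interactive chroot shell, which is equivalent.

```shell
#!/bin/sh
# Added example, not the page author's script: the LUKS2 -> LVM layering
# and the crypttab/initramfs step as functions. Device paths, LV sizes
# and the --format/--post mode names are assumptions.
set -eu

# True if $1 looks like the UUID blkid prints (8-4-4-4-12 hex).
uuid_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the /etc/crypttab line for the LUKS container that holds the LVM PV.
# $1 = mapper name, $2 = UUID of the LUKS *partition* (not of the mapper
# device), $3 = "ssd" (adds discard, as the page does) or "hdd".
crypttab_entry() {
    name=$1; uuid=$2; media=${3:-ssd}
    uuid_ok "$uuid" || { echo "crypttab_entry: bad UUID '$uuid'" >&2; return 1; }
    if [ "$media" = ssd ]; then
        printf '%s UUID=%s none luks,discard\n' "$name" "$uuid"
    else
        printf '%s UUID=%s none luks\n' "$name" "$uuid"
    fi
}

# DESTROYS $1. Layers LUKS2 -> PV -> VG vgroot -> LVs lvroot/lvhome with the
# same options as the installation steps.
# Usage (assumed partition): sudo sh luks-lvm.sh --format /dev/nvme0n1p5 15G 10G
setup_luks_lvm() {
    part=$1; root_size=${2:-15G}; home_size=${3:-10G}
    [ -d /sys/firmware/efi ] || { echo "not booted in UEFI mode" >&2; return 1; }
    [ -b "$part" ] || { echo "$part is not a block device" >&2; return 1; }
    # Refuse to format anything that is currently mounted.
    if findmnt -rn -S "$part" >/dev/null 2>&1; then
        echo "$part is mounted, refusing to format it" >&2; return 1
    fi
    # aes-xts-plain64 with a 512-bit key is AES-256 (XTS uses two keys).
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --hash sha512 --iter-time 2000 --use-random --verify-passphrase "$part"
    cryptsetup open "$part" pvroot
    pvcreate /dev/mapper/pvroot
    vgcreate vgroot /dev/mapper/pvroot
    lvcreate -n lvroot -L "$root_size" vgroot
    lvcreate -n lvhome -L "$home_size" vgroot
    cryptsetup status pvroot   # shows type LUKS2, cipher and key size
    lsblk "$part"              # shows the crypt -> lvm stack
    echo "crypttab line to use after the installer finishes:"
    crypttab_entry pvroot "$(blkid -s UUID -o value "$part")"
}

# Run from the live session after clicking "Continue Testing".
# $1 = LUKS partition, $2 = the unencrypted /boot partition (both assumed).
# Usage: sudo sh luks-lvm.sh --post /dev/nvme0n1p5 /dev/nvme0n1p4
post_install() {
    part=$1; bootpart=$2
    cryptsetup status pvroot >/dev/null 2>&1 || cryptsetup open "$part" pvroot
    vgchange -ay vgroot
    mount /dev/mapper/vgroot-lvroot /mnt
    mount "$bootpart" /mnt/boot
    mount --bind /dev /mnt/dev
    mount -t proc proc /mnt/proc
    mount -t sysfs sys /mnt/sys
    # Append the crypttab entry once, then regenerate every installed initramfs.
    grep -q '^pvroot ' /mnt/etc/crypttab 2>/dev/null ||
        crypttab_entry pvroot "$(blkid -s UUID -o value "$part")" >> /mnt/etc/crypttab
    chroot /mnt update-initramfs -c -k all
    # Check that the cryptsetup hook actually landed in the initramfs before rebooting.
    for img in /mnt/boot/initrd.img-*; do
        if lsinitramfs "$img" | grep -q cryptsetup; then echo "$img: has cryptsetup hook"
        else echo "WARNING: $img lacks cryptsetup, do not reboot yet" >&2; fi
    done
    umount /mnt/sys /mnt/proc /mnt/dev /mnt/boot /mnt
}

case "${1:-}" in
    --format) shift; setup_luks_lvm "$@" ;;
    --post)   shift; post_install "$@" ;;
    *) ;;   # no mode given: only define the functions (e.g. when sourced)
esac
```

The `--post` step is the one most often gotten wrong by hand: if the crypttab entry is missing or names the mapper device instead of the partition UUID, `update-initramfs` still succeeds but the resulting initramfs will not prompt for the passphrase, so the script checks the generated image for the cryptsetup hook before you reboot.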