dotfiles/setup/ubuntu-install.md
DuckDuckWhale 2df4e7a091
Misc: SSH, Vim, Helix, Ubuntu, setup, shells, ...
- SSH config: disable password and send COLORTERM
- Vim: use <space>u instead of <space>w
- Helix:
	- Update for bug fixes after 23.10
	- Install bash completions, desktop file, and icon
	- Fix bufferline and inlay hints color
	- Reenable auto pairs since smart tabs is a thing now
- Ubuntu:
	- Update to 23.10
	- Change naming convention
	- Add podman and qemu-user-static
- Setup:
	- Update install and swap config
	- Add fish, Pods, Steam
	- Fix CJK font config path
	- Remove Firefox Wayland override now that it's the default
- Shells: configure fish
- Manual:
	- Configure starship
	- Use cargo locked install
	- Remove sparse protocol config now that it's the default
	- Fix failure when fish config directory is not found
- tmux: fix truecolor support for Alacritty
2024-01-19 16:21:22 -08:00

Ubuntu Installation

Installation steps with encryption

By following these steps, you will install Ubuntu with separate /, /home, and /boot partitions, with everything encrypted except /boot. A disk passphrase is required at boot, and a separate user password at login.

  • Boot the Ubuntu 23.10 live image with the Try Ubuntu option.
  • Verify that the machine is booted in UEFI mode: $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
  • Give 1 GiB (or 500 MiB if you are short on space) for /boot using GParted and make a partition for / as well, at least around 25 GB.
  • $ sudo cryptsetup luksFormat --type luks2 --key-size 512 --hash sha512 --use-random /dev/<root partition>
    • These are the defaults; spell them out if you want to be extra certain: --cipher aes-xts-plain64 --iter-time 2000 --verify-passphrase
  • $ sudo cryptsetup open /dev/<root partition> <machine name>
  • No need to overwrite the partition with random data first: it was BitLocker-encrypted before, so its contents already look random, and the extra writes would cost performance and lifespan of the SSD. (If the space previously held unencrypted data, a wipe is worth the cost.)
  • $ sudo pvcreate /dev/mapper/<machine name>
  • $ sudo vgcreate <machine name> /dev/mapper/<machine name>
  • $ sudo lvcreate -n home -L 10G <machine name> (G means GiB according to the man page)
    • Remember to monitor disk usage and when prompted, live extend the LVs!
  • $ sudo lvcreate -n root -L 15G <machine name>
  • Start the Ubuntu installation from the shortcut icon on Desktop.
  • Choose extra software and set a password.
  • Choose Something else.
  • Format /dev/<boot partition> as ext4 and mount to /boot.
  • Format /dev/mapper/<machine name>-root as ext4 and mount to /.
  • Format /dev/mapper/<machine name>-home as ext4 and mount to /home.
  • Get a swap partition the size of your RAM too.
  • Choose the main disk (e.g. /dev/sda or /dev/nvme0n1) as the Device for boot loader installation.
  • Name the partitions if you are feeling fancy.
  • Once the installation is complete, click Continue Testing to make necessary changes to load the encrypted partitions at startup.
  • Make note of the UUID of the LUKS container (not of the PV or file system inside it): $ blkid /dev/<root partition>
  • Mount the installed Ubuntu OS on /mnt and use chroot to change the root directory to /mnt.
    $ sudo mount /dev/mapper/<machine name>-root /mnt
    $ sudo mount /dev/<boot partition> /mnt/boot
    $ sudo mount --bind /dev /mnt/dev
    $ sudo chroot /mnt
    # mount -t proc proc /proc
    # mount -t sysfs sys /sys
    # mount -t devpts devpts /dev/pts
    
    • In the chroot: # vi /etc/crypttab
    • Add the following lines to it (replacing <UUID_PVROOT> with the value obtained from the blkid command earlier):
      # <target name> <source device> <key file> <options>
      <machine name> UUID=<UUID_PVROOT> none luks,discard
      
      • This guide assumes you have an SSD, hence discard. Passing discard through LUKS lets anyone reading the raw disk see which blocks are unused; the notes accept that trade-off for SSD health.
    • Rebuild the initramfs so the kernel can unlock the encrypted partitions at startup: # update-initramfs -k all -c
    • Exit the chroot shell.
  • Reboot.
  • Select Enroll MOK at the blue MOK manager screen. Be quick! After a minute or so it will reboot, and you only get one chance.
    • Select continue and yes.
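The crypttab step above is the one that leaves the system unbootable when the wrong UUID is copied in (the PV or ext4 file system inside the container has its own UUID). The helper below is an added example, not part of the original notes: it builds the crypttab entry from a line of blkid output, refusing anything that is not a LUKS container, and checks an existing crypttab for the expected UUID before you leave the chroot. The name laptop and the blkid line are constructed sample values.

```sh
# Added example, not part of the original notes: build the /etc/crypttab entry
# from blkid output and check a crypttab against the LUKS container UUID.
# "laptop" and the sample blkid line below are constructed.

# crypttab_line NAME BLKID_LINE
#   Prints "NAME UUID=<uuid> none luks,discard" for the LUKS container
#   described by one line of `blkid` output. Refuses anything that is not
#   TYPE="crypto_LUKS": the PV or ext4 UUID inside the container is a
#   different value and would not unlock anything at boot.
crypttab_line() {
    name=$1
    blkid_line=$2
    case "$blkid_line" in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "crypttab_line: not a LUKS container: $blkid_line" >&2; return 1 ;;
    esac
    # Match " UUID=" with a leading space so PARTUUID="..." is not picked up.
    uuid=$(printf '%s\n' "$blkid_line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || { echo "crypttab_line: no UUID in blkid output" >&2; return 1; }
    printf '%s UUID=%s none luks,discard\n' "$name" "$uuid"
}

# crypttab_has_uuid CRYPTTAB_TEXT UUID
#   Succeeds when a non-comment crypttab line references UUID=<UUID>, which
#   is the check to run before exiting the chroot and rebooting.
crypttab_has_uuid() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q "[[:space:]]UUID=$2[[:space:]]"
}

# Constructed sample of what `blkid /dev/<root partition>` prints for a LUKS2 container.
SAMPLE_BLKID='/dev/nvme0n1p5: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS" PARTUUID="a1b2c3d4-05"'

entry=$(crypttab_line laptop "$SAMPLE_BLKID")
echo "$entry"
crypttab_has_uuid "# <target name> <source device> <key file> <options>
$entry" 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 && echo "crypttab references the LUKS container"
```

On a real system, feed crypttab_line the output of blkid for the LUKS partition and append the result to /etc/crypttab inside the chroot; crypttab_has_uuid "$(cat /etc/crypttab)" "$uuid" then confirms the entry is present and not commented out before update-initramfs runs.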

Dual Boot

Here are my personal notes from when I first dual booted Ubuntu, with some updates sprinkled in. Use with caution and back up everything to another detached disk before proceeding. Although it is very unlikely for things to go wrong when this guide is properly followed, I will not be responsible for any data loss.

This guide was first written for Ubuntu 18.04 LTS, so some claims may no longer be true (please let me know if something is wrong). Following this guide, we'll dual boot Ubuntu and Windows 10 with encryption of the root and home mounts.

Questions before we begin

You need to think about these things before you do anything. I have attached my personal answers below but it might be different for you.

  • How much space to allocate for Ubuntu?
    • ~25 GiB; the recommended minimum is 25 GB, and my personal usage has never exceeded 40 GiB for the root drive.
    • If you don't have enough space, you may forgo a separate /home to gain flexibility, since root space can shrink or grow and it's hard to guess the sizes upfront. Plus, if your data is on the Windows BitLocker drive, you could always make a separate drive for your data 2 years later when the next Ubuntu LTS comes out, or just restore from backup. Or, you could make use of LVM...
      • After daily driving Ubuntu I switched to separate / and /home on top of LVM, keeping at least 5 GiB of free space on each LV. When I need more space, I live resize with sudo lvextend -rL +5G vgroot/lvhome so I don't have to guess the total size.
  • Where should Ubuntu root partition be?
    • Right before /boot, which sits right before D:. Since moving the starting location of a BitLocker-protected drive needs a full data move using an external hard drive and is lots of hassle, we can consider the beginning of D: fixed. Putting /boot right before D: makes its location unlikely to be affected by moving partitions around, so we don't have to deal with /boot hassles that may require reinstalling GRUB.
    • After using it for a while, I've decided to put it at the end of the disk instead.
    • Leaving free space between Ubuntu's root and the Windows drive makes both OSs easy to resize: changing the starting location of root is not hard (GParted can do it by itself), and if Windows needs to expand, which is probably more likely, nothing has to move at all.
  • Should you encrypt this partition?
    • Yes. There may be sensitive data in /home/$user/.ssh/, /tmp/, /var/log/, etc. and plus you may want to put the BitLocker key in there as well for Dislocker and keep them safe in case of losing the laptop.
  • Should I encrypt /boot or just /?
    • Just /. Encrypting /boot provides only partial protection against the kind of Evil Maid attack where someone replaces the kernel with one that includes a keylogger. That requires physical access, and with physical access they can do more, for example:
      1. Install another Ubuntu and connect to the Internet to upload password
      2. Install a hardware key logger
      3. Swap it out for a same-looking machine
    • My goal was only to protect against theft and loss, not against these advanced threats. To protect against them, you would need to either:
      • Encrypt /boot, which prevents only the kernel swap, not any of the three points above, and is hard to implement.
      • Password protect the BIOS, which is very risky if I forget the BIOS password and protects only against the kernel swap and threat #1. I consider it not worth it: it adds significant risk only to protect against the first threat, which is unlikely, as I would have to be specifically targeted by very technical people (they could probably also disable the password protection or install the keylogger, but I haven't researched this much).
      • IDK what more could be done.
    • Bottom line: never trust the device once it's been tampered with.
  • How should I encrypt? LUKS?
    • LUKS, I don't want my directory structure to be seen and I want to just use ext4.
  • LVM on LUKS or LUKS on LVM?
    • LVM on LUKS, the usual setup with less hassle, and I don't need multi-disk LUKS anyway as this is a single-disk laptop.
  • Will dual booting mess up the Windows boot loader?
    • Should not, since removing GRUB requires only the removal of its entries from the EFI partition.
  • How to avoid too many password prompts?
    • There should be only one prompt at boot, when the kernel asks for the passphrase to decrypt the file systems, and another for normal logins.
  • How to dual boot and install with encryption?
    • See Installation steps with encryption above.

With these questions answered, we can perform the installation.
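The notes twice come back to the same habit: keep a few GiB free on each LV and run sudo lvextend -rL +5G <vg>/<lv> when a volume runs low. The helper below is an added example, not part of the original notes: it reads df output for the mounted file systems and prints the lvextend command for each LVM-backed volume under a free-space threshold, so the commands can be reviewed before anything is resized. It goes slightly beyond the notes by handling device-mapper's doubled hyphens in VG/LV names (for example /dev/mapper/my--vg-data is VG my-vg, LV data). The df output, VG name laptop and the other names are constructed samples.

```sh
# Added example, not part of the original notes: turn `df` output into the
# lvextend commands the notes recommend. The sample df output below is constructed.

# lv_extend_plan MIN_GIB DF_OUTPUT
#   DF_OUTPUT is the text of `df -BG --output=source,avail,target`.
#   For every /dev/mapper/<vg>-<lv> volume with less than MIN_GIB GiB available,
#   prints "sudo lvextend -rL +5G <vg>/<lv>" (-r grows the file system too,
#   as in the notes). Nothing is executed; the output is a plan to review.
lv_extend_plan() {
    min=$1
    df_out=$2
    printf '%s\n' "$df_out" | awk -v min="$min" '
        NR == 1 { next }                        # header line
        $1 !~ /^\/dev\/mapper\// { next }       # only device-mapper (LVM) volumes
        {
            avail = $2; sub(/G$/, "", avail)
            if (avail + 0 >= min + 0) next      # enough free space, nothing to do
            name = $1; sub(/^\/dev\/mapper\//, "", name)
            # device-mapper doubles hyphens that belong to a VG or LV name;
            # a single hyphen separates the two. Hide "--" before splitting.
            gsub(/--/, "\n", name)
            n = split(name, parts, "-")
            if (n != 2) next                    # not a vg-lv pair (e.g. a plain LUKS mapping)
            vg = parts[1]; lv = parts[2]
            gsub(/\n/, "-", vg); gsub(/\n/, "-", lv)
            printf "sudo lvextend -rL +5G %s/%s\n", vg, lv
        }'
}

# Constructed sample of `df -BG --output=source,avail,target` on a laptop laid
# out as in the notes, plus one VG whose name contains a hyphen.
SAMPLE_DF='Filesystem               Avail Mounted on
/dev/nvme0n1p1              1G /boot
/dev/mapper/laptop-root     3G /
/dev/mapper/laptop-home    12G /home
/dev/mapper/my--vg-data     2G /data'

lv_extend_plan 5 "$SAMPLE_DF"
```

On a live system the call is lv_extend_plan 5 "$(df -BG --output=source,avail,target)"; the printed commands extend the LV and the ext4 file system on it online, matching the live resize the notes describe. The /boot partition is skipped because it is not on LVM and cannot be grown this way.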

Post Install

  • Adjust the boot sequence in UEFI if you want to boot Windows first.
  • $ timedatectl set-local-rtc 1 --adjust-system-clock so Ubuntu keeps the hardware clock in local time like Windows does, preventing the system time from differing between the two OSs.
  • Install and configure Dislocker to access Windows BitLocker drives.