# Ubuntu Installation

## Installation steps with encryption

By following these steps, you will be able to install Ubuntu with a separate `/`, `/home`, and `/boot`, with everything encrypted except `/boot`. A disk password will be required upon boot and a separate user password will be required for login.

- Boot the Ubuntu 23.04 live image with the `Try Ubuntu` option.
- Verify that we are using UEFI:
  ```
  $ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
  ```
- Give 1 GiB (or 500 MiB if you are short on space) for `/boot` using GParted and make a partition for `/` as well, at least around 25 GB.
- Create the LUKS container on the root partition:
  ```
  $ sudo cryptsetup luksFormat --type luks2 --key-size 512 --hash sha512 --use-random /dev/<root partition>
  ```
  - These are the defaults; spell them out if you want to be extra certain: `--cipher aes-xts-plain64 --iter-time 2000 --verify-passphrase`
- Open the container:
  ```
  $ sudo cryptsetup open /dev/<root partition> pvroot
  ```
  - No need to overwrite the partition first, since it was originally BitLocker encrypted (so it already looks random), and a full overwrite would cost the SSD performance and lifespan.
- Set up LVM on top of the opened container:
  ```
  $ sudo pvcreate /dev/mapper/pvroot
  $ sudo vgcreate vgroot /dev/mapper/pvroot
  $ sudo lvcreate -n lvhome -L 10G vgroot
  $ sudo lvcreate -n lvroot -L 15G vgroot
  ```
  (`G` refers to GiB according to the man page.)
  - Remember to monitor disk usage and, when prompted, live extend the LVs!
- Start the Ubuntu installation from the shortcut icon on the Desktop.
- Choose extra software and set a password.
- Choose `Something else`.
- Format `/dev/<boot partition>` as ext4 and mount it to `/boot`.
- Format `/dev/mapper/vgroot-lvroot` as ext4 and mount it to `/`.
- Format `/dev/mapper/vgroot-lvhome` as ext4 and mount it to `/home`.
- Choose the main disk (e.g. `/dev/sda` or `/dev/nvme0n1p2`) as the `Device for boot loader installation`.
- Name the partitions if you are feeling fancy.
- Once the installation is complete, click `Continue Testing` to make the necessary changes so the encrypted partitions are loaded at startup.
- Make note of the UUID:
  ```
  $ blkid /dev/<pvroot-partition>
  ```
- Mount the installed Ubuntu OS on `/mnt` and use `chroot` to change the root directory to `/mnt`:
  ```
  $ sudo mount /dev/mapper/vgroot-lvroot /mnt
  $ sudo mount /dev/<boot partition> /mnt/boot
  $ sudo mount --bind /dev /mnt/dev
  $ sudo chroot /mnt
  # mount -t proc proc /proc
  # mount -t sysfs sys /sys
  # mount -t devpts devpts /dev/pts
  ```
- In the chroot:
  ```
  # vi /etc/crypttab
  ```
  - Add the following lines to it (replacing `<UUID_PVROOT>` with the value obtained from the `blkid` command earlier):
    ```
    # <target name> <source device> <key file> <options>
    pvroot UUID=<UUID_PVROOT> none luks,discard
    ```
  - This guide assumes you have an SSD, so we have `discard`.
- Regenerate the initramfs so the kernel can unlock the encrypted partitions at startup:
  ```
  # update-initramfs -k all -c
  ```
- Exit the chroot shell.
- Reboot.
- Select Enroll MOK at the blue screen MOK manager. Be quick! After a minute or so it will reboot and you only get one chance.
- Select continue and yes.
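As an added example (not part of the original guide), the POSIX shell functions below derive the `/etc/crypttab` entry from the `blkid` output captured earlier and sanity-check the resulting file before `update-initramfs` is run, so the UUID is never retyped by hand. The `blkid` line, device name and UUID are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the crypttab entry
# from blkid output and validate crypttab before regenerating the initramfs.

# Constructed sample of `blkid /dev/<pvroot-partition>` output (placeholder
# device and UUID; use the real command's output on the target machine).
SAMPLE_BLKID='/dev/nvme0n1p6: UUID="5f1c2a3b-7d8e-4f90-a1b2-c3d4e5f60718" TYPE="crypto_LUKS" PARTUUID="0f1e2d3c-04"'

# Print the LUKS container UUID from one blkid line. Requiring whitespace
# before UUID= keeps PARTUUID= from matching.
luks_uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([0-9a-fA-F-]*\)".*/\1/p'
}

# Succeed only if blkid reports the device as a LUKS container.
is_luks_device() {
    case "$1" in *'TYPE="crypto_LUKS"'*) return 0 ;; *) return 1 ;; esac
}

# Emit "<target> UUID=<uuid> none <options>", the form the guide uses.
# $1 = blkid line, $2 = target name (pvroot), $3 = options (luks,discard).
crypttab_line() {
    uuid=$(luks_uuid_from_blkid "$1")
    [ -n "$uuid" ] && is_luks_device "$1" || return 1
    printf '%s UUID=%s none %s\n' "$2" "$uuid" "$3"
}

# Read crypttab text on stdin; reject it unless every entry has four fields,
# a UUID= source (device names can change between boots) and the luks
# option. Comment and blank lines are skipped; at least one entry is required.
check_crypttab() {
    entries=0
    while read -r target source keyfile options; do
        case "$target" in '' | '#'*) continue ;; esac
        [ -n "$options" ] || return 1
        case "$source" in UUID=*) ;; *) return 1 ;; esac
        case ",$options," in *,luks,*) ;; *) return 1 ;; esac
        entries=$((entries + 1))
    done
    [ "$entries" -gt 0 ]
}

# Usage on the sample data: build the entry, validate the file, print it.
crypttab_text="# <target name> <source device> <key file> <options>
$(crypttab_line "$SAMPLE_BLKID" pvroot luks,discard)"
printf '%s\n' "$crypttab_text" | check_crypttab && printf '%s\n' "$crypttab_text"
```

`discard` passes TRIM through to the SSD, which reveals which sectors of the LUKS container are unused; the guide accepts that trade-off for SSD longevity, and the checker only requires `luks`, not `discard`.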
## Dual Boot

Here are my personal notes from when I first dual booted Ubuntu, with some updates sprinkled in. Use with caution and back up everything on another detached disk before proceeding. Although it is very unlikely for things to go wrong when this guide is properly followed, I will not be responsible for any data loss.

This guide was first written for Ubuntu 18.04 LTS, so some claims may no longer be true (please let me know if any is false). Following this guide, we'll dual boot Ubuntu and Windows 10 with encryption set up for the root and home mounts.
### Questions before we begin

You need to think about these things before you do anything. I have attached my personal answers below, but yours might be different.

- How much space to allocate for Ubuntu?
  - ~25 GiB; the recommended minimum is 25 GB and my personal usage has never exceeded 40 GiB for the root drive.
  - If you don't have enough space, you may forgo a separate `/home` to gain flexibility, as root space could shrink or grow and it's hard to guess the sizes upfront. Plus, if your data is on the Windows BitLocker drive, you could always make a separate drive to keep your data 2 years later when the next Ubuntu LTS comes out, or just restore from backup. Or, you could make use of LVM...
    - After daily driving Ubuntu I switched to separate `/` and `/home` on top of LVM, keeping at least 5 GiB of free space for each LV. When I need more space, I always live resize with `sudo lvextend -rL +5G vgroot/lvhome`, so I don't have to guess the total size.
- Where should the Ubuntu root partition be?
  - Right before `/boot`, which sits before `D:`. Since moving the starting location of a BitLocker protected drive needs a full data move using an external hard drive and is lots of hassle, we can consider the beginning of `D:` to be fixed. Putting `/boot` right before `D:` makes its location unlikely to be affected by moving partitions around, so we don't have to deal with any potential `/boot` hassles which may require reinstallation of GRUB.
    - After using it for a while, I've decided to put it at the end of the disk instead.
    - Leaving free space between Ubuntu's root and the Windows drive makes both OSs easy to resize, because it is not hard to change the starting location of root (GParted can do the job itself), and instead of requiring a full move in case Windows needs to expand, which is probably more likely, we require nothing.
- Should you encrypt this partition?
  - Yes. There may be sensitive data in `/home/$user/.ssh/`, `/tmp/`, `/var/log/`, etc. Plus, you may want to put the BitLocker key in there as well for Dislocker and keep it safe in case of losing the laptop.
- Should I encrypt `/boot` or just `/`?
  - Just `/`. Encrypting `/boot` provides only partial protection against the kind of Evil Maid attack where someone swaps the kernel for one that includes a keylogger. This requires physical access, and with that they can do more, for example:
    - Install another Ubuntu and connect to the Internet to upload the password
    - Install a hardware keylogger
    - Swap it out for a same-looking machine
  - My goal was only to protect against theft and loss, not against these advanced threats. To protect against those, you would need to either:
    - Encrypt `/boot`, which prevents only the swap of a kernel but none of the three points above, and is hard to implement.
    - Password protect the BIOS, which is very risky if I forget the BIOS password and protects only against the kernel swap and threat #1. I consider it not worthwhile, as it adds significant risk only to protect against the first threat, which is unlikely as I would have to be specifically targeted by very technical people (they probably could also disable the password protection or install the keylogger too, but I haven't researched much about this).
    - IDK what more could be done.
  - Bottom line: never trust the device once it's been tampered with.
- How should I encrypt? LUKS?
  - LUKS; I don't want my directory structure to be seen and I want to just use ext4.
- LVM on LUKS or LUKS on LVM?
  - LVM on LUKS, the usual setup with less hassle, and I don't need multi-disk LUKS anyway as this is a single-disk laptop.
- Will dual booting mess up the Windows boot loader?
  - It should not, since removing GRUB requires only the removal of its entries from the EFI partition.
- How to avoid too many password prompts?
  - There should be only one prompt at boot, when the kernel asks for the password to decrypt the file systems, and another for normal logins.
- How to dual boot and install with encryption?
  - Here is the original guide which I based this one on: Encrypting disks on Ubuntu 19.04

With these questions answered, we can perform the installation.
## Post Install

- Adjust the boot sequence in UEFI if you want to boot Windows first.
- Run `timedatectl set-local-rtc 1 --adjust-system-clock` to prevent the system clock from differing when dual booting.
- Install and configure Dislocker to access Windows BitLocker drives.