1.1. Ubuntu

This chapter describes the installation of Ubuntu on a Dell XPS 15 laptop. This will be a dual boot setup with Windows 10 and Ubuntu 19.10. Ubuntu will be installed using LVM on top of a LUKS encrypted partition.

More details may be found in the articles this chapter is adapted from:

1.1.1. Pre-installation

Boot Ubuntu from a Live OS and select the option Try Ubuntu without installing.

Partition your drive using your favorite tool, for example GParted. Create a small partition for the boot process that cannot be encrypted, otherwise you won’t be able to boot. Create another partition for your data that will be encrypted.

If your device is /dev/nvme0n1, the partitions may look like this:

Partition

Name

Size

Mount point

Filesystem

/dev/nvme0n1p1

EFI

500 Mo

FAT32

/dev/nvme0n1p2

Windows 10 MSR

128 Mo

/dev/nvme0n1p3

Windows 10

300 Go

BitLocker

/dev/nvme0n1p4

1 Go

NTFS

/dev/nvme0n1p5

Windows 10 Recovery

1 Go

NTFS

/dev/nvme0n1p6

Ubuntu Boot

1 Go

/boot

EXT4

/dev/nvme0n1p7

Ubuntu

650 Go

LUCKS

Create the encrypted partition:

1sudo cryptsetup luksFormat /dev/nvme0n1p7
2sudo cryptsetup luksOpen   /dev/nvme0n1p7 hdcrypt  # <1>
3
4# <1> the name 'hdcrypt' is arbitrary

While not necessary, it’s a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data:

1sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
2sudo apt install -y pv  # <1>
3sudo sh -c 'exec pv -tprebB 16 m /dev/zero >"$1"' _ /dev/mapper/hdcrypt
4
5# <1> 'pv' is a progress bar indicator

Setup LVM on your encrypted partition:

Warning

The size of the Swap partition must be larger than the total amount of RAM if you want the system to be able to hibernate.

 1sudo pvcreate /dev/mapper/hdcrypt
 2sudo vgcreate vgcrypt /dev/mapper/hdcrypt    # <1>
 3
 4sudo lvcreate -n lvswap -L 40g vgcrypt       # <2>
 5sudo lvcreate -n lvroot -l 100%FREE vgcrypt  # <3>
 6
 7sudo mkswap /dev/mapper/vgcrypt-lvswap
 8sudo mkfs.ext4 /dev/mapper/vgcrypt-lvroot
 9
10# <1> the name 'vgcrypt' is arbitrary
11# <2> the name 'lvswap' is arbitrary
12# <3> the name 'lvroot' is arbitrary

1.1.2. Installation

You’re now ready to install Ubuntu:

Danger

When the installation is complete, DO NOT REBOOT! Choose the option Continue Testing.

  1. At the “Installation type” step of the install, choose the Something else option

  2. Assign the partition /dev/mapper/vgcrypt-lvroot to / using an ext4 filesystem

  3. Assign the partition /dev/mapper/vgcrypt-lvswap to the swap filesystem

  4. Assign the partition /dev/nvme0n1p6 to /boot using an ext4 filesystem

  5. Change the Device for boot loader installation to /dev/nvme0n1p6

  6. Continue with the installation but DO NOT REBOOT: choose the option Continue Testing

1.1.3. Post-installation

Take note of the UUID (not the PARTUUID) of the encrypted partition /dev/nvme0n1p7. This can be found by typing in a terminal:

1sudo blkid /dev/nvme0n1p7
2# /dev/nvme0n1p7: UUID="10b2c03f-69f4-49b8-8ca9-43f9ad665bc6" TYPE="crypto_LUKS" PARTLABEL="Ubuntu-18.04" PARTUUID="563a548a-e79f-41e7-8f6b-edb9b24c506f"

Mount the newly installed system:

1sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
2sudo mount /dev/nvme0n1p6             /mnt/boot
3sudo mount /dev/nvme0n1p1             /mnt/boot/efi
4
5sudo mount --bind  /dev  /mnt/dev
6sudo mount --bind  /proc /mnt/proc
7sudo mount --rbind /sys  /mnt/sys
8
9sudo chroot /mnt/

Declare the encrypted partition with crypttab. Create the file /etc/crypttab with the following content, replacing the UUID with the UUID of your disk:

/etc/crypttab
1# <target name>  <source device>                            <key file>  <options>
2hdcrypt          UUID=10b2c03f-69f4-49b8-8ca9-43f9ad665bc6  none        luks

Note

You may find some tutorials saying to:

  • change the boot loader configuration in /etc/default/grub

  • add the configuration file /etc/initramfs-tools/conf.d/cryptroot

None of these steps are required.

Regenerate all the boot images and the boot loader configuration:

1update-initramfs -k all -c
2update-grub

Exit the chroot environment with Control-D.

Unmount the newly installed system:

1sudo umount /mnt/sys /mnt/proc /mnt/dev /mnt/boot/efi /mnt/boot /mnt/

1.1.4. First boot

Now you can reboot.

If the boot process get stuck at the LUKS password screen:

  1. Reboot in recovery mode

  2. Enter the LUKS password when requested

  3. Resume normal boot with resume.

Save the LUKS header to a secure location in case it gets corrupted:

1sudo cryptsetup luksHeaderBackup /dev/nvme0n1p7 --header-backup-file /luks-header.bin.crypt

You’re finally ready to install the last updates and do some cleanup:

1sudo apt update
2sudo apt upgrade
3sudo apt autoremove

1.1.5. How-to

1.1.5.1. How to resize an encrypted partition

Warning

Backup all your data! There is a good chance something will go wrong…

Boot from a LiveCD then:

 1sudo apt update
 2sudo apt install -y lvm2 cryptsetup
 3
 4sudo modprobe dm-crypt
 5sudo cryptsetup luksOpen /dev/nvme0n1p7 vgcrypt
 6sudo vgscan --mknodes
 7sudo vgchange -ay
 8
 9sudo pvdisplay -m
10
11sudo cryptsetup resize vgcrypt
12sudo pvresize /dev/mapper/vgcrypt
13
14sudo pvchange -x y         /dev/mapper/vgcrypt
15sudo lvresize -l +100%FREE /dev/vgcrypt/lvroot
16sudo pvchange -x n         /dev/mapper/vgcrypt
17
18sudo e2fsck -f    /dev/vgcrypt/lvroot
19sudo resize2fs -p /dev/vgcrypt/lvroot

1.1.5.2. How to repair Grub with an encrypted partition from a LiveCD

Warning

Backup all your data! There is some chance something will go wrong…

Boot from a LiveCD then:

 1sudo cryptsetup luksOpen /dev/nvme0n1p7 hdcrypt
 2sudo vgscan
 3sudo vgchange -ay
 4sudo lvscan
 5
 6sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
 7sudo mount /dev/nvme0n1p6             /mnt/boot
 8sudo mount /dev/nvme0n1p1             /mnt/boot/efi
 9
10sudo mount --bind  /dev  /mnt/dev
11sudo mount --bind  /proc /mnt/proc
12sudo mount --rbind /sys  /mnt/sys
13
14sudo chroot /mnt/
15
16# repair with boot-repair, or with your bare hands ;-)
17grub-install /dev/nvme0n1
18grub-install --recheck /dev/nvme0n1
19update-grub
20
21# you may check the filesystem (see below)
22
23exit
24
25sudo umount /mnt/boot/efi /mnt/boot /mnt/dev /mnt/sys /mnt/proc /mnt/

1.1.5.3. How to check an encrypted partition from a LiveCD

Warning

Backup all your data!

Boot from a LiveCD then:

 1sudo cryptsetup luksOpen /dev/nvme0n1p7 hdcrypt
 2sudo vgscan
 3sudo vgchange -ay
 4sudo lvscan
 5
 6sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
 7sudo mount /dev/nvme0n1p6             /mnt/boot
 8sudo mount /dev/nvme0n1p1             /mnt/boot/efi
 9
10sudo mount --bind  /dev  /mnt/dev
11sudo mount --bind  /proc /mnt/proc
12sudo mount --rbind /sys  /mnt/sys
13
14sudo chroot /mnt/
15
16fdisk -l
17umount /dev/mapper/vgcrypt-lvroot
18fsck -p /dev/mapper/vgcrypt-lvroot
19
20exit
21
22sudo umount /mnt/boot/efi /mnt/boot /mnt/dev /mnt/sys /mnt/proc /mnt/