1.1. Ubuntu
This chapter describes the installation of Ubuntu on a Dell XPS 15 laptop. This will be a dual boot setup with Windows 10 and Ubuntu 19.10. Ubuntu will be installed using LVM on top of a LUKS encrypted partition.
More details may be found in the articles this chapter is adapted from:
1.1.1. Pre-installation
Boot Ubuntu from a Live OS and select the option Try Ubuntu without installing.
Partition your drive using your favorite tool, for example GParted. Create a small partition for the boot process that cannot be encrypted, otherwise you won’t be able to boot. Create another partition for your data that will be encrypted.
If your device is /dev/nvme0n1
, the partitions may look like this:
Partition |
Name |
Size |
Mount point |
Filesystem |
---|---|---|---|---|
/dev/nvme0n1p1 |
EFI |
500 Mo |
FAT32 |
|
/dev/nvme0n1p2 |
Windows 10 MSR |
128 Mo |
||
/dev/nvme0n1p3 |
Windows 10 |
300 Go |
BitLocker |
|
/dev/nvme0n1p4 |
1 Go |
NTFS |
||
/dev/nvme0n1p5 |
Windows 10 Recovery |
1 Go |
NTFS |
|
/dev/nvme0n1p6 |
Ubuntu Boot |
1 Go |
/boot |
EXT4 |
/dev/nvme0n1p7 |
Ubuntu |
650 Go |
LUCKS |
Create the encrypted partition:
1sudo cryptsetup luksFormat /dev/nvme0n1p7
2sudo cryptsetup luksOpen /dev/nvme0n1p7 hdcrypt # <1>
3
4# <1> the name 'hdcrypt' is arbitrary
While not necessary, it’s a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data:
1sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
2sudo apt install -y pv # <1>
3sudo sh -c 'exec pv -tprebB 16 m /dev/zero >"$1"' _ /dev/mapper/hdcrypt
4
5# <1> 'pv' is a progress bar indicator
Setup LVM on your encrypted partition:
Warning
The size of the Swap partition must be larger than the total amount of RAM if you want the system to be able to hibernate.
1sudo pvcreate /dev/mapper/hdcrypt
2sudo vgcreate vgcrypt /dev/mapper/hdcrypt # <1>
3
4sudo lvcreate -n lvswap -L 40g vgcrypt # <2>
5sudo lvcreate -n lvroot -l 100%FREE vgcrypt # <3>
6
7sudo mkswap /dev/mapper/vgcrypt-lvswap
8sudo mkfs.ext4 /dev/mapper/vgcrypt-lvroot
9
10# <1> the name 'vgcrypt' is arbitrary
11# <2> the name 'lvswap' is arbitrary
12# <3> the name 'lvroot' is arbitrary
1.1.2. Installation
You’re now ready to install Ubuntu:
Danger
When the installation is complete, DO NOT REBOOT! Choose the option Continue Testing.
At the “Installation type” step of the install, choose the Something else option
Assign the partition
/dev/mapper/vgcrypt-lvroot
to/
using anext4
filesystemAssign the partition
/dev/mapper/vgcrypt-lvswap
to theswap
filesystemAssign the partition
/dev/nvme0n1p6
to/boot
using anext4
filesystemChange the
Device for boot loader installation
to/dev/nvme0n1p6
Continue with the installation but DO NOT REBOOT: choose the option Continue Testing
1.1.3. Post-installation
Take note of the UUID (not the PARTUUID) of the encrypted partition /dev/nvme0n1p7
.
This can be found by typing in a terminal:
1sudo blkid /dev/nvme0n1p7
2# /dev/nvme0n1p7: UUID="10b2c03f-69f4-49b8-8ca9-43f9ad665bc6" TYPE="crypto_LUKS" PARTLABEL="Ubuntu-18.04" PARTUUID="563a548a-e79f-41e7-8f6b-edb9b24c506f"
Mount the newly installed system:
1sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
2sudo mount /dev/nvme0n1p6 /mnt/boot
3sudo mount /dev/nvme0n1p1 /mnt/boot/efi
4
5sudo mount --bind /dev /mnt/dev
6sudo mount --bind /proc /mnt/proc
7sudo mount --rbind /sys /mnt/sys
8
9sudo chroot /mnt/
Declare the encrypted partition with crypttab
.
Create the file /etc/crypttab
with the following content, replacing the UUID with the UUID of your disk:
1# <target name> <source device> <key file> <options>
2hdcrypt UUID=10b2c03f-69f4-49b8-8ca9-43f9ad665bc6 none luks
Note
You may find some tutorials saying to:
change the boot loader configuration in
/etc/default/grub
add the configuration file
/etc/initramfs-tools/conf.d/cryptroot
None of these steps are required.
Regenerate all the boot images and the boot loader configuration:
1update-initramfs -k all -c
2update-grub
Exit the chroot environment with Control-D.
Unmount the newly installed system:
1sudo umount /mnt/sys /mnt/proc /mnt/dev /mnt/boot/efi /mnt/boot /mnt/
1.1.4. First boot
Now you can reboot.
If the boot process get stuck at the LUKS password screen:
Reboot in recovery mode
Enter the LUKS password when requested
Resume normal boot with resume.
Save the LUKS header to a secure location in case it gets corrupted:
1sudo cryptsetup luksHeaderBackup /dev/nvme0n1p7 --header-backup-file /luks-header.bin.crypt
You’re finally ready to install the last updates and do some cleanup:
1sudo apt update
2sudo apt upgrade
3sudo apt autoremove
1.1.5. How-to
1.1.5.1. How to resize an encrypted partition
Warning
Backup all your data! There is a good chance something will go wrong…
Boot from a LiveCD then:
1sudo apt update
2sudo apt install -y lvm2 cryptsetup
3
4sudo modprobe dm-crypt
5sudo cryptsetup luksOpen /dev/nvme0n1p7 vgcrypt
6sudo vgscan --mknodes
7sudo vgchange -ay
8
9sudo pvdisplay -m
10
11sudo cryptsetup resize vgcrypt
12sudo pvresize /dev/mapper/vgcrypt
13
14sudo pvchange -x y /dev/mapper/vgcrypt
15sudo lvresize -l +100%FREE /dev/vgcrypt/lvroot
16sudo pvchange -x n /dev/mapper/vgcrypt
17
18sudo e2fsck -f /dev/vgcrypt/lvroot
19sudo resize2fs -p /dev/vgcrypt/lvroot
1.1.5.2. How to repair Grub with an encrypted partition from a LiveCD
Warning
Backup all your data! There is some chance something will go wrong…
Boot from a LiveCD then:
1sudo cryptsetup luksOpen /dev/nvme0n1p7 hdcrypt
2sudo vgscan
3sudo vgchange -ay
4sudo lvscan
5
6sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
7sudo mount /dev/nvme0n1p6 /mnt/boot
8sudo mount /dev/nvme0n1p1 /mnt/boot/efi
9
10sudo mount --bind /dev /mnt/dev
11sudo mount --bind /proc /mnt/proc
12sudo mount --rbind /sys /mnt/sys
13
14sudo chroot /mnt/
15
16# repair with boot-repair, or with your bare hands ;-)
17grub-install /dev/nvme0n1
18grub-install --recheck /dev/nvme0n1
19update-grub
20
21# you may check the filesystem (see below)
22
23exit
24
25sudo umount /mnt/boot/efi /mnt/boot /mnt/dev /mnt/sys /mnt/proc /mnt/
1.1.5.3. How to check an encrypted partition from a LiveCD
Warning
Backup all your data!
Boot from a LiveCD then:
1sudo cryptsetup luksOpen /dev/nvme0n1p7 hdcrypt
2sudo vgscan
3sudo vgchange -ay
4sudo lvscan
5
6sudo mount /dev/mapper/vgcrypt-lvroot /mnt/
7sudo mount /dev/nvme0n1p6 /mnt/boot
8sudo mount /dev/nvme0n1p1 /mnt/boot/efi
9
10sudo mount --bind /dev /mnt/dev
11sudo mount --bind /proc /mnt/proc
12sudo mount --rbind /sys /mnt/sys
13
14sudo chroot /mnt/
15
16fdisk -l
17umount /dev/mapper/vgcrypt-lvroot
18fsck -p /dev/mapper/vgcrypt-lvroot
19
20exit
21
22sudo umount /mnt/boot/efi /mnt/boot /mnt/dev /mnt/sys /mnt/proc /mnt/