@labbots
Created June 10, 2019 11:12
Ubuntu 18.04 Manual partitioning setup with LUKS encryption and LVM - https://labbots.com/ubuntu-18-04-installation-with-luks-and-lvm

Ubuntu 18.04 installation with LUKS and LVM

Installation Process

Pre-installation from live OS

This setup of Ubuntu with LUKS and LVM is tested on Ubuntu 18.04.

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/nvme0n1.

  1. Partition the drive with your tool of choice: I used gparted to set mine up.
    • Make sure the drive in which we are about to install is completely unallocated.
    • The first partition must always be the ESP partition. Set the following fields:
      • Free space preceding - Change only if required (it might not accept zero)
      • New Size - 550MiB
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - EFI System Partition
      • File System - fat32
      • Label - ESP
      • Press Add, and then the big green tick and "Apply".
      • Right-click your new partition (with the name "EFI System Partition") and select "Manage Flags".
      • Select "esp", which will automatically change a couple of other flags. Press Close.
    • The next partition is the boot partition. Set the following fields:
      • Free space preceding - Automatic value
      • New Size - 1024 MiB
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - boot
      • File System - ext4
      • Label - boot
    • The next partition is the encryption (LUKS) partition. Set the following fields:
      • Free space preceding - Automatic value
      • New Size - Entire space available
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - system
      • File System - cleared
      • Label - system
  2. The resulting partition table will look as follows:
    • nvme0n1p1: EFI partition 550 MiB
    • nvme0n1p2: /boot (1G)
    • nvme0n1p3: LUKS partition (the rest of the disk)
  3. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p3
    • sudo cryptsetup luksOpen /dev/nvme0n1p3 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. BEWARE, this could take a really long time!
      • sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
  4. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 20G vg0
    • sudo lvcreate -n root -l +100%FREE vg0

Installation from live OS

  1. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/nvme0n1p2 as /boot. The /boot partition must not be encrypted. If it is, we won't be able to boot.
  2. Press the "Change…" button and assign boot, swap and root (/) partition to installation partitions
  3. Change the "Device for boot loader installation" to /dev/nvme0n1, and continue with installation.
  4. When installation is complete, don't reboot! Choose the option to "Continue Testing".

Post-installation configuration from live OS

  1. In a terminal, type the following and look for the UUID of /dev/nvme0n1p3. Take note of that UUID for later.

    • sudo blkid | grep LUKS
    • The important line on my machine reads /dev/nvme0n1p3: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  2. Next, let's get the newly installed system mounted again so we can make some more changes.

    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/nvme0n1p2 /mnt/boot
    • sudo mount --bind /dev /mnt/dev
    • sudo mount --bind /run/lvm /mnt/run/lvm
    • sudo mount /dev/nvme0n1p1 /mnt/boot/efi
  3. Now run sudo chroot /mnt to access the installed system

  4. From the chroot, mount a couple more things.

    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  5. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, replacing the UUID with the UUID of your disk.

    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  6. Lastly, rebuild some boot files.

    • update-initramfs -k all -c
    • update-grub

  7. Reboot, and the system should ask for a password to decrypt on boot!
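
A check worth running inside the chroot before rebuilding the boot files in step 6, as an added example that is not part of the original gist: it confirms that /etc/crypttab maps the name the volume was opened under (CryptDisk here) to the UUID that blkid reports for the LUKS partition. The function names and the sample blkid and crypttab text are constructed for illustration; on a real system pass in "$(blkid)" and "$(cat /etc/crypttab)".

```sh
#!/bin/sh
# Added example (not from the gist): validate /etc/crypttab against blkid
# output before rebuilding the initramfs. Function names are illustrative.

# Print the UUID of the crypto_LUKS device $2 found in blkid output $1.
luks_uuid() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) { gsub(/UUID=|"/, "", $i); print $i }
        }'
}

# Return 0 when crypttab text $1 maps name $2 to UUID $3 with the luks option.
# $2 should be the name given to luksOpen (CryptDisk on this page).
check_crypttab() {
    printf '%s\n' "$1" | awk -v name="$2" -v want="UUID=$3" '
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == name {
            seen = 1
            opts = "," $4 ","                  # wrap so whole options match
            if ($2 != want)              { print "UUID mismatch: " $2; bad = 1 }
            if (!index(opts, ",luks,"))  { print "missing luks option"; bad = 1 }
            if (index(opts, ",discard,")) print "note: discard passes TRIM through to the disk"
        }
        END {
            if (!seen) { print "no crypttab entry named " name; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample input; the LUKS UUID is the one quoted on this page.
SAMPLE_BLKID='/dev/nvme0n1p2: LABEL="boot" UUID="00000000-0000-0000-0000-000000000002" TYPE="ext4"
/dev/nvme0n1p3: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"'
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard'

uuid=$(luks_uuid "$SAMPLE_BLKID" /dev/nvme0n1p3)
check_crypttab "$SAMPLE_CRYPTTAB" CryptDisk "$uuid" && echo "crypttab OK for $uuid"
```

A non-zero return means the entry is missing, names a different mapping, or points at another UUID; fix /etc/crypttab before running update-initramfs.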


Enabling System Hibernation

Configuring encrypted Swap

  1. Identify the Swap partition path by viewing the fstab.
    • cat /etc/fstab
    • The swap path would look something like /dev/mapper/vg0-swap
  2. Create a resume file in initramfs so the swap can be loaded at boot.
    • sudo gedit /etc/initramfs-tools/conf.d/resume
    • Add the following line to the file and save it:
      • RESUME=/dev/mapper/vg0-swap
  3. Add the same value to the GRUB configuration.
    • sudo gedit /etc/default/grub
    • GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vg0-swap"
  4. Update the kernel image and GRUB.
    • sudo update-initramfs -u -k all
    • sudo update-grub
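
The three settings above have to name the same device or resume from hibernation fails. The following added example, which is not part of the original gist, compares the swap entry in fstab, the initramfs RESUME= value and the resume= kernel parameter. The function names and sample file contents are constructed, and it assumes fstab lists swap by its /dev/mapper path as described in step 1.

```sh
#!/bin/sh
# Added example (not from the gist): confirm that fstab, the initramfs resume
# file and the GRUB kernel command line all point at the same swap device.

# Device of the first swap entry in fstab text $1.
fstab_swap() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }'
}

# Value of RESUME= in the text of /etc/initramfs-tools/conf.d/resume ($1).
initramfs_resume() {
    printf '%s\n' "$1" | sed -n 's/^RESUME=//p' | head -n 1
}

# Value of resume= inside GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub ($1).
grub_resume() {
    printf '%s\n' "$1" |
        sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' |
        tr ' ' '\n' | sed -n 's/^resume=//p' | head -n 1
}

# Return 0 only when all three values are set and identical.
# Arguments: fstab text, resume file text, /etc/default/grub text.
resume_consistent() {
    s=$(fstab_swap "$1"); r=$(initramfs_resume "$2"); g=$(grub_resume "$3")
    [ -n "$s" ] && [ "$s" = "$r" ] && [ "$s" = "$g" ] && return 0
    echo "mismatch: fstab='$s' initramfs='$r' grub='$g'"
    return 1
}

# Constructed sample file contents matching the values used on this page.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vg0-root / ext4 errors=remount-ro 0 1
/dev/mapper/vg0-swap none swap sw 0 0'
SAMPLE_RESUME='RESUME=/dev/mapper/vg0-swap'
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vg0-swap"'

resume_consistent "$SAMPLE_FSTAB" "$SAMPLE_RESUME" "$SAMPLE_GRUB" &&
    echo "resume device consistent: $(fstab_swap "$SAMPLE_FSTAB")"
```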

Enabling Hibernate

  1. Test whether hibernate is supported on your system by manually running the hibernate command from the terminal.

    • sudo systemctl hibernate
  2. If hibernate works as expected, then open the following file.

    • sudo gedit /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
  3. Add the following snippet to the file and save it.

[Re-enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes

[Re-enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
  4. Restart the system after modifying the configuration.
  5. Install the Hibernate Status Button GNOME extension to add a hibernate button to the GUI.

Enabling PM Utils

  1. Install PM Utils using the following command.
    • sudo apt install --assume-yes --quiet pm-utils
  2. Check if your system supports hybrid suspend.
    • sudo pm-is-supported --suspend-hybrid && echo 'Hybrid suspend available' || echo 'Hybrid suspend NOT supported'
  3. If hybrid suspend is supported, then add the following lines to /etc/systemd/logind.conf
HandleSuspendKey=hybrid-sleep
HandleLidSwitch=hybrid-sleep

Nvidia Graphic driver issue

I had issues with suspend and hibernate when using the Nvidia graphics driver (Quadro p1000). If you encounter such issues, then add the following line to /etc/default/grub

GRUB_CMDLINE_LINUX="nouveau.blacklist=1 acpi_rev_override=1 acpi_osi=Linux acpiphp.disable=1 nouveau.modeset=0 pcie_aspm=force drm.vblankoffdelay=1 scsi_mod.use_blk_mq=1 nouveau.runpm=0 mem_sleep_default=deep"

Once the configuration is saved, run the following command to refresh GRUB.

sudo update-grub


@artgromov

Thanks for the great manual! Successfully used on Ubuntu 20.04 until the "Enabling System Hibernation" chapter.

@iutech-france

iutech-france commented Jan 18, 2022

Very well written, thanks!

I tried to install Ubuntu 20.04 this way and chose btrfs as the filesystem though, so all the "mount" commands were wrong (and at first I didn't understand why).
It would be great if you had time to write a version for doing it with btrfs, but else it would be good to put a warning that all the "mount" part would need to be adapted if one is to use btrfs...

I was in a hurry and am not an expert, so I restarted everything and used ext4 instead, so I can't tell you what works on btrfs alas.

Actually, I ran into another problem: sudo mount /dev/nvme0n1p1 /mnt/boot/efi tells me that "there is no /mnt/boot/efi".
So, since I did "sudo mount /dev/nvme0n1p2 /mnt/boot/" (and flagged nvme0n1p1 as "esp" per your instruction) I don't understand what causes that?

There is no option to set nvme0n1p2 as "/boot" though in the installer, only as "zone réservée pour le chargeur d'amorçage BIOS" (biosgrub), so that's what I used. Is that a problem?

Also, for the second partition, you say to use Partition "Name - boot, File System - ext4, Label - boot" and later that it should appear on Gparted as "/boot".
But no, it doesn't, it appears as "boot" (without slash).
I thought the name and label on Gparted had no consequences and were there just for clarity, was I wrong?
Also I used 2 GB (and 1 GB for the ESP one) since I had bad experiences with /boot partitions getting full with old kernels, is that a problem?

@iutech-france

Actually the problem was that I tried to follow the "Don't forget to set /dev/nvme0n1p2 as /boot" a bit too literally: I was looking for a "boot" in the first dropdown list (and didn't find one so biosgrub was the most similar to it) instead of choosing ext4 format and then /boot as mounting point in the second dropdown list that appears after selecting the format.

Don't know whether other people may be prone to making the same mistakes?

@alfonz19

alfonz19 commented Aug 9, 2023

step 13) (update-initramfs -k all -c - update-grub) didn't work for me; well, to be honest, I did reboot after installation, but I started again from live usb, opened luks (cryptsetup luksOpen ... abc), mounted all partitions and chrooted, but when doing update-initramfs it complained that I cannot access abc after chroot. Any idea what could be wrong?
