@3r1co
Last active March 26, 2020 19:49
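# Phase 1 - host side, run as root from the live/installer session.
#
# Partitions the disk, creates two LUKS1 containers (one for /boot, one holding
# the LVM physical volume for swap and root), then hands over to the chroot.
#
# This listing is a transcript, not a single unattended script: the Ubuntu
# installer is run against these devices between the lvcreate and the
# GRUB_ENABLE_CRYPTODISK line (not shown), that line must be appended while the
# installer still has /target mounted, and the mount/bind/chroot steps run only
# after the installer has finished and released /target.
#
# Required environment (export them before running):
#   DEV - whole-disk device, e.g. /dev/sda
#   DM  - device-mapper name prefix for the root container, e.g. sda
# Partition devices are formed as ${DEV}<n>, which is only correct for disks
# named like /dev/sdX; NVMe-style /dev/nvme0n1p<n> naming is not handled here.
set -euo pipefail
: "${DEV:?set DEV to the target disk, e.g. /dev/sda}"
: "${DM:?set DM to the dm name prefix, e.g. sda}"

# GPT layout: 2 = encrypted /boot, 3 = BIOS boot partition (GRUB core image),
# 4 = EFI system partition, 6 = LUKS container for the LVM PV (rest of disk).
# Partition numbers 1 and 5 are intentionally left unused, as in the original.
sgdisk --new=2:0:+768M "$DEV"
sgdisk --new=3:0:+2M "$DEV"
sgdisk --new=4:0:+128M "$DEV"
sgdisk --new=6:0:0 "$DEV"
sgdisk --typecode=2:8301 "$DEV"
sgdisk --typecode=3:ef02 "$DEV"
sgdisk --typecode=4:ef00 "$DEV"
sgdisk --typecode=6:8301 "$DEV"
sgdisk --change-name=2:/boot "$DEV"
sgdisk --change-name=3:GRUB "$DEV"
sgdisk --change-name=4:EFI-SP "$DEV"
sgdisk --change-name=6:rootfs "$DEV"
# Hybrid MBR covering partitions 2-4 so legacy BIOS firmware can boot the same
# disk. Hybrid MBRs are fragile: later repartitioning with tools that do not
# understand them can silently desynchronise the two tables.
sgdisk --hybrid 2:3:4 "$DEV"

# Both containers are LUKS1. Partition 2 must be LUKS1 because GRUB's
# cryptodisk support opens it before the kernel runs; LUKS1 only offers PBKDF2
# key derivation, so choose a long passphrase. Partition 6 is opened by the
# initramfs, not GRUB, so LUKS2 (argon2) would likely work there - kept as
# LUKS1 to match the original; verify with the target cryptsetup version before
# changing. Both prompts are interactive.
cryptsetup luksFormat --type=luks1 "${DEV}2"
cryptsetup luksFormat --type=luks1 "${DEV}6"
cryptsetup open "${DEV}2" LUKS_BOOT
cryptsetup open "${DEV}6" "${DM}6_crypt"

# /boot lives inside the opened container; the ESP stays plain FAT16 because
# firmware has to read it.
mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
mkfs.vfat -F 16 -n EFI-SP "${DEV}4"

# LVM on top of the root container: swap is encrypted too, so hibernation
# images and swapped-out pages never touch the disk in the clear.
pvcreate "/dev/mapper/${DM}6_crypt"
vgcreate ubuntu-vg "/dev/mapper/${DM}6_crypt"
lvcreate -L 16G -n swap_1 ubuntu-vg
lvcreate -l 80%FREE -n root ubuntu-vg

# --- run the Ubuntu installer here, targeting ubuntu-vg/root, swap_1, ---
# --- LUKS_BOOT as /boot and ${DEV}4 as /boot/efi; then continue.     ---

# Must be appended while the installer has /target mounted, before it runs
# grub-install, otherwise GRUB will not be built with LUKS support.
echo "GRUB_ENABLE_CRYPTODISK=y" >> /target/etc/default/grub

# After the installer finishes (choose "continue testing"), re-mount the
# installed system and bind the host's runtime directories and resolver into
# it so apt works inside the chroot.
mount /dev/mapper/ubuntu--vg-root /target
for n in proc sys dev etc/resolv.conf; do
  mount --rbind "/$n" "/target/$n"
done
# Opens an interactive shell in the installed system; phase 2 (the
# cryptsetup-initramfs / keyfile setup) is run inside that shell. Anything
# placed after this line in a script runs on the host only after that shell
# exits.
chroot /target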
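# Phase 2 - run as root inside the chroot opened by `chroot /target`.
#
# Installs cryptsetup's initramfs hooks and embeds a random keyfile in the
# initramfs so both LUKS containers are unlocked automatically at boot; the
# passphrase is then only asked once, by GRUB, when it opens /boot.
# The same DEV/DM values as in phase 1 are required (export them again inside
# the chroot if they did not carry over).
set -euo pipefail
: "${DEV:?set DEV to the target disk, e.g. /dev/sda}"
: "${DM:?set DM to the dm name prefix, e.g. sda}"

# Mounts /boot and /boot/efi from the installed fstab; LUKS_BOOT must still be
# open from phase 1.
mount -a
apt install -y cryptsetup-initramfs

# Tell the initramfs hook which keyfiles to copy in, and make every generated
# initramfs root-only (0600). The UMASK matters: the initramfs now contains the
# key for the root volume, and /boot is mounted in the clear once the system
# is running.
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf

# Create the keyfile with a restrictive umask so it is never world-readable,
# not even between the dd and the chmod below.
mkdir -m 0700 /etc/luks
( umask 077; dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 )
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile

# Adds the keyfile as an extra keyslot on both containers; each call prompts
# for an existing passphrase. The passphrase slots stay valid.
cryptsetup luksAddKey "${DEV}2" /etc/luks/boot_os.keyfile
cryptsetup luksAddKey "${DEV}6" /etc/luks/boot_os.keyfile

# Resolve the container UUIDs up front so a blkid failure cannot leave a
# half-written crypttab entry behind.
boot_uuid=$(blkid -s UUID -o value "${DEV}2")
root_uuid=$(blkid -s UUID -o value "${DEV}6")
if [[ -z "$boot_uuid" || -z "$root_uuid" ]]; then
  printf 'could not read LUKS UUIDs for %s2 / %s6\n' "$DEV" "$DEV" >&2
  exit 1
fi
# `discard` passes TRIM through the crypto layer: better SSD behaviour, but it
# exposes which blocks are unused (and can hint at filesystem layout) to
# anyone who images the disk. Drop it if that leakage matters more than wear
# levelling.
printf 'LUKS_BOOT UUID=%s /etc/luks/boot_os.keyfile luks,discard\n' "$boot_uuid" >> /etc/crypttab
printf '%s6_crypt UUID=%s /etc/luks/boot_os.keyfile luks,discard\n' "$DM" "$root_uuid" >> /etc/crypttab

# Rebuild every installed kernel's initramfs with the hooks, keyfile and
# crypttab above baked in.
update-initramfs -u -k all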