
@bjohas
Last active September 9, 2023 21:45

I use Ubuntu (20.04 LTS, now 22.04 LTS) as my main operating system. Some background on switching from OS X to Ubuntu is here: https://github.com/bjohas/Ubuntu-keyboard-map-like-OS-X. I don't really use Windows at all, and I am surprised by how the initial setup of Windows has gone wrong for some of my friends (missing DLLs, etc.). However, there are a few 'OS X / Windows only things', and with a larger SSD on a new laptop I thought I'd preserve Windows. Such 'OS X / Windows only things' include Adobe Creative Suite, as well as using an Oculus/Meta Quest 2 via a PC connection.

Dual booting Ubuntu and Windows with encryption (for Ubuntu 22.04 LTS)

I followed Mike Kasberg's instructions at https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html

"Dual-booting with encrypted storage should not be this hard in 2020." (Still true in 2022.)

Me, quoting https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html

I'm using the same 'phase' numbers as that post.

The systems I have set up this way:

  • Dell XPS 13 9310 (16GB, 1TB), touch screen, with Windows installed (factory settings);
  • Dell XPS 13 9310 (16GB, 512GB), non-touch screen, with Windows installed (factory settings).

Note: I typed this up after the installation to create a record of it. I hope I've got all the commands right, but there may be errors. Check Mike Kasberg's blog as needed.

Phases 1-3

(Added 2022-06-11): If you are an Ubuntu user, you may be setting Windows up from scratch. That means you'll have to:

  • select a keyboard
  • connect to a network
  • accept the licence terms
  • name the device
  • sign in with a Microsoft account and password (unless you have a security key; basically, there doesn't seem to be a way around this)
  • skip face login (optional)
  • create a PIN
  • answer a bunch of data-sharing options
  • skip 'customise experience'
  • choose backup options
  • decline Office 365
  • decline Game Pass

The install will then fetch updates ("This might take a few minutes. Don't turn off your PC."). Hopefully you'll then be logged in.

Otherwise, just boot into Windows. Press the Windows key, type 'create and format hard disk partitions', and 'Disk Management' opens.

Right-click on (typically) C: and choose 'Shrink Volume'. On the 1TB machine I shrank C: to 100 GB, which should give plenty of space for additional applications in Windows and left about 830 GB for Ubuntu. On the 512GB machine I shrank it to 33.40 GB (the smallest that was offered). You should now see, e.g., on the 512GB machine:

  • 100 MB EFI
  • (C:) 33.40 GB NTFS
  • 442 GB Unallocated
  • 611 MB Recovery

I also disabled BitLocker, as recommended in some dual-boot tutorials: once GRUB sits in front of the Windows boot loader, the TPM sees a changed boot sequence and will not release the BitLocker key (see Mike Kasberg's note at the end). Not all versions of Windows expose BitLocker; Windows Home editions instead have 'Device encryption' under Settings, which does the same thing and should be turned off too.

Put in your 22.04 LTS USB stick, boot the XPS, press F12, select the USB stick, continue booting and choose 'Try Ubuntu'.

Phase 3: Partition the drive for Ubuntu

As noted in the tutorial above, your device name may vary. For my machine the NVMe disk was /dev/nvme0n1. Confirm that it is the disk holding the Windows partitions you saw in Disk Management before going on, since every command below writes to it. Open a terminal.

So for convenience I set

DEV=/dev/nvme0n1

I can then run

sudo sgdisk --print $DEV

On the 1TB, partitions 1-6 were used by Windows, while the large 830 GB partition was 7. So for convenience I set

BOOT=7
ROOT=8

In other words, the plan is to create two partitions (7 and 8): one for /boot (7), which stays unencrypted, and one for the LUKS container holding the root fs (8). The commands below give /boot 768M; the original guide has since moved to 1800M, which leaves more room for the kernel and initramfs images that 22.04 keeps around, so consider the larger size.

For the 512GB machine, it looks like partitions 1-4 were used. Not sure why that's different. The first four come up as

  • 1 EFI system (100 MiB)
  • 2 Microsoft reserved (16 MiB)
  • 3 Basic data partition (33.4 GiB)
  • 4 (no label) (611 MiB)

So I set

BOOT=5
ROOT=6

So I can now do

sudo sgdisk --new=$BOOT:0:+768M $DEV

For the 512GB machine, this worked. On the 1TB, sgdisk reported that partition 7 was already in use. Before deleting anything, check in the --print output that partition $BOOT is the entry covering the space you freed in Windows and not one of the Windows or recovery partitions, because sgdisk -d removes whatever entry has that number. In my case it was, so I ran:

sudo sgdisk -d $BOOT $DEV

After that, I could run:

sudo sgdisk --new=$BOOT:0:+768M $DEV
sudo sgdisk --new=$ROOT:0:0 $DEV
sudo sgdisk --change-name=$BOOT:/boot --change-name=$ROOT:rootfs $DEV

Check:

sudo sgdisk --print $DEV

You'll see two new partitions with numbers $BOOT and $ROOT

  • 768 MiB /boot
  • 442.1 GiB rootfs (e.g., on the 512GB machine)

The type code 8300 (Linux filesystem) was already set, since that is sgdisk's default for --new, but I ran this anyway:

sudo sgdisk --typecode=$BOOT:8300 --typecode=$ROOT:8300 $DEV

I then tried

sudo mkfs.ext4 -L boot ${DEV}p${BOOT}

This worked on the 512GB, but on the 1TB it failed with 'device busy' (possibly because the kernel was still using the old partition table, or because I had GUI apps open). I rebooted, then it worked; running sudo partprobe $DEV to make the kernel re-read the table may save you the reboot:

DEV=/dev/nvme0n1
BOOT=7
ROOT=8
sudo mkfs.ext4 -L boot ${DEV}p${BOOT}

Check:

sudo sgdisk --print $DEV
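As an added example (not from the gist or from Mike Kasberg's post), here is a small POSIX shell script that picks BOOT and ROOT from the sgdisk --print output rather than guessing them, and refuses to emit --new commands for numbers that already exist, which is the situation described above for the 1TB machine. It assumes the row layout sgdisk prints (partition rows are the only lines whose first field is a bare number); the table it runs on is a constructed sample of the 512GB layout, and it only prints the commands it would run, so nothing touches the disk.

```shell
#!/bin/sh
# Added example, not part of the gist: pick BOOT/ROOT from the partition table
# instead of guessing them, and refuse to run `sgdisk --new` onto a number that
# is already taken.  Only the planning step is shown; feed it real output with
#   sudo sgdisk --print $DEV | plan_partitions $DEV $BOOT $ROOT

# next_partnum: read `sgdisk --print` output on stdin and print the number one
# above the highest existing partition.  Partition rows are the only lines
# whose first field is purely numeric.
next_partnum() {
    awk 'BEGIN { max = 0 }
         $1 ~ /^[0-9]+$/ && ($1 + 0) > max { max = $1 + 0 }
         END { print max + 1 }'
}

# partnum_in_use NUM: exit 0 if partition NUM appears in the table on stdin.
partnum_in_use() {
    awk -v n="$1" 'BEGIN { found = 0 } $1 == n { found = 1 } END { exit !found }'
}

# plan_partitions DEV BOOT ROOT [BOOT_SIZE]: read the table on stdin and print
# the sgdisk commands for the two new partitions, or fail if either number is
# already allocated.  Nothing is written; review the output, then run it.
plan_partitions() {
    dev=$1 boot=$2 root=$3 size=${4:-768M}
    table=$(cat)
    for n in "$boot" "$root"; do
        if printf '%s\n' "$table" | partnum_in_use "$n"; then
            echo "partition $n already exists on $dev; check sgdisk --print before deleting anything" >&2
            return 1
        fi
    done
    printf 'sudo sgdisk --new=%s:0:+%s %s\n' "$boot" "$size" "$dev"
    printf 'sudo sgdisk --new=%s:0:0 %s\n' "$root" "$dev"
    printf 'sudo sgdisk --change-name=%s:/boot --change-name=%s:rootfs %s\n' "$boot" "$root" "$dev"
    printf 'sudo sgdisk --typecode=%s:8300 --typecode=%s:8300 %s\n' "$boot" "$root" "$dev"
}

# Constructed sample of `sgdisk --print` for the 512GB XPS after the Windows
# shrink (four Windows partitions; the gap between 3 and 4 is the free space).
SAMPLE_TABLE='Disk /dev/nvme0n1: 1000215216 sectors, 476.9 GiB
Sector size (logical/physical): 512/512 bytes
Partition table holds up to 128 entries
Total free space is 927249407 sectors (442.1 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          206847   100.0 MiB   EF00  EFI system partition
   2          206848          239615   16.0 MiB    0C01  Microsoft reserved ...
   3          239616        70301695   33.4 GiB    0700  Basic data partition
   4       998963200      1000214527   611.0 MiB   2700  '

# Stand-alone demonstration on the sample: prints the four sgdisk commands.
BOOT=$(printf '%s\n' "$SAMPLE_TABLE" | next_partnum)
ROOT=$((BOOT + 1))
printf '%s\n' "$SAMPLE_TABLE" | plan_partitions /dev/nvme0n1 "$BOOT" "$ROOT"
```

On the constructed table this yields BOOT=5 and ROOT=6, matching the numbers used for the 512GB machine above; asking it for 3 and 4 instead makes it refuse, which is the check that the sgdisk -d step above does not have.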

cryptsetup

Now cryptsetup:

sudo cryptsetup luksFormat ${DEV}p${ROOT}
sudo cryptsetup open ${DEV}p${ROOT} xpscrypt

Double-check the device you are overwriting (the new root partition, not a Windows one) and enter the passphrase when prompted.

Note that whatever name you choose here (xpscrypt) is what appears when you are asked to unlock the disk. Also note that Mike Kasberg's blog suggested LUKS v1 here, but I removed that option. LUKS1 matters when GRUB itself has to unlock an encrypted /boot, since GRUB does not support the Argon2 key derivation LUKS2 uses; here /boot is a separate unencrypted partition and the initramfs does the unlocking, so LUKS2 (the default in 22.04's cryptsetup, with argon2id) works for the root partition. So I just went with what cryptsetup offers by default.

You can check that xpscrypt exists: ls /dev/mapper/. I then set:

XC=/dev/mapper/xpscrypt 

and ran the following commands to create physical and logical volumes for swap and root:

sudo pvcreate $XC
sudo vgcreate ubuntu-vg $XC
sudo lvcreate -L 16G -n swap_1 ubuntu-vg
sudo lvcreate -l 100%FREE -n root ubuntu-vg

If you are typing this in, note that the last command has a lower-case -l (size as a number of extents or a percentage), while the swap command uses an upper-case -L (size in bytes). I've used 16 GB as swap, as I have 16 GB of RAM; swap of at least RAM size is only needed if you want hibernation, and there are various opinions about how to size it otherwise, so you might be able to use less.

Note that this creates a swap volume and the root volume. There is a school of thought that a separate /home partition is a good idea: it lets you reinstall Ubuntu more easily while keeping your files in /home extra safe. However, I don't experiment with reinstalling Ubuntu often, and a separate /home means deciding up front how much space the OS needs and how much /home needs. Since I do regularly run out of disk space, I prefer to have just /, without a separate /home.
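As an added example (not from the gist or from Mike Kasberg's post), the script below shows what a practitioner would want around the luksFormat step: the cryptsetup defaults spelled out, a header backup, and a check of the luksDump output before trusting the volume. The luks_format and luks_header_backup helpers wrap real cryptsetup commands and need root plus the device, so they are defined but not called; the dump checker runs on constructed luksDump excerpts (UUIDs and sizes made up) and accepts argon2i as well as argon2id, because 20.04's older cryptsetup defaulted to argon2i.

```shell
#!/bin/sh
# Added example, not part of the gist: make the luksFormat choices explicit,
# keep a header backup, and verify the header before trusting the volume.

# luks_format DEV: the cryptsetup 2.4 (Ubuntu 22.04) defaults, spelled out so
# the result does not depend on which live image you booted.  LUKS2/argon2id
# is fine here because /boot is a separate unencrypted ext4 partition and the
# initramfs, not GRUB, unlocks the root volume.
luks_format() {
    sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
        --key-size 512 --pbkdf argon2id "$1"
}

# luks_header_backup DEV FILE: the header holds the keyslots; if it is damaged
# the data is gone.  Keep FILE off this machine: with the passphrase it unlocks
# the disk, and a restored backup revives any passphrase removed later.
luks_header_backup() {
    sudo cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# dump_field NAME: print the trimmed value of every "NAME: value" line in the
# `cryptsetup luksDump` output on stdin (keys and values are whitespace-padded).
dump_field() {
    awk -F: -v k="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }'
}

# luks_dump_check: read a luksDump on stdin; pass only for a LUKS2 header whose
# data segment uses aes-xts-plain64 with a 512-bit key and whose keyslots all
# use a memory-hard PBKDF.  Real use: sudo cryptsetup luksDump DEV | luks_dump_check
luks_dump_check() {
    dump=$(cat); rc=0
    version=$(printf '%s\n' "$dump" | dump_field Version)
    if [ "$version" = "2" ]; then echo "ok: LUKS2 header"
    else echo "FAIL: LUKS version '$version'"; rc=1; fi
    ciphers=$(printf '%s\n' "$dump" | dump_field cipher)
    if [ -z "$ciphers" ]; then echo "FAIL: no data segment listed"; rc=1; fi
    for c in $ciphers; do
        if [ "$c" = "aes-xts-plain64" ]; then echo "ok: segment cipher $c"
        else echo "FAIL: segment cipher $c"; rc=1; fi
    done
    for p in $(printf '%s\n' "$dump" | dump_field PBKDF); do
        case "$p" in
            argon2id) echo "ok: keyslot PBKDF argon2id" ;;
            argon2i)  echo "ok: keyslot PBKDF argon2i (older default; argon2id is current)" ;;
            *)        echo "FAIL: keyslot PBKDF $p (memory-hard argon2 expected)"; rc=1 ;;
        esac
    done
    for k in $(printf '%s\n' "$dump" | dump_field "Cipher key" | awk '{ print $1 }'); do
        if [ "$k" = "512" ]; then echo "ok: 512-bit XTS key (AES-256)"
        else echo "FAIL: ${k}-bit key"; rc=1; fi
    done
    return $rc
}

# Constructed luksDump excerpts: a LUKS2 header as cryptsetup 2.4 produces it,
# and a LUKS1 header for contrast.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           3c4a6d1e-8f0b-4e2a-9d7c-5b1a2f3e4d60
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4'

SAMPLE_LUKS1_DUMP='LUKS header information for /dev/nvme0n1p8

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512'

echo "--- constructed LUKS2 header:"
printf '%s\n' "$SAMPLE_LUKS2_DUMP" | luks_dump_check
echo "--- constructed LUKS1 header:"
printf '%s\n' "$SAMPLE_LUKS1_DUMP" | luks_dump_check || echo "(rejected, as intended)"
```

The header backup is the one step worth doing right after luksFormat and before the installer runs: a LUKS header is a few MiB at the start of the partition, and a corrupted one makes the whole root volume unrecoverable regardless of the passphrase.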

Phase 4: Now install Ubuntu (yay)

Going back from the terminal to the desktop, I now started the Ubuntu installer, went through the steps and eventually selected 'something else'.

The menu wasn't entirely obvious to me.

  • Basically, you need to use the 768M partition (${DEV}p${BOOT}) as ext4 with mount point /boot. In detail: locate the partition, highlight it, select 'Change', then select 'ext4', then select /boot.

The other two will be under /dev/mapper.

  • Then use /dev/mapper/ubuntu--vg-root as ext4 with mount point /. In detail: 'Change', then select 'ext4', then select /.
  • Then use /dev/mapper/ubuntu--vg-swap_1 as swap. This means 'Change', then select 'swap area'.

The bootloader device should be $DEV. For me this was selected already. mikekasberg commented: "though it appears that this setting might not actually be used in UEFI mode"

Finish the partition setup and run the installer. ... time passes ... When the installer is finished, select 'Continue Testing' rather than rebooting, because the installed system cannot boot yet: the installer does not write /etc/crypttab for a LUKS volume you opened by hand, so its initramfs does not know how to unlock the root volume.

Setting up the boot correctly

Run this

sudo blkid ${DEV}p${ROOT}

and record the UUID it prints for the LUKS partition (the line with TYPE="crypto_LUKS") as $UUID; we'll use it below. Note that running blkid on the whole disk ($DEV) only prints the partition table's PTUUID, which is not what crypttab needs; two commenters below ran into exactly this. You can run this

echo "xpscrypt UUID=$UUID none luks,discard"

and save the result for later.

echo "xpscrypt UUID=$UUID none luks,discard" | tee dev-uuid.txt

Then a set of commands that weren't entirely obvious to me, but running them worked. They mount the freshly installed root and /boot under /target, bind the live system's /proc, /sys, /dev and DNS configuration into it, and chroot in, so that update-initramfs runs against the installed system rather than the live USB:

sudo mount /dev/mapper/ubuntu--vg-root /target
sudo mount ${DEV}p${BOOT} /target/boot
sudo su
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
chroot /target 

Stay in the chroot and continue

mount -a

Stay in the chroot. Now create (or extend) /etc/crypttab. On the 1TB this file didn't exist; on the 512GB it did.

ls /etc/crypttab

So I do:

sudo nano /etc/crypttab

and paste the line you saved above (i.e., xpscrypt UUID=$UUID none luks,discard, with $UUID from above). If the file already has an entry for the same mapping name, replace it rather than adding a second one. The discard option passes TRIM through to the SSD, which is good for the drive's wear levelling but reveals which blocks are unused to anyone who reads the raw disk; leave it out if that matters to you. Save and quit nano, but stay in the chroot. Continue:

update-initramfs -k all -c

If you get errors (typically a complaint that the device named in crypttab cannot be found), check the UUID and the mapping name in /etc/crypttab.

Then exit twice (out of the chroot and out of the root shell), and you're done!
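As an added example (not from the gist or from Mike Kasberg's post), the script below builds the crypttab entry from the blkid output of the LUKS partition, checks that what is in crypttab matches what blkid reports, and checks that the rebuilt initramfs can actually unlock the root volume. The initramfs check needs the installed system (run it inside the chroot) and assumes the paths Ubuntu's cryptsetup-initramfs hook installs; the other helpers run here on constructed blkid lines with made-up UUIDs.

```shell
#!/bin/sh
# Added example, not part of the gist: derive the /etc/crypttab entry from
# blkid, verify it against blkid, and verify the initramfs can unlock root.

# luks_uuid BLKID_LINE: print the filesystem UUID of a crypto_LUKS partition.
# Refuses any other line.  `blkid $DEV` on the whole disk prints only a PTUUID
# (the GPT's own identifier), which cryptsetup cannot use, so that form fails.
luks_uuid() {
    case "$1" in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "not a LUKS partition: $1" >&2; return 1 ;;
    esac
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*[ :]UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# crypttab_line NAME BLKID_LINE: the line to put in /etc/crypttab.  NAME is the
# mapping name given to `cryptsetup open` (xpscrypt above).  `discard` passes
# TRIM through, which lets the SSD (and anyone reading it raw) see which blocks
# are unused; drop it if that matters more to you than SSD wear levelling.
crypttab_line() {
    uuid=$(luks_uuid "$2") || return 1
    printf '%s UUID=%s none luks,discard\n' "$1" "$uuid"
}

# crypttab_matches CRYPTTAB_TEXT BLKID_LINE: succeed if some crypttab entry's
# device field is UUID=<the LUKS UUID blkid reports>.  A stale or wrong UUID is
# the usual reason update-initramfs complains or the boot never asks for the
# passphrase.  Real use: crypttab_matches "$(cat /etc/crypttab)" "$(blkid ${DEV}p${ROOT})"
crypttab_matches() {
    uuid=$(luks_uuid "$2") || return 1
    printf '%s\n' "$1" | awk -v want="UUID=$uuid" '$2 == want { f = 1 } END { exit !f }'
}

# initramfs_can_unlock INITRD: the image must carry the cryptsetup binary, the
# cryptroot boot script and the generated crypttab.  These are the paths the
# Ubuntu cryptsetup-initramfs hook installs (assumed here; compare with
# `lsinitramfs INITRD`).  Run in the chroot after update-initramfs as:
#   initramfs_can_unlock /boot/initrd.img-<installed kernel version>
initramfs_can_unlock() {
    listing=$(lsinitramfs "$1") || return 1
    printf '%s\n' "$listing" | grep -q 'sbin/cryptsetup' &&
    printf '%s\n' "$listing" | grep -q 'scripts/local-top/cryptroot' &&
    printf '%s\n' "$listing" | grep -q 'cryptroot/crypttab'
}

# Constructed blkid lines (UUIDs made up) for the two commands discussed above.
SAMPLE_WHOLE_DISK='/dev/nvme0n1: PTUUID="9a7b2c3d-1e4f-4a5b-8c6d-7e8f9a0b1c2d" PTTYPE="gpt"'
SAMPLE_LUKS_PART='/dev/nvme0n1p6: UUID="6f1e2d3c-4b5a-4c6d-8e9f-0a1b2c3d4e5f" TYPE="crypto_LUKS" PARTLABEL="rootfs" PARTUUID="0d1c2b3a-4e5f-4a6b-9c8d-7e6f5a4b3c2d"'

# Stand-alone demonstration: the partition line yields a crypttab entry, the
# whole-disk line is rejected.
crypttab_line xpscrypt "$SAMPLE_LUKS_PART"
crypttab_line xpscrypt "$SAMPLE_WHOLE_DISK" || echo "(whole-disk blkid line rejected, as intended)"
```

The crypttab_matches check is the one to run before leaving the chroot: the mapping name in crypttab must be the same one you gave to cryptsetup open, and the UUID must be the LUKS container's, not the partition's PARTUUID and not the disk's PTUUID.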

Now reboot (e.g., sudo reboot). After the reboot you should see the Ubuntu option in the GRUB menu alongside Windows, and Ubuntu should prompt for the xpscrypt passphrase early in boot. Presumably you can now go back to Windows and enable BitLocker again (I haven't tried this). For some more thoughts, see Mike Kasberg's blog, which says

By default, your computer will boot into grub, which can boot Ubuntu. Although Windows is listed in grub, booting Windows from grub with BitLocker enabled won’t initially work because the system’s TPM will detect a change in the boot sequence. The easiest way to avoid this problem is to boot Windows directly from your computer’s BIOS boot menu - usually accessible by pressing F12 on startup.

Also of interest

@garyttirn

Great instructions, worked well for Asus UX325 too. I did opt not to use LVM and thus not setup swap, I only have encrypted root.

I also incorporated TPM support during the Ubuntu 22.04 installation while still in the chroot, and that worked well also.
https://run.tournament.org.il/ubuntu-20-04-and-tpm2-encrypted-system-disk/

@lazka

lazka commented Nov 24, 2022

@bjohas I needed sudo blkid ${DEV}p${ROOT} instead of sudo blkid $DEV (Ubuntu 22.04).

And the original guide is using 1800M for boot now instead of 768M.

everything works otherwise, thanks for the guide!

@aronwolf90

aronwolf90 commented Mar 28, 2023

I also needed sudo blkid ${DEV}p${ROOT}. The rest worked great
