This script attempts to semi-automate installing Ubuntu/Kubuntu with Full Disk Encryption (FDE) in GPT/UEFI mode.
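#!/bin/bash
#Description: This script attempts to semi-automate installing Ubuntu/Kubuntu with Full Disk Encryption (FDE) in GPT/UEFI mode. This script is intended to work together with the GUI and some user interaction.
#Background: FDE means that /boot is also encrypted. By default, the Graphical User Interface (GUI) only supports encrypting the lvm partition which leaves binary files exposed. There is no security benefit to having a larger attack surface.
#Credits: Based on https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
#Changes: reduced amount of user interaction, removed swap lvm partition, increased partition sizes
#Bugs: Only works for Ubuntu/Kubuntu version 2204. It should be possible to backport it to previous LTS versions by updating the strings used in creating/detecting lvm volumes.
#Sometimes the GRUB installer refuses to install. Known workarounds: Unknown.
#Sometimes the system will kernel panic after login. Known workarounds: Boot in native UEFI mode.
#Secrets: the passphrase has to reach cryptsetup both here and inside the chroot, so it is
#written to a file (mode 0600) for the duration of the install and deleted by the chroot
#script. Do not run this script with 'set -x' or the passphrase ends up in the terminal log.
#Usage:
# 1) Boot Ubuntu installation media
# 2) Select "Try Ubuntu".
# 3) Open Terminal.
# 4) Change to root 'sudo su -' or 'sudo -i'.
# 5) Download this script using 'wget' .
# 6) Mark as executable: chmod +x installKubuntu.sh
# 7) Run this script: ./installKubuntu.sh
# 8) Enter the disk to install to: 'sda', 'nvme0n1'.
# 9) Enter a password that will be used to unlock /boot and /.
# 10) Switch to GUI: NotStartMenu->System->Install Kubuntu
# 11) Select Language->Keyboard->Software->Disk (Manual)
# 12) Select "/dev/mapper/LUKS_BOOT" (ext4) -> Change... Select the child entry that has a Size, not the parent.
# 13) Use as: Ext4, Format: Yes, Mount Point: /boot -> OK
# 14) Select "/dev/mapper/vgkubuntu-root" -> Change... Select the child entry that has a Size, not the parent.
# 15) Use as: Ext4, Format: Yes, Mount Point: / -> OK
# 16) Device for boot loader installation: select the disk used in #8; Select the parent entry (sda), not the children (sda1).
# 17) Install Now->Continue->Select Timezone
# 18) Select username, enter a password for the user x2 (required), computer name->Continue
# 19) Wait for GUI install to say "Restart Now" or "Continue Testing".
# 20) Back to CLI: Once installation is complete, press a single key on the keyboard and wait.
# 21) Reboot the PC once the script says finished.
# 22) To finish rebooting, remove the installation media and press Enter.
############################################################################

# Write $2 followed by a newline into file $1, readable by the owner only.
# printf rather than echo so a passphrase that starts with '-' or contains
# backslashes or spaces is stored verbatim.
write_secret() {
  ( umask 077 && printf '%s\n' "$2" > "$1" )
}

#check if root
if [[ "$EUID" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi
lsblk

read -r -p "Enter raw device ID without /dev/ to install to, e.g. \"sda\": " DM
export DEV="/dev/${DM}"
# NVMe partitions are named like nvme0n1p1 while SATA/SCSI ones are sda1:
# add the 'p' separator once, here, so "${DEVP}1" is always the first partition.
if [[ "$DM" == *nvme* ]]; then
  export DEVP="${DEV}p"
  export DM="${DM}p"
else
  export DEVP="$DEV"
fi
# The chroot script below re-reads these values from files (see its 'read' lines).
printf '%s\n' "$DM" > DM.txt
printf '%s\n' "$DEV" > DEV.txt
printf '%s\n' "$DEVP" > DEVP.txt
printf '\nCurrent contents of %s:\n' "$DEV"
sgdisk --print "$DEV"
# -s: do not echo the passphrase to the terminal.
read -r -s -p "Enter encryption password for volumes: " password
echo
write_secret password.txt "$password"

#recreate partitions
#Yes, these are all really necessary. Removing any of them causes fatal errors.
sgdisk --zap-all "$DEV"
sgdisk --new=1:0:+2048M "$DEV"
sgdisk --new=2:0:+2M "$DEV"
sgdisk --new=3:0:+300M "$DEV"
sgdisk --new=5:0:0 "$DEV"
sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 "$DEV"
sgdisk --change-name=1:boot --change-name=2:GRUB --change-name=3:EFI --change-name=5:rootfs "$DEV"
sgdisk --hybrid 1:2:3 "$DEV"
sgdisk --print "$DEV"
#grub does not decrypt luks2 volumes properly, so /boot stays luks1.
#--batch-mode skips the "are you sure" confirmation; the passphrase is read
#from stdin (one line, trailing newline stripped by cryptsetup).
cryptsetup luksFormat --batch-mode --type=luks1 "${DEVP}1" < password.txt
cryptsetup luksFormat --batch-mode --type=luks2 "${DEVP}5" < password.txt
cryptsetup open "${DEVP}1" LUKS_BOOT < password.txt
cryptsetup open "${DEVP}5" "${DM}5_crypt" < password.txt

#format file systems
mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
mkfs.vfat -F 32 -n EFI "${DEVP}3"
flavour="$( sed -n 's/.*cdrom:\[\([^ ]*\).*/\1/p' /etc/apt/sources.list )"
release="$( lsb_release -sr | tr -d . )"
# Name the volume group the way the installer of this release expects it
# (see #Bugs above); an unreadable release string falls back to the old scheme.
if [[ "${release:-0}" -ge 2204 ]]; then VGNAME="vg${flavour,,}"; else VGNAME="${flavour}--vg"; fi
export VGNAME
pvcreate "/dev/mapper/${DM}5_crypt"
vgcreate "$VGNAME" "/dev/mapper/${DM}5_crypt"
#lvcreate -L 4G -n swap_1 "${VGNAME}"
lvcreate -l 100%FREE -n root "$VGNAME"

printf '\n\n'
echo "Note: The installation should still be in progress. Waiting for install to complete..."
# As soon as the GUI installer has created /target/etc/default/grub.d, tell GRUB
# that it has to unlock the encrypted /boot.
while [[ ! -d /target/etc/default/grub.d ]]; do sleep 1; done
echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg
read -n1 -r -p "Press a key to continue once installation is complete." _
printf '\n\n'

#prepare chroot environment
mount "/dev/mapper/${VGNAME}-root" /target
for n in proc sys dev etc/resolv.conf; do mount --rbind "/$n" "/target/$n"; done

#prepare chroot script
#Quoted heredoc: nothing is expanded while writing the file; every $ below is
#evaluated inside the chroot. This replaces the escaped echo lines that used to
#build the script and were subject to globbing/expansion in this shell.
file=installKubuntu2204.temp.sh
cat > "$file" <<'CHROOT_SCRIPT'
#!/bin/bash

mount -a

#read variable names again since export did not export them
IFS= read -r DM < DM.txt
IFS= read -r DEV < DEV.txt
IFS= read -r DEVP < DEVP.txt

#create keyfile
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
mkdir /etc/luks
#512 bytes = 4096 bits; 2048 bytes = 16384 bits
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=2048 count=1
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile

cryptsetup luksAddKey "${DEVP}1" /etc/luks/boot_os.keyfile < password.txt
cryptsetup luksAddKey "${DEVP}5" /etc/luks/boot_os.keyfile < password.txt
echo "LUKS_BOOT UUID=$(blkid -s UUID -o value "${DEVP}1") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
echo "${DM}5_crypt UUID=$(blkid -s UUID -o value "${DEVP}5") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

update-initramfs -u -k all

#clean up: the passphrase file, the handover files and this script itself
#($0 is the script name chroot was started with)
rm -f -- password.txt DM.txt DEV.txt DEVP.txt "$0"

echo "Done. Please reboot."
CHROOT_SCRIPT

#copy resources to /target (inside the chroot, / is /target and the cwd is /)
rm -f -- password.txt
write_secret /target/password.txt "$password"
unset password
cp -- DM.txt DEV.txt DEVP.txt /target/
# Keep a copy of this installer on the installed system, whatever it was named.
cp -- "$0" "/target/${0##*/}"
chmod +x "$file"
cp -- "$file" "/target/$file"
chroot /target /bin/bash "$file"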