This script attempts to semi-automate installing Ubuntu/Kubuntu with Full Disk Encryption (FDE) in GPT/UEFI mode.
#!/bin/bash
#Description: This script attempts to semi-automate installing Ubuntu/Kubuntu with Full Disk Encryption (FDE) in GPT/UEFI mode. This script is intended to work together with the GUI and some user interaction.
#Background: FDE here means that /boot is also encrypted. By default, the Graphical User Interface (GUI) installer only encrypts the LVM partition, which leaves the kernel, initramfs and GRUB configuration in /boot unencrypted and open to offline tampering. Encrypting /boot removes that exposure; note that the EFI System Partition (GRUB's own EFI binary) necessarily stays unencrypted, so this narrows the offline attack surface rather than eliminating it.
#Credits: Based on https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
#Changes: reduced amount of user interaction, removed swap lvm partition, increased partition sizes
#Bugs: Only works for Ubuntu/Kubuntu version 2204. It should be possible to backport it to previous LTS versions by updating the strings used in creating/detecting lvm volumes.
#Sometimes the GRUB installer refuses to install. No known workaround.
#Sometimes the system will kernel panic after login. Known workarounds: Boot in native UEFI mode.
#Usage:
# 1) Boot Ubuntu installation media
# 2) Select "Try Ubuntu".
# 3) Open Terminal.
# 4) Change to root 'sudo su -' or 'sudo -i'.
# 5) Download this script using 'wget' and read through it before running it as root: it wipes the partition table of the disk chosen in step 8 without further confirmation.
# 6) Mark as executable: chmod +x installKubuntu.sh
# 7) Run this script: ./installKubuntu.sh
# 8) Enter the disk to install to, e.g. 'sda' or 'nvme0n1' (NVMe partitions are named nvme0n1p1, nvme0n1p2, ...; the script accounts for the "p").
# 9) Enter a password that will be used to unlock /boot and /. It is kept in plaintext temporary files (password.txt in the working directory, then /target/password.txt) while the install runs and deleted at the end, so do not leave the live session unattended mid-install.
# 10) Switch to GUI: NotStartMenu->System->Install Kubuntu
# 11) Select Language->Keyboard->Software->Disk (Manual)
# 12) Select "/dev/mapper/LUKS_BOOT" (ext4) -> Change... Select the child entry that has a Size, not the parent.
# 13) Use as: Ext4, Format: Yes, Mount Point: /boot -> OK
# 14) Select "/dev/mapper/vgkubuntu-root" -> Change... Select the child entry that has a Size, not the parent.
# 15) Use as: Ext4, Format: Yes, Mount Point: / -> OK
# 16) Device for boot loader installation: select the disk used in #8; Select the parent entry (sda), not the children (sda1).
# 17) Install Now->Continue->Select Timezone
# 18) Select username, enter a password for the user x2 (required), computer name->Continue
# 19) Wait for GUI install to say "Restart Now" or "Continue Testing".
# 20) Back to CLI: Once installation is complete, press a single key on the keyboard and wait.
# 21) Reboot the PC once the script says finished.
# 22) To finish rebooting, remove the installation media and press Enter.
############################################################################
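#check if root
#Everything below repartitions a disk and chroots into the result, so refuse to
#continue unless we are uid 0. The error goes to stderr and the exit no longer
#depends on echo succeeding (the old "echo ... && exit 1" form did).
if [[ "$EUID" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi
#Show the available block devices so the user can pick the target in the next prompt.
lsblk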
#lsblk
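read -r -p "Enter raw device ID without /dev/ to install to, e.g. \"sda\": " DM
DEV="/dev/$DM"
#Refuse anything that is not a whole disk: the partition table of $DEV is wiped
#later without further confirmation, so a typo (or a partition name such as
#"sda1") must stop here rather than destroy the wrong device.
if [[ -z "$DM" || ! -b "$DEV" ]]; then
  echo "Error: '$DEV' is not a block device. Aborting." >&2
  exit 1
fi
if [[ "$(lsblk -dno TYPE "$DEV" 2>/dev/null)" != "disk" ]]; then
  echo "Error: '$DEV' is not a whole disk (lsblk TYPE is not 'disk'). Aborting." >&2
  exit 1
fi
#Partition names get a "p" separator when the disk name ends in a digit
#(nvme0n1p1, mmcblk0p1); sdXN does not. The old check only matched "nvme";
#the digit rule is what the kernel applies, so it also covers mmcblk devices.
part_sep=""
[[ "$DM" == *[0-9] ]] && part_sep="p"
export DEV
export DEVP="${DEV}${part_sep}"
export DM="${DM}${part_sep}"
#The export command does not work, so just use files instead.
#From here on every scratch file (device names, passphrase, chroot script) is
#created 0600 instead of world-readable.
umask 077
printf '%s\n' "$DM" > DM.txt
printf '%s\n' "$DEV" > DEV.txt
printf '%s\n' "$DEVP" > DEVP.txt
printf '\nCurrent contents of %s:\n' "$DEV"
sgdisk --print "$DEV"
#Passphrase: read with -s so it is not echoed to the terminal (and scrollback),
#and entered twice because a silent typo would lock the user out of the
#installed system.
while true; do
  read -r -s -p "Enter encryption password for volumes: " password
  echo
  read -r -s -p "Repeat encryption password: " password_again
  echo
  if [[ -n "$password" && "$password" == "$password_again" ]]; then
    break
  fi
  echo "Passwords were empty or did not match; please try again." >&2
done
unset password_again
#printf, not "echo $password": an unquoted echo collapses runs of whitespace and
#glob-expands '*' or '?' in the passphrase, and the mangled string would then
#silently become the LUKS key while the user later types the original at boot.
#The trailing newline is intentional: cryptsetup reads the passphrase from
#stdin up to the newline, so the stored key matches what is typed at boot.
printf '%s\n' "$password" > password.txt
echo YES > YES.txt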
#recreate partitions
#Layout (GPT): 1 = /boot (LUKS1 container), 2 = small BIOS-boot area for GRUB's
#core image, 3 = EFI System Partition, 5 = LUKS2 container that holds the LVM root.
#Yes, these are all really necessary. Removing any of them causes fatal errors.
disk="$DEV"
sgdisk --zap-all "$disk"
for spec in 1:0:+2048M 2:0:+2M 3:0:+300M 5:0:0; do
  sgdisk --new="$spec" "$disk"
done
#Type codes: 8301 Linux reserved, ef02 BIOS boot partition, ef00 EFI System.
sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 "$disk"
sgdisk --change-name=1:boot --change-name=2:GRUB --change-name=3:EFI --change-name=5:rootfs "$disk"
#Hybrid MBR mirroring partitions 1-3, kept from the upstream howto (presumably
#for a legacy-BIOS boot fallback; not needed for a pure UEFI boot).
sgdisk --hybrid 1:2:3 "$disk"
sgdisk --print "$disk"
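#grub does not decrypt luks2 volumes properly: as of GRUB 2.06 (Ubuntu 22.04) it
#cannot open LUKS2 headers that use cryptsetup's default Argon2 KDF, so /boot
#stays LUKS1 (PBKDF2). The root container is opened by the initramfs, not GRUB,
#and can be LUKS2.
#The passphrase is fed on stdin (not --key-file), so cryptsetup stops at the
#newline password.txt ends with and the same string typed at the GRUB/initramfs
#prompt unlocks the volumes. -q suppresses the "Type YES" confirmation
#explicitly; the old "< YES.txt < password.txt" never delivered it anyway (with
#several input redirections only the last one applies, so YES.txt was dead).
#Abort on any cryptsetup failure instead of continuing into pvcreate on a mapper
#device that was never created.
luks_fail() { echo "cryptsetup $1 failed for $2; aborting." >&2; exit 1; }
cryptsetup -q luksFormat --type=luks1 "${DEVP}1" < password.txt || luks_fail luksFormat "${DEVP}1"
cryptsetup -q luksFormat --type=luks2 "${DEVP}5" < password.txt || luks_fail luksFormat "${DEVP}5"
cryptsetup open "${DEVP}1" LUKS_BOOT < password.txt || luks_fail open "${DEVP}1"
cryptsetup open "${DEVP}5" "${DM}5_crypt" < password.txt || luks_fail open "${DEVP}5"
#format file systems
mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
#The EFI System Partition is the one piece that must stay unencrypted: the
#firmware loads GRUB from it.
mkfs.vfat -F 32 -n EFI "${DEVP}3"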
#Derive the volume group name the Ubuntu installer expects, so the GUI offers
#/dev/mapper/<vg>-root as the root LV. The flavour (Ubuntu/Kubuntu/...) comes
#from the "cdrom:[...]" entry of the live image's sources.list.
flavour="$( sed -n 's/.*cdrom:\[\([^ ]*\).*/\1/p' /etc/apt/sources.list )"
release="$( lsb_release -sr | tr -d . )"
#22.04 and later use e.g. "vgkubuntu"; earlier releases used "Kubuntu--vg".
if [[ "${release}" -ge 2204 ]]; then
  VGNAME="vg${flavour,,}"
else
  VGNAME="${flavour}--vg"
fi
export VGNAME
pv_dev="/dev/mapper/${DM}5_crypt"
pvcreate "$pv_dev"
vgcreate "${VGNAME}" "$pv_dev"
#No swap LV is created (dropped on purpose, see the header); the root LV takes
#all remaining space in the group.
lvcreate -l 100%FREE -n root "${VGNAME}"
#read -n1 -r -p "Please set up user accounts. Press a key once account setup is complete in the GUI installer." key2
printf '\n\n'
echo "Note: The installation should still be in progress. Waiting for install to complete..."
#Poll until the installer has populated /target/etc, then tell the target's
#GRUB to unlock LUKS volumes so it can read the encrypted /boot.
until [ -d /target/etc/default/grub.d ]; do
  sleep 1
done
echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg
read -n1 -r -p "Press a key to continue once installation is complete." key3
printf '\n\n'
#prepare chroot environment: the installer unmounts /target when it finishes,
#so mount the root LV again and bind the live system's kernel interfaces and
#DNS configuration into it.
mount "/dev/mapper/${VGNAME}-root" /target
for mp in proc sys dev etc/resolv.conf; do
  mount --rbind "/$mp" "/target/$mp"
done
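#prepare chroot script
#Written with a quoted heredoc instead of a chain of escaped echo commands so
#nothing in it is expanded here: every $... is evaluated later, inside the chroot.
file=installKubuntu2204.temp.sh
cat > "$file" <<'CHROOT_SCRIPT'
#!/bin/bash
#Runs inside the chroot of the freshly installed system (cwd is / there).

#Scratch files holding the passphrase and device names are removed on exit,
#including the failure paths; the keyfile below is created 0600 from the start.
umask 077
trap 'rm -f password.txt DM.txt DEV.txt DEVP.txt' EXIT

mount -a

#read variable names again since export did not export them
read -d $'\x04' DM < DM.txt
read -d $'\x04' DEV < DEV.txt
read -d $'\x04' DEVP < DEVP.txt

#create keyfile
#The keyfile is bundled into the initramfs so the root volume is unlocked
#without a second passphrase prompt; UMASK=0077 keeps that initramfs (which then
#contains the keyfile) readable by root only.
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
mkdir /etc/luks
#512 bytes = 4096 bits; 2048 bytes = 16384 bits
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=2048 count=1
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile

#Enrol the keyfile in a second key slot of both volumes; the existing passphrase
#(password.txt on stdin) authorises this. Abort if either enrolment fails:
#crypttab would otherwise point at a keyfile that cannot open the volume.
cryptsetup luksAddKey "${DEVP}1" /etc/luks/boot_os.keyfile < password.txt || { echo "luksAddKey failed for ${DEVP}1" >&2; exit 1; }
cryptsetup luksAddKey "${DEVP}5" /etc/luks/boot_os.keyfile < password.txt || { echo "luksAddKey failed for ${DEVP}5" >&2; exit 1; }
#"discard" passes TRIM through the LUKS layer; it reveals which blocks are
#unused on the disk (a known trade-off against SSD wear/performance). Drop it
#if that leak matters more than TRIM.
echo "LUKS_BOOT UUID=$(blkid -s UUID -o value "${DEVP}1") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
echo "${DM}5_crypt UUID=$(blkid -s UUID -o value "${DEVP}5") /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

update-initramfs -u -k all

#The EXIT trap removes the scratch files; the script removes itself last.
rm -- "$0"

echo Done. Please reboot.
CHROOT_SCRIPT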
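#copy resources to /target
rm password.txt
#printf, not "echo $password": an unquoted echo collapses runs of whitespace and
#glob-expands '*' or '?', and the mangled string would then be enrolled as a
#LUKS key while the user keeps typing the original at boot. The file is created
#0600 (subshell umask) until the chroot script deletes it.
( umask 077; printf '%s\n' "$password" > /target/password.txt )
cp DM.txt /target/DM.txt
cp DEV.txt /target/DEV.txt
cp DEVP.txt /target/DEVP.txt
#Keep a copy of this installer on the new system for reference. "$0" is whatever
#name the script was launched as; the old hard-coded "installKubuntu2204.sh" did
#not match the file name given in the usage text, so the copy could fail.
if [[ -f "$0" ]]; then
  cp -- "$0" "/target/${0##*/}"
fi
chmod +x "$file"
cp "./$file" "/target/$file"
#chroot /target
chroot /target /bin/bash "$file" || echo "The chroot step failed; check the output above before rebooting." >&2
#Never leave the plaintext passphrase on the installed system, even if the
#chroot script died before its own cleanup.
rm -f /target/password.txt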