@ntrepid8
Last active December 17, 2023 08:26
Ubuntu 22.04 w/luks+btrfs

Notes on installing Ubuntu 22.04 with luks encryption and btrfs.

Based on:

Post Install

chroot

# mount -o subvol=@,ssd,noatime,commit=120,compress=zstd /dev/mapper/nvme0n1p3_crypt /mnt

# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -B $i /mnt$i; done

# chroot /mnt

Mount everything:

root@ubuntu:/# mount -av
/                        : ignored
/boot/efi                : successfully mounted
/home                    : successfully mounted
none                     : ignored

Verify btrfs subvolumes:

root@ubuntu:/# btrfs subvolume list /
# ID 256 gen 32 top level 5 path @
# ID 257 gen 14 top level 5 path @home

Install EFI bootloader

root@ubuntu:/# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

root@ubuntu:/# apt install -y --reinstall \
grub-efi-amd64-signed \
linux-generic \
linux-headers-generic \
linux-generic-hwe-22.04 \
linux-headers-generic-hwe-22.04

root@ubuntu:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-5.15.0-43-generic
update-initramfs: Generating /boot/initrd.img-5.15.0-47-generic

root@ubuntu:/# grub-install /dev/nvme0n1
Installing for x86_64-efi platform.
Installation finished. No error reported.

root@ubuntu:/# update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.15.0-47-generic
Found initrd image: /boot/initrd.img-5.15.0-47-generic
Found linux image: /boot/vmlinuz-5.15.0-43-generic
Found initrd image: /boot/initrd.img-5.15.0-43-generic
Adding boot menu entry for UEFI Firmware Settings
done

Double-check that the initramfs is readable only by root and that it contains the keyfile:

root@ubuntu:/# stat -L -c "%A  %n" /boot/initrd.img
-rw-------  /boot/initrd.img

root@ubuntu:/# lsinitramfs /boot/initrd.img | grep "^cryptroot/keyfiles/"
cryptroot/keyfiles/nvme01p3_crypt.key
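
The permission check above can be repeated after every kernel or initramfs update with a small script. This is an added example, not part of the original notes: the helper names and the optional ROOT prefix argument are assumptions, and it reads the keyfile path from the third field of /etc/crypttab as listed under "Final config files".

```shell
#!/bin/sh
# Added example (not from the original notes). Helper names are hypothetical.

# Print keyfile paths (3rd crypttab field), skipping comments, "none", "-"
# and device nodes such as /dev/urandom used for the throwaway swap key.
crypttab_keyfiles() {
    awk '$1 ~ /^#/ || NF < 3 { next }
         $3 == "none" || $3 == "-" || $3 ~ /^\/dev\// { next }
         { print $3 }' "$1"
}

# Succeed only if the file exists and grants nothing to group or others,
# i.e. its octal mode ends in "00" (600, 400, ...).
is_private() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# audit_keys CRYPTTAB BOOTDIR [ROOT]
# ROOT is prepended to keyfile paths: empty on the running system or inside
# the chroot, /mnt when auditing from the live session.
audit_keys() {
    bad=$(
        crypttab_keyfiles "$1" | while IFS= read -r f; do
            is_private "$3$f" || echo "keyfile missing or not private: $f"
        done
        for f in "$2"/initrd.img-*; do
            [ -e "$f" ] || continue
            is_private "$f" || echo "initrd not private: $f"
        done
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage inside the chroot: audit_keys /etc/crypttab /boot
```

audit_keys prints one line per offending file and returns non-zero, so it can gate a reboot or run from a post-update hook.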

Reboot

Exit the chroot and reboot:

root@ubuntu:/# exit

root@ubuntu:~# reboot now

You will be prompted to remove the live USB stick. Then, if everything worked, you will see this:

Enter the passphrase for hd0,gpt3 (some very long number):

Enter the passphrase to unlock grub and then select "ubuntu" from the grub menu.

Final config files

/etc/crypttab

nvme0n1p3_crypt UUID=8e893c0f-4060-49e3-9d96-db6dce7466dc /etc/luks/boot_os.keyfile luks,discard
swap_crypt UUID=9cae34c0-3755-43b1-ac05-2173924fd433 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=512

/etc/fstab

/dev/mapper/nvme0n1p3_crypt /         btrfs defaults,subvol=@,ssd,noatime,commit=120,compress=zstd:1,discard=async 0 0
UUID=D516-20D8              /boot/efi vfat  umask=0077 0 1
/dev/mapper/nvme0n1p3_crypt /home     btrfs defaults,subvol=@home,ssd,noatime,commit=120,compress=zstd:1,discard=async 0 0
/dev/mapper/swap_crypt      none      swap  sw 0 0