Encrypted dual boot setup for Pop!_OS and Windows 10 using LUKS and Bitlocker on Dell XPS 17 9700

Encrypted dual boot setup with Pop!_OS and Windows 10

How-to guide, using LUKS and Bitlocker on Dell XPS 17 9700

This guide is for those who want to use their XPS 17 in dual boot with their (preinstalled) Windows 10 and a new Pop!_OS installation, without giving up Bitlocker Encryption in Windows nor LUKS encryption in Linux.

The only guides that I could find were for Ubuntu, which it should be identical to, but I found the omission of a few steps to resolve issues that I encountered in my first install attempt. Hoping to save you some trouble, I am sharing the steps that worked for me, linking the original guides that I found useful.

1. Preparation

  • 1.1 Of course: Backup all your data! You always do this when people tell you to, right? Maybe this time better be safe than sorry.

  • 1.2 Safely note your Bitlocker recovery key somewhere off your XPS. Where to find it

  • 1.3 Prepare your installation medium. You can use Etcher on Windows to create a USB stick with Pop!_OS.

  • 1.4 SATA operation mode: Change your SSD's SATA operation mode from RAID to AHCI in your BIOS (WAIT, finish reading the next two sentences first). Dell ships the XPS' SSD in RAID, but Ubuntu won't be able to work with it. By default, your preinstalled Windows does not work in AHCI with the Dell-provided drivers, so you cannot just change it in the BIOS. To get it to work without re-installing Windows, you have to do this simple but effective trick to change the SATA operation mode: follow the steps for Option 2

  • 1.5 Disable Secure Boot: You can simply disable it in your BIOS. If you're hesitating: It's a proprietary piece of code that's not all that important for security. Most Linux distributions refuse to get listed as "Secure" due to philosophical differences. The only downside is: You may have to enter the long recovery key to access your Windows partition again. Don't worry, the screen looks bad, but you just have to enter it once and nothing is lost.

2. Install Pop!_OS

  • 2.1 Boot from your USB medium, by hitting F12 on startup and then selecting it.

  • 2.2 Select your language and keyboard, but stop before installing. Select "Try Demo Mode" instead.

  • 2.3 Set up two partitions, one for /boot and another one that we will encrypt and then use for root and swap. You can either follow the sgdisk instructions on the terminal (first half of Phase 3) or do the same on the visual Gparted tool. Either way, I recommend also reading the corresponding sections on the original thread on askubuntu and the instructions for XPS 15 9560 on github. You may skip the /home partition.

    Using sgdisk:

    sudo sgdisk -n=8:0:+768M /dev/nvme0n1
    sudo sgdisk -n=9:0:0 /dev/nvme0n1
    sudo sgdisk -c=8:/boot -c=9:rootfs /dev/nvme0n1
    sudo sgdisk -t=8:8300 -t=9:8300 /dev/nvme0n1
    sudo mkfs.ext4 -L boot /dev/nvme0n1p8
    
  • 2.4 Set up LUKS:

    $ sudo cryptsetup luksFormat --type=luks1 /dev/nvme0n1p9
    WARNING!
    ========
    This will overwrite data on /dev/nvme0n1p9 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase for /dev/nvme0n1p9: 
    Verify passphrase: 

    $ sudo cryptsetup open /dev/nvme0n1p9 pop_crypt
    Enter passphrase for /dev/nvme0n1p9: 

    $ ls /dev/mapper/
    control pop_crypt

  • 2.5 Configure LVM on the encrypted partition. Create at least as much swap space as you have RAM, and assign the rest to root.

    $ sudo pvcreate /dev/mapper/pop_crypt
    Physical volume "/dev/mapper/pop_crypt" successfully created.
    $ sudo vgcreate pop-vg /dev/mapper/pop_crypt
    Volume group "pop-vg" successfully created
    $ sudo lvcreate -L 32G -n swap_1 pop-vg
    Logical volume "swap_1" created.
    $ sudo lvcreate -l 100%FREE -n root pop-vg
    Logical volume "root" created.

  • 2.6 Without exiting the live demo, install Pop!_OS by running the installer from the sidebar, and choose "Something else" to configure partitions yourself.

    Map the small boot partition (in my case nvme0n1p8) as ext4 to /boot.

    Unlock the encrypted partition (in my case nvme0n1p9).

    Map our encrypted logical volume /dev/mapper/pop--vg-root as ext4 to /.

    Map our encrypted logical volume /dev/mapper/pop--vg-swap_1 as swap.

  • 2.7 Skip the remaining instructions of the guides!*

    * When I followed the instructions in my first attempt, the encrypted swap was not properly set up, and booting took close to two minutes. Trying to fix it, it would not boot at all anymore, so I went for a clean reinstallation, and this time decided to skip the remaining step, which worked flawlessly. I assume that Pop!_OS may have its automatic mechanism to correctly configure encrypted root and swap, so doing it manually may interfere with it.

  • 2.8 Reboot into your Pop!_OS

  • 2.9 Check that you are using the encrypted partition for / by running mount:

    $ mount | grep root
    /dev/mapper/pop--vg-root on / type ext4 (rw,noatime,errors=remount-ro)

  • 2.10 Check that you are using the encrypted swap partition:

    $ swapon -s
    Filename     Type       Size        Used    Priority
    /dev/dm-1    partition  33554428    0       -2

Note: you can use lsblk or sudo dmsetup info /dev/dm-1 to check what the dm-1 partition is (part of the device mapper in the kernel, used by LVM).
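
The mount and swapon output above shows device-mapper names but not whether a LUKS layer sits underneath them. As an added example (not part of the original guide), this script walks each device's parents with lsblk and reports whether a crypt mapping is in the stack; the function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that / and swap really sit on top of a LUKS mapping.

# classify: reads `lsblk -s -r -n -o NAME,TYPE <dev>` output on stdin
# (the device followed by its parent devices) and prints "encrypted" if
# any layer has TYPE crypt, otherwise "plaintext".
classify() {
    awk '$2 == "crypt" { found = 1 }
         END { print (found ? "encrypted" : "plaintext") }'
}

# check_device DEV: classify one block device on the running system.
check_device() {
    lsblk -s -r -n -o NAME,TYPE "$1" | classify
}

# audit_live: check the root filesystem and every active swap device.
# Returns non-zero if any of them has no crypt layer beneath it.
audit_live() {
    rc=0
    for dev in $(findmnt -n -o SOURCE /) $(swapon --show=NAME --noheadings); do
        state=$(check_device "$dev")
        echo "$state  $dev"
        [ "$state" = "encrypted" ] || rc=1
    done
    return "$rc"
}

# Constructed samples of lsblk output, modelled on this guide's layout:
# root is an LVM volume on pop_crypt, /boot is a plain partition.
SAMPLE_ROOT='pop--vg-root lvm
pop_crypt crypt
nvme0n1p9 part
nvme0n1 disk'
SAMPLE_BOOT='nvme0n1p8 part
nvme0n1 disk'

# "--live" audits the running system; otherwise only the samples are shown.
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "sample root: $(printf '%s\n' "$SAMPLE_ROOT" | classify)"
    echo "sample boot: $(printf '%s\n' "$SAMPLE_BOOT" | classify)"
fi
```

Run it with `--live` after step 2.8; the /boot partition is expected to classify as plaintext in this layout, since only nvme0n1p9 was formatted with LUKS.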

3. Post Setup

3.1 Boot

Bad solution

Sadly, Grub and Bitlocker don't play nice together, so the basic solution is to select one OS as your default (set it as first in the boot order in the BIOS). To boot into the other OS, you have to hit F12 during startup and then select it.

Proper Solution

I successfully fixed this with the excellent rEFInd tool. After setting it up, it works like a charm, even with custom kernels. All you need to do is to run this in your terminal:

sudo apt-add-repository ppa:rodsmith/refind
sudo apt update
sudo apt install refind

3.2 Drivers for Audio, Microphone, Fingerprint

UPDATE: With Pop!_OS 21.04, the audio works out of the box. (I did not try the fingerprint scanner.) You can skip this section now.

This reddit user posted a complete set of instructions that worked well for me. Only thing I had to do additionally: Install dependency package libfprint-2-tod1 with sudo apt-get install libfprint-2-tod1 before installing the fingerprint driver (Step 8).

EDIT: these fixes stopped working after updates (on Pop!_OS 20.10). 21.04 should include audio support in the mainline kernel.

4. Bonus

4.1 Access a Bitlocker data partition from Linux

TBD

4.2 Fix your clock:

From System76:

Windows and Linux store their time in the BIOS differently, this will cause your clock to be desynchronized when you switch from one OS to the other.

The easiest solution for it is to fix it in Linux, forcing it to work the same way as Windows. You can do this through the terminal:

timedatectl set-local-rtc 1 --adjust-system-clock

You can verify if the change has been successful, by running this command:

timedatectl

You should see RTC in local TZ: yes. If you need to revert it, just set it to 0:

timedatectl set-local-rtc 0 --adjust-system-clock

Notes

Guides for encrypted Ubuntu and Windows dual boot that I found helpful:

Keys:

  • Hit F2 on startup to enter the BIOS
  • Hit F12 on startup to select your boot medium