Skip to content

Instantly share code, notes, and snippets.

@smola

smola/README.md

Last active June 26, 2020 11:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save smola/cc5ff37e482114d0f309260bb09c49a5 to your computer and use it in GitHub Desktop.
Save smola/cc5ff37e482114d0f309260bb09c49a5 to your computer and use it in GitHub Desktop.
Download ZIP
Quick notes on installing Ubuntu with LUKS+LVM2
Raw
README.md

Quick notes on installing Ubuntu with LUKS+LVM2

These are just some quick notes about installing Ubuntu to an encrypted partition (LUKS) with LVM2 on top of it. The installer GUI has an advanced option to do this, but it is only available if you select the Erase disk and install Ubuntu option. I wanted to use this setup while preserving dual boot with Windows.

You should probably follow the following guide, instead of my instructions: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

TODO

  • Encrypt /boot partition (see the linked guide above).
  • Fix Windows boot loader, removed from GRUB after last update-grub.

System

This was tested with:

  • Ubuntu 20.04 (Focal Fossa) on a Dell XPS 15.
  • UEFI enabled
  • Secure Boot enabled initially, disabled after shrinking Windows partition.

Shrink Windows partition

  1. Boot to Windows.
  2. Disable BitLocker on C: device.
  3. Shrink C: device.

Install Ubuntu

Prepare LUKS and LVM2

  1. Boot with Ubuntu Live CD (Desktop).
  2. Choose Try Ubuntu.
  3. Create 2 partitions:
  4. One for /boot (e.g. 1G), you can encrypt it with LUKS but it needs to use --type=luks1 for this one!.
  5. One for the encrypted root.
  6. Go to a terminal:
  7. Identify your target partition (use lsblk for this), mine is /dev/nvme0n1p8.
  8. Create the LUKS volume: cryptsetup luksFormat --type=luks2 /dev/nvme0n1p8. This will prompt for setting the passphrase.
  9. Open the LUKS volume: cryptsetup open /dev/nvme0n1p8 cryptroot
  10. Create the LVM2 physical volume: pvcreate /dev/mapper/cryptroot
  11. Create the LVM2 volume group: vgcreate ubuntu-vg /dev/mapper/cryptroot
  12. Create the LVM2 logical volumes, for example: - lvcreate -L 32G -n swap ubuntu-vg - lvcreate -L 40G -n root ubuntu-vg - lvcreate -L 20G -n docker ubuntu-vg - lvcreate -L 100G -n home ubuntu-vg

Install

  1. Open the installer.
  2. On Installation type, select Something else.
  3. Assign the LVM logical volumes to their mount points. Do not forget the /boot and swap partitions.
  4. Continue as usual, when the installation finished, do not reboot, select Continue testing.
  5. Chroot into the installed system:
# Get LUKS UUID
blkid | grep LUKS

# chroot
mount /dev/ubuntu-vg/root /mnt
mount /dev/ubuntu-vg/home /mnt/home
# ...
mount /dev/nvme0n1p7 /boot
mount /dev/nvme0n1p1 /boot/efi
mount -o bind /dev /mnt/dev
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /run/lvm /mnt/run/lvm

echo "cryptroot UUID=<UUID here...> none luks,discard" >> /dev/crypttab
update-initramfs -k all -c
update-grub

And now reboot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment