With Secure Boot and rootfs LUKS encryption
Notes:
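# Debootstrap install of Ubuntu 18.04 (bionic) with UEFI Secure Boot and a
# LUKS-encrypted root filesystem.
#
# Layout: /dev/sdX1 = ESP, mounted at /boot (unencrypted vfat; holds GRUB,
#         kernel and initramfs)
#         /dev/sdX2 = LUKS container, opened as /dev/mapper/cryptroot, ext4 /
#
# Run as root from a live system, one step at a time. Replace /dev/sdX with
# the target disk (partition names differ on NVMe: p1/p2). Everything between
# "chroot /mnt bash" and "exit" is typed inside the chroot.

apt install debootstrap

# Partitioning: GPT, an ESP of ~512 MiB, then the root partition.
# NOTE(review): the start sectors (65535s, 1179630s) are not 1 MiB-aligned;
# parted may warn about alignment. Kept as in the original notes.
parted --script /dev/sdX \
  mklabel gpt \
  mkpart ESP fat32 65535s 1114095s \
  toggle 1 boot \
  mkpart Ubuntu 1179630s 68287470s

mkfs.fat -F32 -n ESP /dev/sdX1

# Create and open the LUKS container, then put the root filesystem inside it.
# luksFormat prompts for the passphrase that the initramfs will ask for at boot.
cryptsetup luksFormat /dev/sdX2
cryptsetup open /dev/sdX2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot

# Caveat: with /boot on the ESP the kernel and initramfs sit unencrypted.
# Secure Boot checks the shim -> GRUB -> kernel signatures, but the initramfs
# (which performs the LUKS unlock) is not covered by those signatures; the
# pre-unlock stage therefore relies on physical control of the machine
# (firmware setup password, GRUB superuser password) if that is in scope.
mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot

debootstrap --arch amd64 bionic /mnt http://mirror.transip.net/ubuntu/ubuntu

# Prepare and enter the chroot.
mount -t proc none /mnt/proc
mount -t sysfs none /mnt/sys
mount -o bind /dev /mnt/dev
cp -L /etc/resolv.conf /mnt/etc   # -L: copy the target if resolv.conf is a symlink
# The original note set XTERM=; programs read TERM, so that is what is exported here.
TERM=xterm-color LANG=en_US.UTF-8 PATH="$PATH:/bin:/sbin:/usr/sbin" chroot /mnt bash

# --- inside the chroot from here until "exit" ---
# Distinct red prompt; \[ \] around the escapes keep readline's column count right.
export PS1="\[\e[0;31m\]\u@CHROOT:\w# \[\e[m\]"

# Admin user (member of sudo); passwd prompts interactively.
useradd -d /home/user -G sudo -m -s /bin/bash user
passwd user

dpkg-reconfigure locales tzdata

# /etc/fstab — look the UUIDs up from OUTSIDE the chroot:
#   blkid /dev/sdX1     -> UUID of the ESP
#   lsblk -f /dev/sdX2  -> use the UUID of the ext4 filesystem
#                          (/dev/mapper/cryptroot), NOT the LUKS container's UUID
cat > /etc/fstab <<'EOF'
UUID=<UUID root filesystem>  /      ext4  errors=remount-ro  0  1
UUID=<UUID ESP>              /boot  vfat  defaults           0  2
EOF

cat > /etc/apt/sources.list <<'EOF'
deb http://nl.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
EOF

apt update
apt upgrade

# Kernel, signed bootloader chain (shim + GRUB) and the initramfs crypto hooks.
apt install linux-image-generic efibootmgr grub-efi-amd64-signed cryptsetup initramfs-tools shim-signed

# /etc/crypttab — here it IS the LUKS container's UUID: blkid /dev/sdX2
# "none" = prompt for the passphrase at boot; no key file is stored anywhere.
echo "cryptroot UUID=<UUID> none luks" >> /etc/crypttab

# GRUB_ENABLE_CRYPTODISK is presumably not required with /boot on the
# unencrypted ESP (GRUB never has to unlock LUKS itself); kept as in the notes.
cat >> /etc/default/grub <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=true
EOF

# initramfs: bundle cryptsetup, disable resume (no swap in this layout), rebuild.
sed -i '/^#CRYPTSETUP=/c\CRYPTSETUP=y' /etc/cryptsetup-initramfs/conf-hook
echo RESUME=none > /etc/initramfs-tools/conf.d/resume
update-initramfs -k all -u

# Install shim + signed GRUB into the ESP. --no-nvram: no firmware boot entry is
# written; if the firmware does not pick the install up on its own, add an
# entry with efibootmgr (installed above).
grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot --recheck --no-nvram
update-grub

apt install ubuntu-desktop

# Leave the chroot and tear down the mounts, then close the LUKS container.
exit
cd
umount /mnt/boot
umount /mnt/proc
umount /mnt/sys
umount /mnt/dev
umount /mnt
cryptsetup close /dev/mapper/cryptroot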