ubuntu_18_usb

Ubuntu 18 Bionic Beaver LTS on removable SSD

Ubuntu 18 Bionic Beaver LTS on removable SSD

With Secure Boot and rootfs LUKS encryption

Notes:

Was not able to install /boot on the encrypted partition. The signed grub loader doesn't seem to have all required modules signed. So I've installed /boot onto the ESP partition.

Install required packages

Install debootstrap:
```
apt install debootstrap
```

Perpare SSD

First unmount (auto)mounted partitions.

Partition the SSD. Start at sector 65535, for correct alignment of my SSD drive. Create a 512MiB UEFI ESP and 32GiB partition for Ubuntu.

parted --script /dev/sdX              \
    mklabel gpt                       \
    mkpart ESP fat32 65535s 1114095s  \
    toggle 1 boot                     \
    mkpart Ubuntu 1179630s 68287470s

Format the ESP:
```
mkfs.fat -F32 -n ESP /dev/sdX1
```

Create an encrypted partiton for Ubuntu:

cryptsetup luksFormat /dev/sdX2
cryptsetup open /dev/sdX2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot

Install Ubuntu 18 Bionic Beaver LTS

Mount root partition:
```
mount /dev/mapper/cryptroot /mnt
```

Mount ESP as /boot:

mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot

Install Ubuntu.

debootstrap --arch amd64 bionic /mnt http://mirror.transip.net/ubuntu/ubuntu

Enter chroot:

mount -t proc none /mnt/proc
mount -t sysfs none /mnt/sys
mount -o bind /dev /mnt/dev
cp -L /etc/resolv.conf /mnt/etc

XTERM=xterm-color LANG=en_US.UTF-8 PATH="$PATH:/bin:/sbin:/usr/sbin" chroot /mnt bash
export PS1="\e[0;31m\u@CHROOT:\w# \e[m"

Create new user:

useradd -d /home/user -G sudo -m -s /bin/bash user
passwd user

Configure locales and timezone:
```
dpkg-reconfigure locales tzdata
```

Add root and boot filesystem to /etc/fstab:

# Lookup UUID's:
#     blkid /dev/sdb1    # ESP
#     lsblk -f /dev/sdb2    # run from outside chroot, this is the UUID of the / ext4 partition, not LUKS!

/etc/fstab
UUID=<UUID root filesystem> /               ext4    errors=remount-ro 0       1
UUID=<UUID ESP>             /boot           vfat    defaults          0       2

Update apt repository sources:

cat > /etc/apt/sources.list <<EOF
deb http://nl.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
EOF

Update packages:
```
apt update
apt upgrade
```

Install required packages. Don't select a disk to install grub onto! Continue without installing grub.

apt install linux-image-generic efibootmgr grub-efi-amd64-signed cryptsetup initramfs-tools shim-signed

Configure crypttab:

# Lookup UUID with blkid
#    blkid /dev/sdb2

echo "cryptroot UUID=<UUID> none luks" >> /etc/crypttab

Configure grub:

cat >> /etc/default/grub <<EOF
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=true
EOF

Configure initramfs:

sed -i '/^#CRYPTSETUP=/c\CRYPTSETUP=y' /etc/cryptsetup-initramfs/conf-hook

echo RESUME=none > /etc/initramfs-tools/conf.d/resume

update-initramfs -k all -u

Install and configure grub:

grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot --recheck --no-nvram

update-grub

Install the default desktop:
```
apt install ubuntu-desktop
```

Exit the chroot and test your new installation:

exit
cd
umount /mnt/boot
umount /mnt/proc
umount /mnt/sys
umount /mnt/dev
umount /mnt
cryptsetup close /dev/mapper/cryptroot

[hardware, Ubuntu, linux, ssd]

Table of Contents

Ubuntu 18 Bionic Beaver LTS on removable SSD

Install required packages

Perpare SSD

Install Ubuntu 18 Bionic Beaver LTS