Ubuntu 18 Bionic Beaver LTS on removable SSD
With Secure Boot and rootfs LUKS encryption
- I was not able to install /boot on the encrypted partition: the signed GRUB loader doesn't seem to have all required modules signed. So I've installed /boot onto the ESP partition, which means the kernel and initramfs are stored there unencrypted.
Install required packages
- Install debootstrap:
apt install debootstrap
Prepare SSD
- First unmount (auto)mounted partitions.
- Partition the SSD. Start at sector 65535, for correct alignment of my SSD drive. Create a 512MiB UEFI ESP and a 32GiB partition for Ubuntu.
parted --script /dev/sdX \
  mklabel gpt \
  mkpart ESP fat32 65535s 1114095s \
  toggle 1 boot \
  mkpart Ubuntu 1179630s 68287470s
- Format the ESP:
mkfs.fat -F32 -n ESP /dev/sdX1
- Create an encrypted partition for Ubuntu:
cryptsetup luksFormat /dev/sdX2
cryptsetup open /dev/sdX2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
Install Ubuntu 18 Bionic Beaver LTS
- Mount root partition:
mount /dev/mapper/cryptroot /mnt
- Mount ESP as /boot:
mkdir -p /mnt/boot
mount /dev/sdX1 /mnt/boot
- Install Ubuntu.
debootstrap --arch amd64 bionic /mnt http://mirror.transip.net/ubuntu/ubuntu
- Enter chroot:
mount -t proc none /mnt/proc
mount -t sysfs none /mnt/sys
mount -o bind /dev /mnt/dev
cp -L /etc/resolv.conf /mnt/etc
XTERM=xterm-color LANG=en_US.UTF-8 PATH="$PATH:/bin:/sbin:/usr/sbin" chroot /mnt bash
export PS1="\e[0;31m\u@CHROOT:\w# \e[m"
- Create new user:
useradd -d /home/user -G sudo -m -s /bin/bash user
passwd user
- Configure locales and timezone:
dpkg-reconfigure locales tzdata
- Add root and boot filesystem to /etc/fstab:
# Look up the UUIDs:
# blkid /dev/sdX1 # ESP
# lsblk -f /dev/sdX2 # run from outside chroot, this is the UUID of the / ext4 partition, not LUKS!
/etc/fstab:
UUID=<UUID root filesystem> / ext4 errors=remount-ro 0 1
UUID=<UUID ESP> /boot vfat defaults 0 2
- Update apt repository sources:
cat > /etc/apt/sources.list <<EOF
deb http://nl.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://nl.archive.ubuntu.com/ubuntu/ bionic universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://nl.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://nl.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
EOF
- Update packages:
apt update
apt upgrade
- Install required packages. Don't select a disk to install grub onto! Continue without installing grub.
apt install linux-image-generic efibootmgr grub-efi-amd64-signed cryptsetup initramfs-tools shim-signed
- Configure crypttab:
# Look up the UUID of the LUKS partition with blkid
# blkid /dev/sdX2
echo "cryptroot UUID=<UUID> none luks" >> /etc/crypttab
- Configure grub:
- Configure initramfs:
sed -i '/^#CRYPTSETUP=/c\CRYPTSETUP=y' /etc/cryptsetup-initramfs/conf-hook
echo RESUME=none > /etc/initramfs-tools/conf.d/resume
update-initramfs -k all -u
- Install and configure grub:
grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot --recheck --no-nvram
update-grub
- Install the default desktop:
apt install ubuntu-desktop
- Exit the chroot and test your new installation:
exit
cd
umount /mnt/boot
umount /mnt/proc
umount /mnt/sys
umount /mnt/dev
umount /mnt
cryptsetup close /dev/mapper/cryptroot
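
The fstab and crypttab steps need two different UUIDs for the same partition: crypttab takes the UUID of the LUKS container, fstab the UUID of the ext4 filesystem inside it. As an added example (not part of the original guide), this script checks both files against saved blkid output; the function names are hypothetical and the sample data, including every UUID, is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): verify that crypttab points at the
# LUKS container and fstab at the filesystems, using saved `blkid` output.

uuid_type() {      # uuid_type BLKID_FILE UUID -> TYPE blkid reported for UUID
    # Leading spaces keep PARTUUID= and SEC_TYPE= from matching.
    grep -F " UUID=\"$2\"" "$1" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p'
}
fstab_uuid() {     # fstab_uuid FSTAB MOUNTPOINT -> UUID of that entry
    awk -v mp="$2" '$1 ~ /^UUID=/ && $2 == mp { sub(/^UUID=/, "", $1); print $1; exit }' "$1"
}
crypttab_uuid() {  # crypttab_uuid CRYPTTAB NAME -> UUID of that mapping's source
    awk -v n="$2" '$1 == n && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1"
}
expect() {         # expect BLKID_FILE UUID WANT_TYPE LABEL
    got=$(uuid_type "$1" "$2")
    if [ -n "$2" ] && [ "$got" = "$3" ]; then echo "ok:   $4 is $3"; return 0; fi
    echo "FAIL: $4 UUID '$2' is '${got:-unknown}', expected $3"; return 1
}
check_layout() {   # check_layout FSTAB CRYPTTAB BLKID_FILE -> 0 if all three match
    rc=0
    expect "$3" "$(crypttab_uuid "$2" cryptroot)" crypto_LUKS "crypttab cryptroot" || rc=1
    expect "$3" "$(fstab_uuid "$1" /)" ext4 "fstab /" || rc=1
    expect "$3" "$(fstab_uuid "$1" /boot)" vfat "fstab /boot" || rc=1
    return $rc
}

# Constructed sample data (all UUIDs are made up for the demonstration).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/blkid" <<'EOF'
/dev/sdX1: LABEL="ESP" UUID="1A2B-3C4D" TYPE="vfat" PARTLABEL="ESP" PARTUUID="00000000-0000-4000-8000-000000000001"
/dev/sdX2: UUID="11111111-1111-4111-8111-111111111111" TYPE="crypto_LUKS" PARTLABEL="Ubuntu" PARTUUID="00000000-0000-4000-8000-000000000002"
/dev/mapper/cryptroot: UUID="22222222-2222-4222-8222-222222222222" TYPE="ext4"
EOF
echo 'cryptroot UUID=11111111-1111-4111-8111-111111111111 none luks' > "$demo/crypttab"
cat > "$demo/fstab" <<'EOF'
UUID=22222222-2222-4222-8222-222222222222 / ext4 errors=remount-ro 0 1
UUID=1A2B-3C4D /boot vfat defaults 0 2
EOF
# The mistake the fstab step warns about: the root entry uses the LUKS UUID.
sed 's/^UUID=2[^ ]*/UUID=11111111-1111-4111-8111-111111111111/' "$demo/fstab" > "$demo/fstab.bad"

check_layout "$demo/fstab" "$demo/crypttab" "$demo/blkid"
check_layout "$demo/fstab.bad" "$demo/crypttab" "$demo/blkid" || echo "bad fstab detected"
```

On the real system, save the output of blkid to a file from outside the chroot while cryptroot is still open, then call check_layout with /mnt/etc/fstab, /mnt/etc/crypttab and that file.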
