Ben's notes

Linux, Unix, network, radio...


Ubuntu 18 Bionic Beaver LTS on removable SSD

With Secure Boot and rootfs LUKS encryption


  • Was not able to install /boot on the encrypted partition. The signed grub loader doesn't seem to have all required modules signed. So I've installed /boot onto the ESP partition.

Install required packages

  • Install debootstrap:
    apt install debootstrap

Prepare SSD

  • First unmount (auto)mounted partitions.
  • Partition the SSD. Start at sector 65535, for correct alignment of my SSD drive. Create a 512MiB UEFI ESP and a 32GiB partition for Ubuntu.
    parted --script /dev/sdX              \
        mklabel gpt                       \
        mkpart ESP fat32 65535s 1114095s  \
        toggle 1 boot                     \
        mkpart Ubuntu 1179630s 68287470s
  • Format the ESP:
    mkfs.fat -F32 -n ESP /dev/sdX1
  • Create an encrypted partition for Ubuntu:
    cryptsetup luksFormat /dev/sdX2
    cryptsetup open /dev/sdX2 cryptroot
    mkfs.ext4 /dev/mapper/cryptroot

Install Ubuntu 18 Bionic Beaver LTS

  • Mount root partition:
    mount /dev/mapper/cryptroot /mnt
  • Mount ESP as /boot:
    mkdir -p /mnt/boot
    mount /dev/sdX1 /mnt/boot
  • Install Ubuntu.
    debootstrap --arch amd64 bionic /mnt
  • Enter chroot:
    mount -t proc none /mnt/proc
    mount -t sysfs none /mnt/sys
    mount -o bind /dev /mnt/dev
    cp -L /etc/resolv.conf /mnt/etc
    TERM=xterm-color LANG=en_US.UTF-8 PATH="$PATH:/bin:/sbin:/usr/sbin" chroot /mnt bash
    export PS1="\e[0;31m\u@CHROOT:\w# \e[m"
  • Create new user:
    useradd -d /home/user -G sudo -m -s /bin/bash user
    passwd user
  • Configure locales and timezone:
    dpkg-reconfigure locales tzdata
  • Add root and boot filesystem to /etc/fstab:
    # Look up the UUIDs:
    #     blkid /dev/sdX1    # ESP
    #     lsblk -f /dev/sdX2    # run from outside chroot, this is the UUID of the / ext4 partition, not LUKS!
    UUID=<UUID root filesystem> /               ext4    errors=remount-ro 0       1
    UUID=<UUID ESP>             /boot           vfat    defaults          0       2
  • Update apt repository sources (replace <mirror URL> with your Ubuntu archive mirror):
    cat > /etc/apt/sources.list <<EOF
    deb <mirror URL> bionic main restricted
    deb <mirror URL> bionic-updates main restricted
    deb <mirror URL> bionic universe
    deb <mirror URL> bionic-updates universe
    deb <mirror URL> bionic multiverse
    deb <mirror URL> bionic-updates multiverse
    deb <mirror URL> bionic-backports main restricted universe multiverse
    deb <mirror URL> bionic-security main restricted
    deb <mirror URL> bionic-security universe
    deb <mirror URL> bionic-security multiverse
    EOF
  • Update packages:
    apt update
    apt upgrade
  • Install required packages. Don't select a disk to install grub onto! Continue without installing grub.
    apt install linux-image-generic efibootmgr grub-efi-amd64-signed cryptsetup initramfs-tools shim-signed
  • Configure crypttab:
    # Look up the UUID of the LUKS partition with blkid
    #    blkid /dev/sdX2
    echo "cryptroot UUID=<UUID> none luks" >> /etc/crypttab
  • Configure grub:
    cat >> /etc/default/grub <<EOF
  • Configure initramfs:
    sed -i '/^#CRYPTSETUP=/c\CRYPTSETUP=y' /etc/cryptsetup-initramfs/conf-hook
    echo RESUME=none > /etc/initramfs-tools/conf.d/resume
    update-initramfs -k all -u
  • Install and configure grub:
    grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot --recheck --no-nvram
  • Install the default desktop:
    apt install ubuntu-desktop
  • Exit the chroot and test your new installation:
    umount /mnt/boot
    umount /mnt/proc
    umount /mnt/sys
    umount /mnt/dev
    umount /mnt
    cryptsetup close /dev/mapper/cryptroot
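
The crypttab and fstab steps above use two different UUIDs for the same partition: the LUKS container UUID in /etc/crypttab and the ext4 UUID inside it in /etc/fstab. The following check is an added example, not part of the original notes; the function names and the sample UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. UUID values below are constructed, not from a real disk.
# On a real system obtain them with:
#   LUKS: blkid -s UUID -o value /dev/sdX2
#   ROOT: blkid -s UUID -o value /dev/mapper/cryptroot
#   ESP:  blkid -s UUID -o value /dev/sdX1

# Print field $3 of the first non-comment line in file $1 whose field $2 equals $4.
lookup() {
    awk -v out="$3" -v key="$2" -v val="$4" \
        '$1 !~ /^#/ && $key == val { print $out; exit }' "$1"
}

# check_uuids CRYPTTAB FSTAB LUKS_UUID ROOT_UUID ESP_UUID -> 0 if consistent
check_uuids() {
    rc=0
    ct=$(lookup "$1" 1 2 cryptroot)   # crypttab: mapping name -> source device
    rootsrc=$(lookup "$2" 2 1 /)      # fstab: mount point -> source
    bootsrc=$(lookup "$2" 2 1 /boot)
    if [ "$ct" != "UUID=$3" ]; then
        echo "crypttab: cryptroot -> '$ct', want LUKS container UUID=$3" >&2; rc=1
    fi
    if [ "$rootsrc" != "UUID=$4" ]; then
        echo "fstab: / -> '$rootsrc', want ext4 UUID=$4 (not the LUKS UUID)" >&2; rc=1
    fi
    if [ "$bootsrc" != "UUID=$5" ]; then
        echo "fstab: /boot -> '$bootsrc', want ESP UUID=$5" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: write a crypttab/fstab pair into directory $1.
# $2 = UUID placed in crypttab, $3 = UUID placed on the / line of fstab.
write_sample() {
    printf 'cryptroot UUID=%s none luks\n' "$2" > "$1/crypttab"
    printf '# <fs> <mount> <type> <opts> <dump> <pass>\n' > "$1/fstab"
    printf 'UUID=%s / ext4 errors=remount-ro 0 1\n' "$3" >> "$1/fstab"
    printf 'UUID=%s /boot vfat defaults 0 2\n' "$ESP" >> "$1/fstab"
}

LUKS=11111111-2222-3333-4444-555555555555   # constructed
ROOT=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee   # constructed
ESP=ABCD-1234                               # constructed

d=$(mktemp -d)
write_sample "$d" "$LUKS" "$ROOT"
check_uuids "$d/crypttab" "$d/fstab" "$LUKS" "$ROOT" "$ESP" && echo "wiring OK"
rm -rf "$d"
```

For the installation above, run check_uuids from outside the chroot against /mnt/etc/crypttab and /mnt/etc/fstab before unmounting.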
ubuntu_18_usb_ssd.txt · Last modified: 2021/10/09 15:14 by