Abstract:
- Two (Ubuntu-flavored) Linux installations, on separate partitions.
  - One of them LUKS encrypted
- Install on EFI (= using the EFI System Partition (ESP), too)
- The /home folder is on a different physical disk.
  - Also LUKS encrypted
- But: /boot is cleartext (*)

Steps:
- Boot a live-distro Xubuntu installer image
- Manually partition your disks as desired: separate boot, root, home.
  - Consider and handle ESP
  - Init LUKS encryption + open /dev/mapper entries
- Run the GUI installer
  - Partitions: Select "something else".
  - Assign boot, root, home and ESP to their (virtual) partitions.
  - Install GRUB2
- Finish GUI installation
- chroot to installation target:
  - edit crypttab
  - edit /etc/default/grub (re-enable OS-Prober)
  - update-initramfs && grub-install
- Cross fingers...
- Reboot.
In my case, I've used both: 20.04 and 22.04 - as I'll be installing these 2 versions alongside each other.
Disk layout:
```
# Additional SSD:
/dev/sda1 /home (LUKS2)
# Built-in M2 SSD chip:
/dev/sdb1 EFI System Partition (ESP)
/dev/sdb2 /boot
/dev/sdb3 System1
/dev/sdb4 System2 (LUKS2)
```
I've installed 22.04 first. On a regular unencrypted partition. A basic "next-next-finalize-reboot" installation.
All into /dev/sdb3.
STEP 2: Reboot into the new "System1" installation
It's just way more comfortable than trial-and-error reboot loops with a live-distro (that always defaults to the wrong keyboard layout).
STEP 3: Create the desired LUKS disk/partition layout
```
$ sudo -i
# System (root):
cryptsetup luksFormat /dev/sdb4
cryptsetup luksOpen /dev/sdb4 my_sys
# Home storage:
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 my_home
# Format them to ext4:
# (the /dev/mapper entries appear if the previous luksOpen were successful)
mkfs.ext4 -L my_sys /dev/mapper/my_sys
mkfs.ext4 -L my_home /dev/mapper/my_home
```
STEP 4: Boot into the next Xubuntu live-installer (20.04)
* Run the GUI installer.
* Select "something else".
* Select and assign the partitions as follows:
```
/dev/sdb1            ESP    # the installer should already have auto-detected the ESP, but better check here
/dev/sdb2            /boot
/dev/mapper/my_sys   /
/dev/mapper/my_home  /home
```
ESP flags: [x] EFI System, [x] boot
Install GRUB onto the main storage (=M2 on that HP ProBook 470g6): /dev/sdb
* Let the installation finish. Close the installer.
* Continue the live-session. Open a Terminal
STEP 5: Chroot to installation target and patch some things
Many thanks to Steps 8+ from this HowTo on AskUbuntu!
Without rebooting, you've opened a terminal.
Find the UUIDs of the LUKS partitions; you will need them later:
```
sudo blkid /dev/sdb*
sudo blkid /dev/sda1
```
Example output:
```
/dev/sda1: UUID="3353fb5c-5a8e-499d-9962-87a81164f43e" TYPE="crypto_LUKS"
```
Set up the target chroot:
```
sudo mount /dev/mapper/my_sys /mnt
sudo mount /dev/sdb2 /mnt/boot
sudo mount /dev/sdb1 /mnt/boot/efi
sudo mount /dev/mapper/my_home /mnt/home
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
# Inside the chroot:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
```
STEP 6: Create a proper /etc/crypttab
Create a file called "/etc/crypttab" containing one LUKS volume per line:
```
# <target name> <source device> <key file> <options>
my_sys UUID=3353fb5c-5a8e-499d-9962-87a81164f43e none luks
my_home UUID=04e36e97-5d33-465e-9ce0-32bf5ac6f4ad none luks
```
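A crypttab that names the wrong UUID or carries a mistyped option only shows up as a failed unlock at the next boot, so it is worth linting inside the chroot first. The following is an added example, not part of the original post: `check_crypttab` is a hypothetical helper, the UUIDs and `blkid` lines are constructed sample data, and it assumes every entry is meant to carry the `luks` option as in the crypttab above.

```shell
#!/bin/sh
# Added example: lint a crypttab against saved `blkid` output.
# Prints one finding per line; prints nothing if every entry checks out.
check_crypttab() {  # usage: check_crypttab CRYPTTAB_FILE BLKID_OUTPUT_FILE
    while read -r name src key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "$name: source '$src' is not a UUID= reference"; continue ;;
        esac
        # Must be the LUKS container's UUID, not that of the ext4 inside it.
        # The leading space keeps PARTUUID="..." from matching.
        if ! grep -F " UUID=\"$uuid\"" "$2" | grep -qF 'TYPE="crypto_LUKS"'; then
            echo "$name: UUID $uuid is not a crypto_LUKS device"
        fi
        # Assumption: every entry carries the 'luks' option, as on this page.
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$name: options '$opts' lack the 'luks' keyword" ;;
        esac
    done < "$1"
}

# Constructed sample data; the UUIDs are made up for this example.
demo_dir=$(mktemp -d)
cat > "$demo_dir/blkid.txt" <<'EOF'
/dev/sdb4: UUID="11111111-1111-4111-8111-111111111111" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-04"
/dev/sda1: UUID="22222222-2222-4222-8222-222222222222" TYPE="crypto_LUKS" PARTUUID="bbbbbbbb-01"
/dev/mapper/my_sys: LABEL="my_sys" UUID="33333333-3333-4333-8333-333333333333" TYPE="ext4"
EOF
cat > "$demo_dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
my_sys  UUID=33333333-3333-4333-8333-333333333333 none luks
my_home UUID=22222222-2222-4222-8222-222222222222 none luke
EOF
check_crypttab "$demo_dir/crypttab" "$demo_dir/blkid.txt"
```

On the real system, save the output of `blkid` to a file and pass `/etc/crypttab` as the first argument.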
STEP 7: Update the boot image and GRUB entries
Yes, we're still in the live-session after the install has finished (before rebooting).
In the target chroot, do the following:
Edit /etc/default/grub, in order to:
1) re-enable the "OS prober" (which we require for detecting the previously installed "System1" (Xubuntu 22.04))
2) change grub timeout and menu
```
GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=menu
GRUB_TIMEOUT=7
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="splash"
GRUB_CMDLINE_LINUX=""
GRUB_DISABLE_OS_PROBER=false
```
Now, update the initramfs and have OS-prober find the System1 partition and automatically add it to "our" currently generated /boot/grub/grub.cfg:
```
update-initramfs -k all -c
update-grub
```
Since our grub.cfg now contains the probed System1, **our** GRUB menu offers to boot System1.
STEP 8: Reboot && Celebrate!
You should now be greeted by a nice familiar GRUB menu, offering "Ubuntu" (LUKS) and "Ubuntu 22.04" (regular) boot options.
When choosing "Ubuntu" you should shortly after be required to enter the passphrases for my_sys and my_home.
And when choosing "Ubuntu 22.04" - you'll boot the 1st installation (System1). As expected.
Tataaaaaaa!
-------
(*) Optional-Way-Too-Detailed-Nerd-Rant:
*phew* --- Trying to have a LUKS1 encrypted /boot just took me 3 days now to understand, fail - and then re-install from scratch.
Something I've kinda already set up 2 years ago on another machine. Running smoothly.
Well, kinda-similar:
The previous setup had all partitions (boot, esp, /, home, etc) on the same drive.
This setup has /home on a separate physical disk.
Seems to have become less common to do dualboot with multiple GNU/Linux distributions.
Oh, btw: If only the installer would offer this existing option for different partition assignments?
References:
* BIG thanks to User Flimm's howto-reply on AskUbuntu
* https://help.ubuntu.com/community/Full_ ... Howto_2019