
Dual-boot with 2 Xubuntu versions - one LUKS encrypted

Posted: Mon Jan 02, 2023 1:21 am
by ^rooker
Purpose of this HowTo:

Abstract:
  • Have 2 (Ubuntu-flavored) Linux installations, separate on different partitions.
      • One of them LUKS encrypted
  • Install on EFI (= using the EFI System Partition (ESP), too)
  • The /home folder is on a different physical disk.
      • Also LUKS encrypted
  • But: /boot is cleartext (*)

Steps:
  1. Boot a live-distro Xubuntu installer image
  2. Manually partition your disks as desired: separate boot, root, home.
  3. Consider and handle ESP
  4. Init LUKS encryption + open /dev/mapper entries
  5. Run the GUI installer
  6. Partitions: Select "something else".
  7. Assign boot, root, home and ESP to their (virtual)partitions.
  8. Install GRUB2
  9. Finish GUI installation
  10. chroot to installation target
  11. edit crypttab
  12. edit /etc/default/grub (re-enable OS-Prober)
  13. update-initramfs && grub-install
  14. Cross fingers...
  15. Reboot.

STEP 1: Boot a live-distro installer and install the 1st system
In my case, I've used both: 20.04 and 22.04 - as I'll be installing these 2 versions alongside each other.

Disk layout:

Code:

# Additional SSD:
/dev/sda1	/home	(LUKS2)

# Built-in M2 SSD chip:
/dev/sdb1	EFI System Partition (ESP)
/dev/sdb2	/boot
/dev/sdb3	System1
/dev/sdb4	System2	(LUKS2)

Should be simple, right? :wink:

I've installed 22.04 first. On a regular unencrypted partition. A basic "next-next-finalize-reboot" installation.
All into /dev/sdb3.

STEP 2: Reboot into the new "System1" installation
It's just way more comfortable than trial-and-error reboot loops with a live-distro (that always defaults to the wrong keyboard layout :evil:).
:roll:

STEP 3: Create the desired LUKS disk/partition layout

Code:

$ sudo -i

# System (root):
# (luksFormat asks for confirmation and a passphrase, and overwrites what is on the partition)
cryptsetup luksFormat /dev/sdb4
cryptsetup luksOpen /dev/sdb4 my_sys

# Home storage:
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 my_home

# Format them to ext4:
# (the /dev/mapper entries appear if the previous luksOpen were successful)
mkfs.ext4 -L my_sys /dev/mapper/my_sys
mkfs.ext4 -L my_home /dev/mapper/my_home
# TODO: set label and allow-discards (for SSD) on the LUKS partitions, and add info about LUKS config options.


STEP 4: Boot into the next Xubuntu live-installer (20.04)

* Run the GUI installer.
* Select "something else".

* Select and assign the partitions as follows:

/dev/sdb1 ESP (the installer should already have auto-detected the ESP, but better check here)
/dev/sdb2 /boot
/dev/mapper/my_sys /
/dev/mapper/my_home /home

ESP flags: [x] EFI System, [x] boot
Install GRUB onto the main storage (=M2 on that HP ProBook 470g6): /dev/sdb

* Let the installation finish. Close the installer.
* Continue the live-session. Open a terminal.


STEP 5: Chroot to installation target and patch some things

Many thanks to Steps 8+ from this HowTo on AskUbuntu!
You have not rebooted, and you've opened a terminal in the live session.

Find the UUIDs of the LUKS partitions; you will need them later:

Code:

sudo blkid /dev/sdb*
sudo blkid /dev/sda1

Output looks something like this:
/dev/sda1: UUID="3353fb5c-5a8e-499d-9962-87a81164f43e" TYPE="crypto_LUKS"

Set up the target chroot:

Code:

sudo mount /dev/mapper/my_sys /mnt
sudo mount /dev/sdb2 /mnt/boot
sudo mount /dev/sdb1 /mnt/boot/efi
sudo mount /dev/mapper/my_home /mnt/home
sudo mount --bind /dev /mnt/dev

sudo chroot /mnt
# The following commands run inside the chroot:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

STEP 6: Create a proper /etc/crypttab

Create a file called "/etc/crypttab" containing one line per LUKS volume (use the UUIDs that blkid reported for your LUKS partitions):

Code:

# <target name>	<source device>		<key file>	<options>
my_sys    UUID=3353fb5c-5a8e-499d-9962-87a81164f43e    none luks
my_home UUID=04e36e97-5d33-465e-9ce0-32bf5ac6f4ad    none luks


STEP 7: Update the boot image and GRUB entries
Yes, we're still in the live-session after the install has finished (before rebooting).

In the target chroot, do the following:

Edit /etc/default/grub, in order to:
1) re-enable the "OS prober" (which we require for detecting the previously installed "System1 (Xubuntu 22.04)")
2) change grub timeout and menu

Code:

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=menu
GRUB_TIMEOUT=7
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="splash"
GRUB_CMDLINE_LINUX=""

GRUB_DISABLE_OS_PROBER=false

NOTE: No need to add any CRYPTO-whatever flags/options/settings to GRUB2 at this boot-level, because GRUB ain't handling LUKS in this setup: the kernel from /boot is doing that. There are many HowTos out there. Excellent ones! But when dealing with an encrypted /boot partition, the GRUB configuration parameters are different.

Now, update the initramfs and have OS-prober find the System1 partition and automatically add it to "our" currently generated /boot/grub/grub.cfg:

Code:

$ update-initramfs -k all -c

Followed by:

Code:

$ update-grub

AFAIK this also updates the entry in the EFI System Partition (ESP) to now point to *this* installation - System2 - (rather than the previous System1).
Since our grub.cfg now contains the probed System1, **our** GRUB menu offers to boot System1.


STEP 8: Reboot && Celebrate!

You should now be greeted by a nice familiar grub menu :D
Offering "Ubuntu" (LUKS) and "Ubuntu 22.04" (regular) boot options.

When choosing "Ubuntu" you should shortly after be required to enter the passphrases for my_sys and my_home.
And when choosing "Ubuntu 22.04" - you'll boot the 1st installation (System1). As expected.

Tataaaaaaa! 8)

-------
(*) Optional-Way-Too-Detailed-Nerd-Rant:
*phew* --- Trying to have a LUKS1 encrypted /boot just took me 3 days now to understand, fail - and then re-install from scratch.
Something I've kinda already set up 2 years ago on another machine. Running smoothly.

Well, kinda-similar:
The previous setup had all partitions (boot, esp, /, home, etc) on the same drive.
This setup has /home on a separate physical disk.
Seems to have become less common to do dualboot with multiple GNU/Linux distributions.


Oh, btw: If only the installer would offer this existing option for different partition assignments?


References:
* BIG thanks to User Flimm's howto-reply on AskUbuntu
* https://help.ubuntu.com/community/Full_ ... Howto_2019
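
An added example, not part of the original post: a small POSIX shell check for the /etc/crypttab from STEP 6, run against the blkid output from STEP 5 before the initramfs is rebuilt. It flags a source UUID that is not a LUKS container (for instance the UUID of the ext4 filesystem inside /dev/mapper/my_sys) and options outside an allow-list; the function names, the ALLOWED_OPTS list and all sample UUIDs are constructed for this example.

```sh
#!/bin/sh
# Added example: sanity-check crypttab against blkid output before update-initramfs.
# ALLOWED_OPTS is this example's own allow-list (assumption); extend it from crypttab(5).
ALLOWED_OPTS="luks discard"
# check_crypttab CRYPTTAB BLKID_OUTPUT: prints findings, exit status = number of findings
check_crypttab() (
    problems=0
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac        # skip blank and comment lines
        if [ -z "$opts" ]; then
            echo "$name: expected 4 fields"; problems=$((problems + 1)); continue
        fi
        uuid=${src#UUID=}
        if [ "$uuid" = "$src" ]; then
            echo "$name: source is not UUID=..."; problems=$((problems + 1))
        # The UUID must be the LUKS container's, not that of the filesystem inside it.
        elif ! grep -F " UUID=\"$uuid\"" "$2" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "$name: UUID is not a crypto_LUKS device"; problems=$((problems + 1))
        fi
        for opt in $(echo "$opts" | tr ',' ' '); do     # options are comma-separated
            case " $ALLOWED_OPTS " in
                *" $opt "*) ;;
                *) echo "$name: unexpected option '$opt'"; problems=$((problems + 1)) ;;
            esac
        done
    done < "$1"
    exit "$problems"
)

# Constructed sample data (not from a real machine): one good entry, two bad ones.
demo() (
    dir=$(mktemp -d)
    cat > "$dir/blkid.txt" <<'EOF'
/dev/sdb4: UUID="11111111-aaaa-4bbb-8ccc-000000000001" TYPE="crypto_LUKS" PARTUUID="p4"
/dev/sda1: UUID="11111111-aaaa-4bbb-8ccc-000000000002" TYPE="crypto_LUKS" PARTUUID="p1"
/dev/mapper/my_sys: LABEL="my_sys" UUID="11111111-aaaa-4bbb-8ccc-000000000003" TYPE="ext4"
EOF
    cat > "$dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
my_sys   UUID=11111111-aaaa-4bbb-8ccc-000000000001 none luks,discard
my_home  UUID=11111111-aaaa-4bbb-8ccc-000000000002 none lukz
my_data  UUID=11111111-aaaa-4bbb-8ccc-000000000003 none luks
EOF
    check_crypttab "$dir/crypttab" "$dir/blkid.txt" && rc=0 || rc=$?
    rm -rf "$dir"
    exit "$rc"
)
demo || echo "findings: $?"
```

Inside the chroot from STEP 5, save the output of blkid to a file and pass it as the second argument, with /etc/crypttab as the first.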