Ubuntu 18.04 installation with LUKS and LVM

Installation Process

Pre-installation from live OS

This setup of Ubuntu with LUKS and LVM is tested on Ubuntu 18.04.

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/nvme0n1.

  1. Partition the drive with your tool of choice: I used gparted to set mine up.
    • Make sure the drive on which we are about to install is completely unallocated.
    • The first partition must always be the ESP partition. Set the following fields:
      • Free space preceding - Change only if required (it might not accept zero)
      • New Size - 550MiB
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - EFI System Partition
      • File System - fat32
      • Label - ESP
    • Press Add, and then the big green tick and "Apply".
    • Right-click your new partition (with the name "EFI System Partition") and select "Manage Flags".
    • Select "esp", which will automatically change a couple of other flags. Press Close.
    • The next partition is the boot partition. Set the following fields:
      • Free space preceding - Automatic value
      • New Size - 1024 MiB
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - boot
      • File System - ext4
      • Label - boot
    • The next partition is the encryption partition. Set the following fields:
      • Free space preceding - Automatic value
      • New Size - Entire space available
      • Free space following - (will be calculated automatically)
      • Align to - MiB
      • Partition Name - system
      • File System - cleared
      • Label - system
  2. The resulting partition table will look as follows:
    • nvme0n1p1: EFI partition 550 MiB
    • nvme0n1p2: /boot (1G)
    • nvme0n1p3: LUKS partition (the rest of the disk)
  3. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p3
    • sudo cryptsetup luksOpen /dev/nvme0n1p3 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. BEWARE, this could take a really long time!
    • sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
  4. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 20G vg0
    • sudo lvcreate -n root -l +100%FREE vg0

Installation from live OS

  1. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/nvme0n1p2 as /boot. The /boot partition must not be encrypted; if it is, we won't be able to boot.
  2. Press the "Change…" button and assign the boot, swap and root (/) partitions to their installation partitions.
  3. Change the "Device for boot loader installation" to /dev/nvme0n1, and continue with installation.
  4. When installation is complete, don't reboot! Choose the option to "Continue Testing".

Post-installation configuration from live OS

  1. In a terminal, type the following and look for the UUID of /dev/nvme0n1p3. Take note of that UUID for later.

    • sudo blkid | grep LUKS
    • The important line on my machine reads /dev/nvme0n1p3: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  2. Next, let's get the newly installed system mounted again so we can make some more changes.

    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/nvme0n1p2 /mnt/boot
    • sudo mount --bind /dev /mnt/dev
    • sudo mount --bind /run/lvm /mnt/run/lvm
    • sudo mount /dev/nvme0n1p1 /mnt/boot/efi
  3. Now run sudo chroot /mnt to access the installed system

  4. From the chroot, mount a couple more things
    - mount -t proc proc /proc
    - mount -t sysfs sys /sys
    - mount -t devpts devpts /dev/pts

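  5. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, replacing the UUID with the UUID of your disk. The discard option lets TRIM requests pass through to the SSD, which reveals which blocks are unused; leave it out if that matters to you.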
    - CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard

  6. Lastly, rebuild some boot files.
    - update-initramfs -k all -c
    - update-grub

  7. Reboot, and the system should ask for a password to decrypt on boot!
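
A check worth running before the reboot in step 7, as an added example that is not part of the original guide: it confirms that the crypttab line from step 5 carries the LUKS header UUID that blkid reported in step 1, not the PARTUUID and not a quoted value. The function names are hypothetical and the sample input is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not part of the original guide; sample data is constructed
# from the values shown in steps 1 and 5. Function names are hypothetical.

# Print the UUID of device $1 if the blkid output on stdin lists it as LUKS.
# PARTUUID= is skipped on purpose: crypttab needs the LUKS header UUID.
luks_uuid() {
    awk -v dev="$1:" '$1 == dev && /TYPE="crypto_LUKS"/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^UUID="/) { gsub(/^UUID="|"$/, "", $i); print $i }
    }'
}

# Succeed if crypttab line $1 carries option $2 in its fourth field.
crypttab_has_option() (
    set -f; opt=$2; set -- $1       # split: name source keyfile options
    case ",${4:-}," in *,"$opt",*) exit 0 ;; esac
    exit 1
)

# Check crypttab line $1 against the LUKS UUID $2; print the first problem.
check_crypttab_line() (
    line=$1 uuid=$2
    set -f; set -- $line
    [ "${2:-}" = "UUID=$uuid" ] || { echo "source '${2:-}' is not UUID=$uuid"; exit 1; }
    crypttab_has_option "$line" luks || { echo "missing 'luks' option"; exit 1; }
    crypttab_has_option "$line" discard && echo "note: 'discard' forwards TRIM to the SSD"
    exit 0
)

# Constructed sample input mirroring the guide's example machine.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="50d86889-01"
/dev/nvme0n1p3: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"'
SAMPLE_CRYPTTAB='CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard'

uuid=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid /dev/nvme0n1p3)
check_crypttab_line "$SAMPLE_CRYPTTAB" "$uuid" && echo "crypttab matches $uuid"
```

On the live system, feed luks_uuid the output of sudo blkid and pass check_crypttab_line the CryptDisk line from /mnt/etc/crypttab.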


Enabling System Hibernation

Configuring encrypted Swap

  1. Identify the Swap partition path by viewing the fstab.
    • cat /etc/fstab
    • The swap path would look something like /dev/mapper/vg0-swap
  2. Create a resume file in initramfs so the swap can be loaded at boot.
    • sudo gedit /etc/initramfs-tools/conf.d/resume
    • Add the following line to the file and save it: RESUME=/dev/mapper/vg0-swap
  3. Add the same value to the GRUB configuration
    • sudo gedit /etc/default/grub
    • GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vg0-swap"
  4. Update kernel image and grub
    sudo update-initramfs -u -k all
    sudo update-grub
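
The three settings from steps 1 to 3 have to name the same device, or the kernel will not find the hibernation image on resume. The following added example (not part of the original guide) compares them; the function names are hypothetical, the sample file contents are constructed, and it assumes fstab refers to swap by its /dev/mapper path as described in step 1.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# hypothetical; sample file contents below are constructed.

# Print the RESUME= value from initramfs resume-file text on stdin.
initramfs_resume() {
    sed -n 's/^[[:space:]]*RESUME=//p' | tail -n 1
}

# Print the resume= kernel parameter from /etc/default/grub text on stdin.
# Assumes at most one resume= across the GRUB_CMDLINE_LINUX* variables.
grub_resume() {
    sed -n 's/^GRUB_CMDLINE_LINUX[A-Z_]*="\(.*\)"[[:space:]]*$/\1/p' |
        tr ' ' '\n' | sed -n 's/^resume=//p' | tail -n 1
}

# Succeed if device $1 is listed with type swap in fstab text on stdin.
fstab_has_swap() {
    awk -v dev="$1" '$1 == dev && $3 == "swap" { found = 1 } END { exit !found }'
}

# $1 = resume file text, $2 = grub file text, $3 = fstab text.
# Prints the first disagreement and fails, or prints the agreed device.
check_resume() (
    r=$(printf '%s\n' "$1" | initramfs_resume)
    g=$(printf '%s\n' "$2" | grub_resume)
    [ -n "$r" ] || { echo "no RESUME= in initramfs config"; exit 1; }
    [ "$r" = "$g" ] || { echo "initramfs RESUME=$r but kernel resume=${g:-<unset>}"; exit 1; }
    printf '%s\n' "$3" | fstab_has_swap "$r" || { echo "$r is not a swap entry in fstab"; exit 1; }
    echo "resume device: $r"
)

# Constructed sample contents matching the values used in this guide.
SAMPLE_RESUME='RESUME=/dev/mapper/vg0-swap'
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vg0-swap"
GRUB_CMDLINE_LINUX=""'
SAMPLE_FSTAB='/dev/mapper/vg0-root / ext4 errors=remount-ro 0 1
/dev/mapper/vg0-swap none swap sw 0 0'

check_resume "$SAMPLE_RESUME" "$SAMPLE_GRUB" "$SAMPLE_FSTAB"
```

On the installed system, pass the contents of /etc/initramfs-tools/conf.d/resume, /etc/default/grub and /etc/fstab as the three arguments.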

Enabling Hibernate

  1. Test whether hibernate is supported in your system by manually running the hibernate command from the terminal
    sudo systemctl hibernate

  2. If hibernate works as expected, open the following file.

    • sudo gedit /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
  3. Add the following snippet to the file and save it.


[Re-enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes

[Re-enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes

  4. Restart the system after modifying the configuration.
  5. Install the Hibernate Status Button GNOME extension to add a hibernate button to the GUI.

Enabling PM Utils

  1. Install PM Utils using the following command.
    sudo apt install --assume-yes --quiet pm-utils
  2. Check if your system supports hybrid suspend
    sudo pm-is-supported --suspend-hybrid && echo 'Hybrid suspend available' || echo 'Hybrid suspend NOT supported'
  3. If hybrid suspend is supported then add the following lines to /etc/systemd/logind.conf

HandleSuspendKey=hybrid-sleep
HandleLidSwitch=hybrid-sleep


Nvidia Graphic driver issue

I had issues with suspend and hibernate when using the Nvidia graphic driver (Quadro p1000). If you encounter such issues, add the following line to /etc/default/grub

GRUB_CMDLINE_LINUX="nouveau.blacklist=1 acpi_rev_override=1 acpi_osi=Linux acpiphp.disable=1 nouveau.modeset=0 pcie_aspm=force drm.vblankoffdelay=1 scsi_mod.use_blk_mq=1 nouveau.runpm=0 mem_sleep_default=deep"

Once the configuration is saved then run the following command to refresh grub
sudo update-grub

