Ubuntu 18.04 installation with LUKS and LVM
Installation Process
Pre-installation from live OS
This setup of Ubuntu with LUKS and LVM is tested on Ubuntu 18.04.
Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/nvme0n1.
- Partition the drive with your tool of choice: I used gparted to set mine up.
- Make sure the drive in which we are about to install is completely unallocated.
- The first partition must always be the ESP partition. Set the following fields:
- Free space preceding - Change only if required (it might not accept zero)
- New Size - 550MiB
- Free space following - (will be calculated automatically)
- Align to - MiB
- Partition Name - EFI System Partition
- File System - fat32
- Label - ESP
- Press Add, and then the big green tick and "Apply".
- Right-click your new partition (with the name "EFI System Partition") and select "Manage Flags".
- Select "esp", which will automatically change a couple of other flags. Press Close.
- The next partition is the boot partition. Set the following fields:
- Free space preceding - Automatic value
- New Size - 1024 MiB
- Free space following - (will be calculated automatically)
- Align to - MiB
- Partition Name - boot
- File System - ext4
- Label - boot
- The next partition is the encryption partition. Set the following fields:
- Free space preceding - Automatic value
- New Size - Entire space available
- Free space following - (will be calculated automatically)
- Align to - MiB
- Partition Name - system
- File System - cleared
- Label - system
- The resulting partition table will look as follows:
- nvme0n1p1: EFI partition 550 MiB
- nvme0n1p2: /boot (1G)
- nvme0n1p3: LUKS partition (the rest of the disk)
- Set up LUKS
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p3
sudo cryptsetup luksOpen /dev/nvme0n1p3 CryptDisk
- While not necessary, it is a good idea to fill the opened LUKS mapping with zeros. The zeros are encrypted on their way to disk, so the underlying partition ends up filled with data that looks random.
sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
BEWARE, this could take a really long time! dd ends with a "No space left on device" error once the mapping is full; that is expected.
- Set up LVM on /dev/mapper/CryptDisk
sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
sudo lvcreate -n swap -L 20G vg0
sudo lvcreate -n root -l +100%FREE vg0
Installation from live OS
- Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/nvme0n1p2 as /boot. The /boot partition must not be encrypted. If it is, we won't be able to boot.
- Press the "Change…" button and assign the boot, swap and root (/) partitions to the installation partitions.
- Change the "Device for boot loader installation" to /dev/nvme0n1, and continue with installation.
- When installation is complete, don't reboot! Choose the option to "Continue Testing".
Post-installation configuration from live OS
- In a terminal, type the following and look for the UUID of /dev/nvme0n1p3. Take note of that UUID for later.
sudo blkid | grep LUKS
- The important line on my machine reads
/dev/nvme0n1p3: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
- Next, let's get the newly installed system mounted again so we can make some more changes.
sudo mount /dev/vg0/root /mnt
sudo mount /dev/nvme0n1p2 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo mount --bind /run/lvm /mnt/run/lvm
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
- Now run the following to access the installed system.
sudo chroot /mnt
- From the chroot, mount a couple more things
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
- Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, replacing the UUID with the UUID of your disk.
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
- Lastly, rebuild some boot files.
update-initramfs -k all -c
update-grub
- Reboot, and the system should ask for a password to decrypt on boot!
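An added example, not part of the original guide: a check to run inside the chroot before rebooting, confirming that the /etc/crypttab entry points at the LUKS UUID that blkid reports (a mismatch leaves the initramfs unable to unlock the disk). The function names luks_uuids and check_crypttab are hypothetical; the note about discard reflects that this option passes TRIM through to the disk.

```bash
# Added example: function names are hypothetical, not part of cryptsetup.

# Read `blkid` output on stdin; print the UUID of each crypto_LUKS device.
# PARTUUID= is skipped because the pattern requires whitespace before UUID=.
luks_uuids() {
    sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*TYPE="crypto_LUKS".*/\1/p'
}

# check_crypttab FILE NAME UUID
# Exit status: 0 = NAME is mapped to UUID=<UUID>
#              1 = NAME is present but points at a different source
#              2 = no entry for NAME, so nothing would unlock the disk
# Prints a note when the discard option is set, because it passes TRIM
# through dm-crypt and lets the drive see which blocks are unused.
check_crypttab() {
    awk -v name="$2" -v want="UUID=$3" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        $1 == name {
            found = 1
            if ($2 != want) { print "MISMATCH: crypttab has " $2; bad = 1 }
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "discard") print "NOTE: discard (TRIM) enabled"
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage inside the chroot (device and mapping names as used in this guide):
#   uuid=$(blkid /dev/nvme0n1p3 | luks_uuids)
#   check_crypttab /etc/crypttab CryptDisk "$uuid"
if [ "$#" -eq 3 ]; then
    check_crypttab "$@"
fi
```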
Enabling System Hibernation
Configuring encrypted Swap
- Identify the Swap partition path by viewing the fstab.
cat /etc/fstab
- The swap path would look something like
/dev/mapper/vg0-swap
- Create a resume file in initramfs so the swap can be loaded at boot.
sudo gedit /etc/initramfs-tools/conf.d/resume
- Add the following line to the file and save it
RESUME=/dev/mapper/vg0-swap
- Add the same value to the GRUB configuration
sudo gedit /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vg0-swap"
- Update kernel image and grub
sudo update-initramfs -u -k all
sudo update-grub
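An added example, not part of the original guide: a check that the three places this section touches (fstab, the initramfs resume file and the GRUB command line) name the same swap device, and that the device sits on top of a dm-crypt mapping so the hibernation image is written encrypted. All function names are hypothetical.

```bash
# Added example: function names are hypothetical; paths are the ones this guide edits.

# Print the swap device named in an fstab file (third field is "swap").
fstab_swap() { awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }' "$1"; }

# Print the value of RESUME= from the initramfs resume file.
initramfs_resume() { sed -n 's/^RESUME=//p' "$1" | head -n 1; }

# Print the resume= argument from GRUB_CMDLINE_LINUX_DEFAULT.
grub_resume() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr ' ' '\n' | sed -n 's/^resume=//p' | head -n 1
}

# resume_consistent FSTAB RESUME_FILE GRUB_DEFAULT
# Succeeds only when all three files name the same, non-empty device.
resume_consistent() {
    s=$(fstab_swap "$1"); r=$(initramfs_resume "$2"); g=$(grub_resume "$3")
    [ -n "$s" ] && [ "$s" = "$r" ] && [ "$r" = "$g" ]
}

# Read `lsblk -s -n -l -o TYPE <device>` on stdin; succeed if an ancestor of
# the device has type "crypt", i.e. the swap volume lives inside dm-crypt.
backed_by_crypt() { awk '$1 == "crypt" { f = 1 } END { exit !f }'; }

# Usage on the installed system:
#   resume_consistent /etc/fstab /etc/initramfs-tools/conf.d/resume /etc/default/grub
#   lsblk -s -n -l -o TYPE /dev/mapper/vg0-swap | backed_by_crypt
```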
Enabling Hibernate
- Test whether hibernate is supported on your system by manually running the hibernate command from the terminal
sudo systemctl hibernate
- If hibernate works as expected, open the following file.
sudo gedit /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
- Add the following snippet to the file and save it.
[Re-enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
[Re-enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
- Restart system after modifying the configuration.
- Install the "Hibernate Status Button" GNOME extension to add a hibernate button to the GUI.
Enabling PM Utils
- Install PM Utils using the following command.
sudo apt install --assume-yes --quiet pm-utils
- Check if your system supports hybrid suspend
sudo pm-is-supported --suspend-hybrid && echo 'Hybrid suspend available' || echo 'Hybrid suspend NOT supported'
- If hybrid suspend is supported, add the following lines to /etc/systemd/logind.conf
HandleSuspendKey=hybrid-sleep
HandleLidSwitch=hybrid-sleep
Nvidia Graphic driver issue
I had issues with suspend and hibernate when using the Nvidia graphics driver (Quadro P1000). If you encounter such issues, add the following line to /etc/default/grub
GRUB_CMDLINE_LINUX="nouveau.blacklist=1 acpi_rev_override=1 acpi_osi=Linux acpiphp.disable=1 nouveau.modeset=0 pcie_aspm=force drm.vblankoffdelay=1 scsi_mod.use_blk_mq=1 nouveau.runpm=0 mem_sleep_default=deep"
Once the configuration is saved then run the following command to refresh grub
sudo update-grub