Start the install from the USB stick and choose Try (the live session).
dev=/dev/sdaX
sudo luksformat $dev
guid=`blkid -s UUID -o value $dev`
sudo cryptsetup luksOpen $dev luks-$guid
The installer would not let me do anything with my existing LUKS partition: it said the device was empty and needed a partition table, but would not allow me to create one on it.
When I try to create a fresh encrypted partition with the installer it crashes, so I filed a bug. Labeling a partition as crypto and then assigning /boot to another causes ubiquity to crash. If I set up /boot first it does not crash, but assigning a crypto partition is the only thing one can do with encryption in this installer. The installer will not let me do anything else with a crypto partition. If I cannot set it as / then I can't install to it.
I'm going to try to work around this by setting up LUKS and LVM manually; maybe the installer will let me choose the LVM parts.
cryptsetup luksFormat $dev
cryptsetup luksOpen $dev luks-$guid
pvcreate /dev/mapper/luks-$guid
vgcreate vg_kubuntu /dev/mapper/luks-$guid
lvcreate -n swap -L 8G vg_kubuntu
lvcreate -n root -L 30G vg_kubuntu
When I try manual partitioning again, ubiquity allows me to choose the LVM logical volumes and set /boot without crashing.
I have another system using Heads, which is not EFI based: it flashes a Linux kernel into the system's firmware chip in place of the BIOS. Interestingly, this system does not have the same issues as the EFI system. I can manually create the LUKS partition and the installer allows me to use the free space for the root partition.
From previous attempts at installing, I know that on reboot the EFI system will want me to enroll MOK (machine owner key). I found this page https://ubuntu.com/blog/how-to-sign-things-for-secure-boot and found the files it refers to in /var/lib/shim-signed/mok. Should I save these files somewhere?
# ls /var/lib/shim-signed/mok
MOK.der MOK.priv
I mounted the / and /boot partitions and see that there is an equivalent file in the same location inside the installed OS, and diff tells me they are the same file.
Since I am using an encrypted root partition, these files will not be available to the EFI boot process, so I copy the public key MOK.der to /boot, which is not encrypted.
cp /var/lib/shim-signed/mok/MOK.der /target/boot
Before I restart I need to configure the system to boot and access the encrypted partitions. After mounting all of the partitions I use chroot to enter the system as if it were booted.
cd /target
mount -o bind /dev dev
mount -o bind /proc proc
chroot /target
mount -a
If I need a grub.cfg for Heads to find kernels to boot I might have to generate it manually. It doesn't hurt to run this even if the installer already did it. With the system mounted and the chroot entered as above, I run
grub-mkconfig -o /boot/grub/grub.cfg
I use blkid to get the UUID of the LUKS partition and put it into the crypttab file. Then I recreate the initrd:
guid=`blkid -s UUID -o value $dev`
echo "luks-$guid UUID=$guid none luks" >> /etc/crypttab
update-initramfs -u -k all
I might not need this:
root=`blkid -s UUID -o value /dev/mapper/vg_kubuntu-root`
If I don't tear everything down, the system may hang on restart.
umount -a
umount /proc
exit
cd /
umount /target
# swap must be off before the volume group can be deactivated
swapoff /dev/mapper/vg_kubuntu-swap
lvchange -an vg_kubuntu
cryptsetup luksClose /dev/mapper/luks-$guid
The MOK screens come up. I choose "enroll key from disk", expecting it to ask me to choose a partition, which it does. I notice that this looks like an EFI partition and not what I expected. I go back and choose Enroll MOK. It shows me a key labeled with kubuntu in the details. This looks good. While I type this the system resets itself. WTF? Now it comes up and asks if I want to manage MOK or just boot. I choose manage and see the same options, except Enroll MOK is now Reset MOK.
The first thing I see is "Boot validation failure" in rEFInd. Oh well. Let's see if it boots Kubuntu. I choose it from the rEFInd menu and get the glowing Kubuntu logo... for a while... then dump to initramfs. LUKS booting with LVM seems to do this. I haven't been able to make LVM + LUKS work in the past.
I also realize as I try this that rEFInd will never work with Secure Boot, because the chain of trust goes from the MOK in EFI to the kernel that is booted, and rEFInd isn't in that loop. I might have to go back to using GRUB for the boot loader. Will it securely boot Windows?
I go back to using GRUB directly from EFI booting and I haven't seen any messages about failing Secure Boot, but then again it was never obvious, and some bug reports in the not too distant past highlight that GRUB would blindly boot when Secure Boot failed even if the system was configured to require it. Windows still boots from EFI Secure Boot and seems to boot from GRUB, so maybe it's all good for now....
I still want my Linux install to use LUKS for the root partition. Maybe I'll have to install to an unencrypted partition and copy everything over to the LUKS partition? That really sucks. What is this, 1999? More research unearths multiple bug reports about trying to install Kubuntu with LUKS.
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1510731
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1264813
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1931146
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1904270
Looks like one workaround is to install using the GTK frontend. OK, using my terminal:
sudo apt install ubiquity-frontend-gtk
ubiquity gtk_ui
This is a similar install, but when I choose to use a partition as crypto the prompts allow me to enter the password. This is good, but when it wants to resize the partition, even though I didn't change the size, I decide to cancel. !!! Even though I cancel, it writes the new crypto partition to disk. This wipes out any existing information in the partition in question and is really bad. This bug is years old. !!!
Not only that, but the installer does not show any prompts for Secure Boot. I don't know if that's because it's going to set it up by default or doesn't support it.
I generally disable swap space as I don't want the performance hit and prefer that my system close programs and/or warn me.
If I am going to use swap I prefer to set up an encrypted swap partition. The easy way to do this does not allow suspend to disk, but that probably doesn't work for me with swap disabled anyway.
echo "swap /dev/sda2 /dev/urandom swap,cipher=aes-xts-plain64,size=256" >> /etc/crypttab
echo "/dev/mapper/swap none swap sw 0 0" >> /etc/fstab
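As an added example (not from these notes), the root crypttab entry from the initrd step and the random-key swap entry above as shell functions, plus a lint pass over a crypttab: it flags random-key swap entries whose source is a kernel-assigned name like /dev/sda2, because such names can change between boots and a random-key swap entry will format whatever device it points at. The UUID and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds the two crypttab
# entries used above (root container by UUID, swap keyed from /dev/urandom)
# and lints a crypttab for random-key entries that use kernel-assigned device
# names such as /dev/sda2; those names are not stable across boots, and a
# random-key swap entry will happily format whatever device it points at.

# Root entry: <mapping name> UUID=<luks uuid> none luks
crypttab_luks_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Random-key swap entry; $1 is the source device. Prefer a stable path such as
# /dev/disk/by-partuuid/<partuuid> over /dev/sda2.
crypttab_random_swap_entry() {
    printf 'swap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}

# Read a crypttab file, warn on stderr about each random-key entry whose source
# is a kernel-assigned name, and print the number of such entries on stdout.
crypttab_lint() {
    count=0
    while read -r name source key _opts; do
        case "$name" in ''|\#*) continue ;; esac
        [ "$key" = "/dev/urandom" ] || continue
        case "$source" in
            /dev/sd*|/dev/nvme*|/dev/vd*|/dev/hd*|/dev/mmcblk*)
                echo "warning: entry '$name' keys $source from /dev/urandom; use a stable by-partuuid path" >&2
                count=$((count + 1)) ;;
        esac
    done < "$1"
    echo "$count"
}

# Demonstration on a constructed file (the UUID and device are made up).
demo_crypttab=$(mktemp)
{
    crypttab_luks_entry "luks-11111111-2222-3333-4444-555555555555" \
        "11111111-2222-3333-4444-555555555555"
    crypttab_random_swap_entry "/dev/sda2"
} > "$demo_crypttab"
crypttab_lint "$demo_crypttab"   # warns about the /dev/sda2 swap line, prints 1
rm -f "$demo_crypttab"
```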
Setting up to allow suspend to disk is more complicated and I don't use that feature. Maybe another day.
After the install I use a custom keyscript so that boot will use the Librem Key when available but allow me to type a passphrase if I want to. Then I start configuring the typical OS uses of the Librem Key.