Start the install from the USB stick and choose "Try".
sudo luksformat /dev/sdaX
guid=`sudo blkid -s UUID -o value /dev/sdaX`
sudo cryptsetup luksOpen /dev/sdaX luks-$guid
The installer would not let me do much with my existing LUKS partition. Unlike the previous version, which would not let me do anything with it, this one at least allows me to treat it as a hard drive if I decrypt it first. Unfortunately, I don't want to treat a LUKS container as a hard drive with a partition table; I want to treat it as a block device with data directly on it. OK, I do it the default way to see what happens.
It doesn't crash this time, so there is that. Previously, I used LVM on the LUKS partition to work around this issue. Neither is a desirable solution.
From previous attempts at installing, I know that on reboot the EFI system will want me to enroll a MOK (Machine Owner Key). I found this page https://ubuntu.com/blog/how-to-sign-things-for-secure-boot and found the files it refers to in /var/lib/shim-signed/mok. Should I save these files somewhere?
# ls /var/lib/shim-signed/mok
MOK.der MOK.priv
I mounted the / and /boot partitions and see that there is an equivalent file in the same location inside the installed OS; diff tells me they are the same file.
Since I am using an encrypted root partition, these files will not be available to the EFI boot process, so I copy the public key MOK.der to /boot, which is not encrypted.
cp /var/lib/shim-signed/mok/MOK.der /target/boot
Before I restart I need to configure the system to boot and access the encrypted partitions. I first mount the encrypted partition and then bind mount the existing system partitions as needed (just after install they already seem to be there). Next, I use chroot to enter the system and mount the rest of the partitions.
cd /target
mount -o bind /dev dev
mount -o bind /proc proc
chroot /target
mount -a
I use blkid to get the GUID (the UUID blkid reports) for the LUKS partition and put it into the crypttab file. Then I recreate the initrd.
guid=`blkid -s UUID -o value /dev/sdaX`
echo "luks-$guid UUID=$guid none luks" >> /etc/crypttab
update-initramfs -u -k all
If I don't tear everything down, the system may hang on restart.
umount -a
umount /proc
exit
cd /
umount /target/dev   # if the bind mount is still there
umount /target
swapoff /dev/mapper/vg_kubuntu-swap   # swap must be off before the VG can be deactivated
lvchange -an vg_kubuntu
cryptsetup luksClose /dev/mapper/luks-$guid
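The copy-MOK.der, bind mount, chroot, crypttab and teardown steps above, collected into one script as an added example (this is not from the original notes). It assumes the installer left the new system at /target, that the mapper name follows the luks-<UUID> convention used here, and that it runs as root from the live environment; the crypttab helpers are kept as separate functions so they can be checked on a scratch file before touching the real one.

```shell
#!/bin/sh
# Added example, not from the original notes: post-install steps for an
# encrypted root, split into checkable functions.
# Assumptions: new system mounted at /target (override with TARGET), LUKS
# device path given as $1, mapper name luks-<UUID>, run as root.
set -eu

TARGET="${TARGET:-/target}"

# Accept only something shaped like a blkid UUID (8-4-4-4-12 hex), so a typo
# or an empty blkid result never ends up in crypttab.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The crypttab line the notes use: <mapper name> UUID=<uuid> none luks
crypttab_entry() {
    printf 'luks-%s UUID=%s none luks\n' "$1" "$1"
}

# True if the crypttab file already references this UUID under any name.
crypttab_has_uuid() {
    [ -f "$1" ] && grep -Eq "UUID=$2"'([[:space:]]|$)' "$1"
}

# Append the entry only if it is valid and not already present, so running the
# procedure twice does not leave duplicate lines (a plain >> would).
add_crypttab_entry() {
    is_uuid "$2" || { printf "refusing malformed UUID: '%s'\n" "$2" >&2; return 1; }
    if crypttab_has_uuid "$1" "$2"; then
        return 0
    fi
    crypttab_entry "$2" >> "$1"
}

# The whole procedure from the notes with the checks above. Only invoked when
# RUN_POST_INSTALL=1 so the helpers can be sourced and tested on their own.
post_install_crypt() {
    dev="$1"
    uuid="$(blkid -s UUID -o value "$dev")"
    is_uuid "$uuid" || { printf 'no LUKS UUID found for %s\n' "$dev" >&2; return 1; }
    # The MOK public key must sit on the unencrypted /boot for the EFI side.
    cp /var/lib/shim-signed/mok/MOK.der "$TARGET/boot/"
    mount -o bind /dev "$TARGET/dev"
    mount -o bind /proc "$TARGET/proc"
    mount -o bind /sys "$TARGET/sys"
    add_crypttab_entry "$TARGET/etc/crypttab" "$uuid"
    chroot "$TARGET" sh -c 'mount -a && update-initramfs -u -k all'
    # Tear down in reverse order so the LUKS device can be closed before reboot.
    umount -R "$TARGET"
    swapoff -a
    if [ -n "${VG:-}" ]; then
        vgchange -an "$VG"
    fi
    cryptsetup luksClose "luks-$uuid"
}

if [ "${RUN_POST_INSTALL:-0}" = 1 ]; then
    post_install_crypt "${1:?usage: RUN_POST_INSTALL=1 VG=vg_kubuntu $0 /dev/sdXN}"
fi
```

Run it as RUN_POST_INSTALL=1 VG=vg_kubuntu sh post-install.sh /dev/sdaX; without the variable it only defines the functions. The UUID check and the duplicate check are what the bare echo >> /etc/crypttab lacks: a second run of that command appends a second identical line, and an empty blkid result would write "luks- UUID= none luks", which the initramfs cannot use.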
The MOK screens come up. I choose "Enroll key" and continue.
It fails to boot, probably because it cannot find the LUKS partitions. I am going to try using the Ubuntu installer...
sudo apt -y install ubiquity-frontend-gtk
ubiquity gtk_ui -d
The new installer won't go past the "Updates and other software" screen. After filling it out and choosing Next, the installer just sits; after 10 minutes I kill it.
I tried a few different options, including the -d flag so I can keep an eye on what's happening.
It seems to work with the minimal-only option, choosing nothing else.
Next try: minimal with third-party software but no secure boot. Not working.
Next try: minimal, third-party software, secure boot, no debug.
I use the defaults for setting up crypto. It takes a long time, but eventually the crypto partition shows up and I can choose to format it as the root partition. I also set the /boot partition.
I let the installer create a 'recovery key', but it fails to add it to the LUKS partition. I don't need it anyway.
After restart the UEFI screens ask about enrolling keys, but I couldn't find the ones from the KDE installer, and then when I run the install again it seems that choosing secure boot never finishes, so maybe I didn't choose it last time.
From here I have a booting system. Secure boot seems to be screwed up, but I'm never sure it's working anyway. The next step is to get the smartcard added to the root partition. I plug it in and import my public GPG key, which I have to copy manually from somewhere else since I cannot find a way to extract it from the smartcard.
sudo apt install scdaemon opensc
gpg --import pubkey.asc
I also need to set the default recipient:
echo "default-recipient jtmoree@gmail.com" >> ~/.gnupg/gpg.conf
Next I try to use the cryptographic tools as a test:
gpg --card-status
gpg --list-keys
sudo apt install opensc
pkcs15-tool -D
These all work as long as I have installed both opensc and scdaemon. Otherwise, when I try to use the command I really need, it fails:
gpg --batch --armor --default-recipient-self --trust-model=always --yes --encrypt -o file.asc file
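A wrapper around that encrypt command, added here as an example (not from the original notes), that checks the smartcard stack before calling gpg so a missing scdaemon or opensc gives a clear message instead of the opaque failure described above. It assumes Debian/Ubuntu packaging (dpkg-query) and that default-recipient is set in ~/.gnupg/gpg.conf as in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: preflight checks for the
# smartcard stack, then the same gpg invocation the notes use.
# Assumptions: dpkg-based system, default-recipient set in gpg.conf.
set -eu

# Print the names from the argument list that are not on PATH, one per line.
missing_cmds() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
    done
}

# Print the Debian packages from the argument list that are not installed.
missing_pkgs() {
    for p in "$@"; do
        dpkg-query -W -f '${Status}\n' "$p" 2>/dev/null | grep -q 'install ok installed' \
            || printf '%s\n' "$p"
    done
}

# Read the default-recipient value from a gpg.conf file (first match only).
default_recipient() {
    sed -n 's/^[[:space:]]*default-recipient[[:space:]]\{1,\}//p' "$1" 2>/dev/null | head -n 1
}

# Run the checks, then encrypt $1 to $2 (default: $1.asc) exactly as the notes do.
encrypt_with_card() {
    in="$1"; out="${2:-$1.asc}"
    missing="$(missing_pkgs scdaemon opensc)"
    [ -z "$missing" ] || { printf 'install first: %s\n' "$missing" >&2; return 1; }
    missing="$(missing_cmds gpg pkcs15-tool)"
    [ -z "$missing" ] || { printf 'not on PATH: %s\n' "$missing" >&2; return 1; }
    gpg --card-status >/dev/null 2>&1 \
        || { echo 'smartcard not detected (plugged in? scdaemon running?)' >&2; return 1; }
    [ -n "$(default_recipient "$HOME/.gnupg/gpg.conf")" ] \
        || { echo 'no default-recipient in gpg.conf' >&2; return 1; }
    gpg --batch --armor --default-recipient-self --trust-model=always --yes \
        --encrypt -o "$out" "$in"
}

if [ "${RUN_ENCRYPT:-0}" = 1 ]; then
    encrypt_with_card "${1:?usage: RUN_ENCRYPT=1 $0 file [out.asc]}" "${2:-}"
fi
```

Run it as RUN_ENCRYPT=1 sh encrypt.sh file; without the variable it only defines the functions. Each check names the thing that is missing, which is the information the bare gpg failure did not give.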
After the install I add smartcard integration to the boot process. Then I start configuring the typical OS uses of the Librem Key.
The password field on the SDDM login screen shows dots as I type the password; well, I can't see the dots unless I highlight the text in the field. They also show up when submitting the data because the screen 'grays out'. This is a minor annoying issue. It happens with all the SDDM themes I have tried.
I tried changing font colors, but SDDM themes are complicated. I found a bug report for this in Arch Linux.