im installing kubuntu 22.10 on my Librem 15v3 from Purism. I upgraded a previous version but some things did not work and I want to rework the disk layout.
After booting the installer from USB I delete and rework the partitions. For this setup I will use a 2G unencrypted /boot and a 100G encrypted volume. Heads will protect the /boot partition (or at least watch it for unauthorized changes).
Sometimes i cannot install with the kubuntu installer since I use encrypted partitions and it crashes. the installer will not allow me to actually use encrypted partitions until I set them up beforehand and mount them before starting the install. that works but only if I use lvm on the opened luks device. when I try to use the LUKS device the installer forces creating a partition on it. which is not what I want. it's already a partition on another device.
i install with a separate /boot partition that is unencrypted. to recap:
boot kubuntu installer into TRY
manually partition drive
create luks device
open luks device
create lvm on luks device
add swap partition for suspend to disk that is slightly larger than RAM in system
start installer
choose smaller /boot
install / on opened lvm device from luks partition
sudo su
swap=34G
dev=/dev/nvme0n1p5
guid=`blkid -s UUID -o value $dev`
cryptsetup luksFormat $dev
cryptsetup luksOpen $dev luks-$guid
pvcreate /dev/mapper/luks-$guid
vgcreate vg_kubuntu /dev/mapper/luks-$guid
lvcreate -n swap -L $swap vg_kubuntu
lvcreate -n lv_root -l 100%FREE vg_kubuntu
ubiquity
next I run the post install setup so that the encrypted root is handled property in initrd
mount /dev/mapper/vg_kubuntu-lv_root /target
mount -o bind /dev /target/dev
mount -o bind /sys /target/sys
mount -o bind /proc /target/proc
chroot /target
mount -a
dev=/dev/sda2
guid=`blkid -s UUID -o value $dev`
echo "luks-$guid UUID=$guid none luks" >> /etc/crypttab
update-initramfs -u -k all
To reduce the chances of running into the out of memory error I implement the GRUB_GFXMODE suggestion.
echo "GRUB_GFXMODE=1280x1024" >> /etc/default/grub
update-grub
Now I unmount everything
umount -a
exit
umount /target/dev
umount /target/proc
umount /target/sys
umount /target
I reboot and reconfigure heads for sda1 to be the default. I also have to sign the files with the smartcard.
after install i setup the boot process to use my smartcard for the encryption
and I setup the smartcard for logins, sudo, etc
I fight kwallet every install. it gets the password from my local account and when the account password changes kwallet starts prompting for the old password. so annoying. The latest wallet manager allows me to set the password for it to empty which works for me because my system is encrypted already. I can now store passwords in the wallet without having to manage a password for the wallet.
If there are boot problems I use this method to 'rescue' the system.
dev=/dev/sda2
mkdir /target
guid=`blkid -s UUID -o value $dev`
cryptsetup luksOpen $dev luks-$guid
mount /dev/mapper/vg_kubuntu-lv_root /target
mount -o bind /proc /target/proc
mount -o bind /dev /target/dev
mount -o bind /sys /target/sys
chroot /target
mount -a
update-initramfs -u -k all
update-grub
umount -a
umount /boot
exit
umount /target/proc
umount /target/dev
umount /target/sys
umount /target
cryptsetup luksClose /dev/mapper/luks-$guid