Notes on installing Ubuntu 22.04 with LUKS encryption and btrfs.
Based on:
# mount -o subvol=@,ssd,noatime,commit=120,compress=zstd /dev/mapper/nvme0n1p3_crypt /mnt
# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -B $i /mnt$i; done
# chroot /mnt
Mount everything:
root@ubuntu:/# mount -av
/ : ignored
/boot/efi : successfully mounted
/home : successfully mounted
none : ignored
Verify btrfs subvolumes:
root@ubuntu:/# btrfs subvolume list /
# ID 256 gen 32 top level 5 path @
# ID 257 gen 14 top level 5 path @home
root@ubuntu:/# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
root@ubuntu:/# apt install -y --reinstall \
grub-efi-amd64-signed \
linux-generic \
linux-headers-generic \
linux-generic-hwe-22.04 \
linux-headers-generic-hwe-22.04
root@ubuntu:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-5.15.0-43-generic
update-initramfs: Generating /boot/initrd.img-5.15.0-47-generic
root@ubuntu:/# grub-install /dev/nvme0n1
Installing for x86_64-efi platform.
Installation finished. No error reported.
root@ubuntu:/# update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.15.0-47-generic
Found initrd image: /boot/initrd.img-5.15.0-47-generic
Found linux image: /boot/vmlinuz-5.15.0-43-generic
Found initrd image: /boot/initrd.img-5.15.0-43-generic
Adding boot menu entry for UEFI Firmware Settings
done
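Double-check that the initramfs is readable only by root, because it embeds the LUKS keyfile, and that the keyfile was actually included. If the mode shown is anything wider than -rw-------, check that UMASK=0077 is set in /etc/initramfs-tools/initramfs.conf and regenerate the initramfs: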
root@ubuntu:/# stat -L -c "%A %n" /boot/initrd.img
-rw------- /boot/initrd.img
root@ubuntu:/# lsinitramfs /boot/initrd.img | grep "^cryptroot/keyfiles/"
cryptroot/keyfiles/nvme0n1p3_crypt.key
Exit the chroot and reboot:
root@ubuntu:/# exit
root@ubuntu:~# reboot now
You will be prompted to remove the live USB stick. If everything worked, you will then see this prompt:
Enter the passphrase for hd0,gpt3 (some very long number):
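Enter the LUKS passphrase so that grub can unlock the encrypted partition, and then select "ubuntu" from the grub menu.
For reference, the configuration used: the first two lines below are /etc/crypttab, the remaining lines are /etc/fstab. The `discard` option in crypttab (together with `discard=async` in fstab) passes TRIM requests through the LUKS mapping, which reveals which blocks of the encrypted device are unused; leave it out if that matters in your threat model. swap_crypt is keyed from /dev/urandom, so it gets a fresh key on every boot and its contents cannot be read after a reboot (which also rules out hibernation).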
nvme0n1p3_crypt UUID=8e893c0f-4060-49e3-9d96-db6dce7466dc /etc/luks/boot_os.keyfile luks,discard
swap_crypt UUID=9cae34c0-3755-43b1-ac05-2173924fd433 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=512
/dev/mapper/nvme0n1p3_crypt / btrfs defaults,subvol=@,ssd,noatime,commit=120,compress=zstd:1,discard=async 0 0
UUID=D516-20D8 /boot/efi vfat umask=0077 0 1
/dev/mapper/nvme0n1p3_crypt /home btrfs defaults,subvol=@home,ssd,noatime,commit=120,compress=zstd:1,discard=async 0 0
/dev/mapper/swap_crypt none swap sw 0 0