Disclaimer: This is for personal reference, read up on the official documentation before you brick something you did not want bricked…
Create disk
sudo dd if=distro.iso of=/dev/sdX status=progress bs=1M
Boot live cd
Set keymap, then prepare disks
(If in virtualbox, make sure to activate EFI mode)
Partition drive
Use lsblk, blkid or fdisk -l to get an overview of the current situation,
then create GPT table and partitions with:
sgdisk --zap-all /dev/sdX
sgdisk --clear \
--new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:0 --typecode=2:8300 --change-name=2:system \
/dev/sdX
Or use cgdisk which is nice and interactive.
Create FAT32 filesystem for ESP on first partition:
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
Cryptsetup
cryptsetup luksFormat /dev/sda2 --key-size 512 --iter-time 2000
cryptsetup luksOpen /dev/sda2 cryptroot
(Could also use /dev/disk/by-partlabel/... instead of /dev/sda2…)
mkfs.ext4 /dev/mapper/cryptroot
(The filesystem goes inside the opened LUKS container; running mkfs on the raw
/dev/disk/by-partlabel/system partition would overwrite the LUKS header you just created.)
(Using ext4 because the Ubuntu installer ubiquity will create subvolumes
for / → @ and /home → @home by default if using btrfs)
Start installation
ubiquity -b
Select language, keymap (de-latin1-nodeadkeys), then for “Installation type”
select “Something else”, use /dev/mapper/cryptroot as / with ext4 and
/dev/sda1 as ESP (EFI system partition).
Then click through the warnings, enter credentials.
Then DO NOT REBOOT, click “Continue testing”
Fix partitions
mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot/efi
mount LABEL=EFI /mnt/boot/efi
chroot
Before you chroot, mount the following filesystems from the live system:
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /dev /mnt/dev
mount --bind /run /mnt/run
mount --bind /dev/pts /mnt/dev/pts
Otherwise the cryptsetup hook from update-initramfs will fail later.
Finally
chroot /mnt
Fix fstab, crypttab
Find out the UUID of the root partition (the LUKS partition, not the mounted filesystem!) with blkid.
Remove the swap entry from /etc/fstab, then create /etc/crypttab, replacing
<UUID from blkid> of course:
#/etc/crypttab
cryptroot UUID=<UUID from blkid> none luks
Check that /dev/mapper/cryptroot is listed correctly in /etc/fstab.
Update initramfs
Regenerate the initramfs:
update-initramfs -k all -u
Should run without any errors; if it complains about not seeing devices you
probably forgot to mount /dev into the chroot target.
Then copy to ESP
cp /boot/initrd.img-* /boot/efi/initrd.img
cp /boot/vmlinuz-* /boot/efi/vmlinuz-generic
Bootloader
Install systemd-boot to the ESP
bootctl --path=/boot/efi install
Then check the EFI vars with efibootmgr -v; in case bootctl failed to install
an entry, use
efibootmgr \
--create \
--disk /dev/nvme0n1 \
--gpt \
--loader "\EFI\systemd\systemd-bootx64.efi" \
--label systemdboot \
--part 1 \
--timeout 0 \
--write-signature \
--verbose
Set boot order if necessary, 0010 would be systemd-boot
efibootmgr -o 0010,0020
Configure bootloader in /boot/efi/loader/loader.conf
default ubuntu
# leave timeout to debug
timeout 2
# leave editor to debug
editor 1
Create boot entries
# /boot/efi/loader/entries/ubuntu.conf
title Ubuntu
initrd /initrd.img
linux /vmlinuz-generic
options ro root=/dev/mapper/cryptroot quiet splash
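Before unmounting and rebooting, the entry file, loader.conf, the kernel and initrd copies on the ESP and /etc/crypttab all have to agree, and a typo in any one of them only shows up at the boot prompt. The script below is an added example (not part of the original notes) that checks those pieces against each other. The ESP directory and the crypttab path are parameters, so inside the chroot it would be run as check_boot_config /boot/efi /etc/crypttab; the make_fixture function builds a constructed directory tree with a constructed UUID so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: consistency check for the systemd-boot + crypttab setup.
# Not part of the original notes; the paths are parameters so that the same
# function runs against the real ESP or against a constructed tree.
set -e

# check_boot_config ESP CRYPTTAB
# Returns 0 when loader.conf, its default entry, the kernel/initrd files on the
# ESP and crypttab agree; prints the first problem found and returns 1 otherwise.
check_boot_config() {
    esp=$1
    crypttab=$2
    loader="$esp/loader/loader.conf"
    [ -f "$loader" ] || { echo "missing $loader"; return 1; }

    # "default ubuntu" must name an existing entries/ubuntu.conf
    default=$(awk '$1=="default"{print $2}' "$loader")
    [ -n "$default" ] || { echo "no default line in $loader"; return 1; }
    entry="$esp/loader/entries/$default.conf"
    [ -f "$entry" ] || { echo "default entry $entry does not exist"; return 1; }

    # linux and initrd paths are relative to the ESP root; both files must exist
    for key in linux initrd; do
        rel=$(awk -v k="$key" '$1==k{print $2}' "$entry")
        [ -n "$rel" ] || { echo "no $key line in $entry"; return 1; }
        [ -f "$esp/$rel" ] || { echo "$key file $esp/$rel missing from ESP"; return 1; }
    done

    # root=/dev/mapper/NAME in the options line must match a NAME line in
    # crypttab, otherwise the initramfs unlocks one mapping and the kernel is
    # told to mount another
    mapper=$(awk '$1=="options"{for(i=2;i<=NF;i++) if($i ~ /^root=\/dev\/mapper\//){sub(/^root=\/dev\/mapper\//,"",$i); print $i}}' "$entry")
    [ -n "$mapper" ] || { echo "no root=/dev/mapper/... in $entry"; return 1; }
    grep -q "^$mapper[[:space:]]" "$crypttab" || { echo "$mapper not defined in $crypttab"; return 1; }
    # the source must be given as UUID=, a bare /dev/sdXN can change between boots
    grep -qE "^$mapper[[:space:]]+UUID=" "$crypttab" || { echo "$mapper in $crypttab does not use UUID="; return 1; }
    echo "boot config OK: entry $default -> $mapper"
}

# make_fixture DIR MAPPER_NAME
# Builds a constructed ESP tree plus crypttab mirroring the files in the notes,
# with the root= mapper name taken from the argument so a mismatch can be shown.
make_fixture() {
    dir=$1
    name=$2
    mkdir -p "$dir/esp/loader/entries"
    : > "$dir/esp/vmlinuz-generic"
    : > "$dir/esp/initrd.img"
    printf 'default ubuntu\ntimeout 2\neditor 1\n' > "$dir/esp/loader/loader.conf"
    printf 'title Ubuntu\ninitrd /initrd.img\nlinux /vmlinuz-generic\noptions ro root=/dev/mapper/%s quiet splash\n' \
        "$name" > "$dir/esp/loader/entries/ubuntu.conf"
    # constructed UUID, not a real one
    printf 'cryptroot UUID=00000000-0000-0000-0000-000000000000 none luks\n' > "$dir/crypttab"
}

# Real use inside the chroot:  check_boot_config /boot/efi /etc/crypttab
```

The mapper-name comparison is the one that bites in practice: the initramfs takes the name from crypttab while the kernel takes root= from the entry, and nothing else ties the two together.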
Finishing
Unmount everything, exit chroot, shutdown, remove USB key, boot, enjoy.
If something is broken, hold down space at boot for systemd-boot
to halt, allowing editing of the kernel commandline by pressing e on
a boot entry.
Outlook
This setup will not install kernel updates by itself; you’ll need a hook that moves the updated initrd and kernel stubs onto the ESP and creates appropriate boot manager entries.
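One way to build that hook, as an added example rather than anything from the original notes: the functions below copy vmlinuz-VERSION and initrd.img-VERSION from /boot to per-version names under ESP/ubuntu/, write a matching loader entry, point the default in loader.conf at it, and remove entries whose kernel package is gone so the 550 MiB ESP does not fill up. The entry point assumes the initramfs-tools convention of running the scripts in /etc/initramfs/post-update.d/ with the kernel version as the first argument after each update-initramfs run (check this against the initramfs-tools documentation of the installed release); the directories are function parameters so the same code can be exercised against a temporary tree.

```shell
#!/bin/sh
# Added example, not part of the original notes: keep the ESP in sync with the
# kernels in /boot. Intended to be installed as e.g.
# /etc/initramfs/post-update.d/zz-systemd-boot (assumption: initramfs-tools
# calls the scripts there with the kernel version as $1 after each
# update-initramfs run).
set -e

# install_kernel_to_esp VERSION BOOTDIR ESP
# Copies BOOTDIR/vmlinuz-VERSION and BOOTDIR/initrd.img-VERSION to ESP/ubuntu/,
# writes ESP/loader/entries/ubuntu-VERSION.conf and makes it the default.
install_kernel_to_esp() {
    version=$1
    bootdir=$2
    esp=$3
    kernel="$bootdir/vmlinuz-$version"
    initrd="$bootdir/initrd.img-$version"
    [ -f "$kernel" ] || { echo "no $kernel" >&2; return 1; }
    [ -f "$initrd" ] || { echo "no $initrd" >&2; return 1; }
    mkdir -p "$esp/ubuntu" "$esp/loader/entries"

    # copy under a temporary name and rename, so an interrupted copy never
    # leaves a truncated file under the name the entry points at
    for f in "vmlinuz-$version" "initrd.img-$version"; do
        cp "$bootdir/$f" "$esp/ubuntu/$f.tmp"
        mv "$esp/ubuntu/$f.tmp" "$esp/ubuntu/$f"
    done

    # same four lines as the manual entry in the notes, but per version
    entry="$esp/loader/entries/ubuntu-$version.conf"
    {
        echo "title Ubuntu $version"
        echo "linux /ubuntu/vmlinuz-$version"
        echo "initrd /ubuntu/initrd.img-$version"
        echo "options ro root=/dev/mapper/cryptroot quiet splash"
    } > "$entry.tmp"
    mv "$entry.tmp" "$entry"

    # make the freshly installed kernel the default entry
    loader="$esp/loader/loader.conf"
    if [ -f "$loader" ] && grep -q '^default ' "$loader"; then
        sed "s|^default .*|default ubuntu-$version|" "$loader" > "$loader.tmp"
        mv "$loader.tmp" "$loader"
    else
        echo "default ubuntu-$version" >> "$loader"
    fi
}

# prune_stale_entries BOOTDIR ESP
# Removes ESP entries and kernel/initrd copies whose kernel no longer exists in
# BOOTDIR (i.e. the package was removed), so old versions do not fill the ESP.
prune_stale_entries() {
    bootdir=$1
    esp=$2
    for conf in "$esp"/loader/entries/ubuntu-*.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        v=${conf##*/ubuntu-}
        v=${v%.conf}
        if [ -e "$bootdir/vmlinuz-$v" ]; then
            continue
        fi
        echo "removing stale ESP entry for $v"
        rm -f "$conf" "$esp/ubuntu/vmlinuz-$v" "$esp/ubuntu/initrd.img-$v"
    done
}

# Hook entry point: only acts when called with a version and a real ESP is
# mounted, so the functions above can also be sourced and tested elsewhere.
if [ $# -ge 1 ] && [ -d /boot/efi/loader ]; then
    install_kernel_to_esp "$1" /boot /boot/efi
    prune_stale_entries /boot /boot/efi
fi
```

Keeping the previous kernel's entry until its package is actually removed gives you a fallback to pick in the systemd-boot menu (hold space at boot) if a new kernel does not come up.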
References