I am trying to install *20.04.01 on my desktop with full (or almost full as Tj puts it) disk encryption including encrypted swap partition that allows hibernation, and btrfs.
For the last few years I have been using ManualFullSystemEncryption, but even when being careful to make sure I do not turn my system off after an update before the grub fix script automatically runs, these updates, or *Windows updates if dual booting, have broken grub and I have often had to boot to a live USB and run fix-grub.sh.
Yesterday I followed Tj's Full_Disk_Encryption_Howto_2019 but when I got to the point of formatting /dev/mapper/ubuntu--vg-root I searched to see if I needed to do anything extra to use btrfs and ext3. I have since learned that using btrfs is not as simple as just selecting another filesystem from the dropdown.
This next brought me to Willi Mutschler's Ubuntu 20.04 with btrfs-luks full disk encryption including /boot and auto-apt snapshots with Timeshift which is very similar to Tj's, although it includes many extra steps for optimising btrfs and SSD. This is almost perfect for my intention, the only issue is that Willi sets it up so that swap is encrypted with a random password as he does not use hibernation:
export SWAPUUID=$(blkid -s UUID -o value /dev/vda2)
echo "cryptswap UUID=${SWAPUUID} /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=512" >> /etc/crypttab
cat /etc/crypttab
# cryptdata UUID=8e893c0f-4060-49e3-9d96-db6dce7466dc none luks
# cryptswap UUID=9cae34c0-3755-43b1-ac05-2173924fd433 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=512
He references Archlinux's dm-crypt/Swap encryption which I have looked through, and it would seem I need to set up some kind of hook for swap, but I have not been able to make much more sense of it than that.
Last night I found Félix Saparelli's Full-disk encryption with Btrfs, swap, and hibernation. It gives commands for setting up encrypted swap but not the rest of the install, so I had planned today to try and use it in conjunction with Willi's guide to achieve my desired install.
I wanted to post and ask if this is the best approach, or if there is a better way to do this or a more complete guide?
Edit: HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots describes the kind of install I am trying to get to although I am not sure exactly how to change it to work with Ubuntu.
*I would prefer to install Ubuntu Server edition on my desktop and then manually install my desktop environment as I have read this is an even more stripped down version of Ubuntu than the minimal install. Unfortunately when following Tj's guide, which is not intended for Server, after selecting the partitions the installer errored. Willi's guide references files for optimising btrfs in /usr/lib/partman which is not contained in the server installer and the same files do not exist anywhere else and it does not seem I can just install a package for partman.
*I was running a setup with Windows 10 on the same drive encrypted with VeraCrypt. This time I am not dual booting.
Swap File and Hibernation
A computer can have multiple swap partitions and a fresh install of Ubuntu will use them all, even if they are not listed in fstab. In addition, the computer can use a single swap file if it is listed in fstab.
Even Live and Persistent bootable USB devices will use all the swap partition(s) they find.
Ubuntu 20.04 will create a swap file during installation as long as there are no existing swap partitions on the computer.
Once the swap file has been added to fstab, the computer will not use any swap partitions that are not listed in fstab.
Security:
A swap file is part of the root partition and automatically gets encrypted along with it.
To replace a swap partition with a swap file:
Check the swap that is in use:
sudo swapon -s
If swap partition(s) found:
sudo swapoff -a
sudo nano -Bw /etc/fstab
Add "# " before the UUID of the swap partition(s):
# UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX none swap sw 0 0
Add a line for the swapfile:
/swapfile none swap sw 0 0
Create the swap file:
sudo fallocate -l XG /swapfile
Where X is the swapfile size in GB
Reboot:
sudo reboot
To Enable Hibernation:
Increase swap file size to match RAM size up to 8GB per above as required.
Edit /etc/default/grub to add resume location and offset to grub.cfg:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX resume_offset=XXXXX"
Use UUID from root. You can find it with:
findmnt / -o UUID
Use offset from
sudo filefrag -v /swapfile |grep " 0:"| awk '{print $4}'
Update GRUB
sudo update-grub
Test hibernation
sudo systemctl hibernate
A hibernate button can be added using gnome extensions.
NOTES:
swapon: swapfile has holes
to ensure there will be no data loss.

With some help from the reddit user /u/hack1z0 I was able to configure resuming Ubuntu Mate 20.04.1 (which was installed using Willi Mutschler's guide) from hibernation in a swap file with the following steps:
When creating the swap file make it large enough (for my 16GB of RAM Ubuntu recommends 20GB but I stuck with the 2x rule and chose 32GB).
Calculate resume offset according to Hibernation into a swap file on Btrfs
Get UUID of the /swap subvolume from /etc/fstab.
In /etc/default/grub edit the line 'GRUB_CMDLINE_LINUX_DEFAULT=""' to one similar to: 'GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=X resume_offset=X quiet splash"', where the X values are those from the previous steps.
sudo update-grub
For this install at least, contrary to other documentation, no editing of initramfs is necessary, just reboot.
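
An added example, not from either answer above: shell functions that check the result of the steps described, namely that `resume=` names the root UUID, that `resume_offset` is a plain number equal to the swap file's first physical extent, and that the swap file is mode 600. The function names and sample values are constructed for illustration; on Btrfs, pass the offset obtained from the procedure the second answer links instead of the `filefrag` value.

```sh
#!/bin/sh
# Added example; every sample value below is constructed.

# Value of KEY (resume or resume_offset) on a kernel command line, empty if absent.
cmdline_param() {  # usage: cmdline_param "<cmdline>" <key>
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Physical offset of extent 0, read from `filefrag -v` output on stdin.
# Field 4 looks like "34816.."; the dots must not be copied into resume_offset.
first_extent_offset() {
    awk '$1 == "0:" { sub(/\.+$/, "", $4); print $4; exit }'
}

# Compare the configured values with the measured ones.
# Prints one line per problem and returns non-zero if any was found.
check_resume() {  # usage: check_resume "<cmdline>" <root-uuid> <offset>
    rc=0
    resume=$(cmdline_param "$1" resume)
    offset=$(cmdline_param "$1" resume_offset)
    [ "$resume" = "UUID=$2" ] || { echo "resume= is not UUID=$2"; rc=1; }
    case $offset in
        ''|*[!0-9]*) echo "resume_offset missing or not a number: '$offset'"; rc=1 ;;
        "$3") ;;
        *) echo "resume_offset $offset differs from measured $3"; rc=1 ;;
    esac
    return $rc
}

# The swap file holds memory contents: it should be mode 600 (swapon warns otherwise).
swapfile_mode_ok() { [ "$(stat -c %a "$1")" = 600 ]; }

SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 260046848 (63488 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   63487:      67584..     98303:  30720:             last,eof'
SAMPLE_UUID=11111111-2222-3333-4444-555555555555
SAMPLE_CMDLINE="quiet splash resume=UUID=$SAMPLE_UUID resume_offset=34816"

off=$(printf '%s\n' "$SAMPLE_FILEFRAG" | first_extent_offset)
check_resume "$SAMPLE_CMDLINE" "$SAMPLE_UUID" "$off" && echo "sample: consistent"

# On a real system, as root, after rebooting with the new GRUB line:
#   check_resume "$(cat /proc/cmdline)" "$(findmnt -no UUID /)" \
#       "$(filefrag -v /swapfile | first_extent_offset)"
#   swapfile_mode_ok /swapfile || echo "fix with: chmod 600 /swapfile"
```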