Ubuntu 20.04 btrfs-luks full disk encryption including /boot and auto-APT snapshots with Timeshift
Written Guide: https://mutschler.eu/linux/install-guides/ubuntu-btrfs-20-04/
If you want to support the creation of such videos: https://buymeacoff.ee/mutschler
In this guide I will walk you through the installation procedure to get a Ubuntu or Linux Mint system with the following structure:
– a btrfs-inside-luks partition for the root file system (including /boot) containing a subvolume `@` for `/` and a subvolume `@home` for `/home` with only one passphrase prompt from GRUB
– either an encrypted swap partition or a swapfile
– an unencrypted EFI partition and any other partitions you might want
– the functionality of *zsys* will be equivalently replaced by:
– [Timeshift](https://github.com/teejee2008/timeshift) which will regularly take snapshots of the system
– [timeshift-autosnap-apt](https://github.com/wmutschl/timeshift-autosnap-apt) which will automatically run Timeshift on any APT operation
– [grub-btrfs](https://github.com/Antynea/grub-btrfs) which will automatically create GRUB entries for all your btrfs snapshots
So with this setup you get the same comfort of Ubuntu’s 20.04’s ZFS and zsys initiative, but with much more flexibility and comfort due to the awesome *Timeshift* program.
**Timestamps**
01:24 Step 1: Some preparations, check UEFI mode and open interactive root shell
01:58 Step 2: Prepare partitions manually
03:05 – Create partition table and layout
04:30 – Create luks1 partition
05:50 – Create filesystems for root and EFI System partitions
06:40 Step 3 (optional): Optimize mount options for SSD or NVME drives
09:20 Step 4: Install Ubuntu using the Ubiquity installer without installing the bootloader
11:23 Step 5: Post-Installation steps
11:35 – Mount the btrfs subvolume @ with optimized mount options
12:15 – Create a chroot environment, enter your system and mount everything
13:50 – Add a key-file to type luks passphrase only once (optional, but recommended)
17:05 – Create crypttab
18:35 – Create encrypted swap partition using crypttab
20:25 – Create encrypted swapfile
25:23 – Install the EFI bootloader
28:05 Step 6: Reboot, some checks, and update system
31:40 Automatic snapshots with Timeshift
32:48 Install Timeshift-autosnap-apt
36:14 Check automatic snapshots
37:00 Enable fstrim timer
37:10 Check whether you can boot into the snapshots
———————————————
If you want to support the creation of such videos: https://buymeacoff.ee/mutschler
ubuntu
Silly question. Why not do the partition via the GUI installation? It would be nice to make a video using that option. Thank you.
Please redo this tutorial with Ubuntu 22.04!
I tried this guide for Ubuntu 22.04 and it doesn't work: after typing the passphrase it stops.
Why cant i type the pass phrase
Beyond good!
Need same manual for dual boot with windows 10
Kann ich meinen ganzen drive mit veracrypt encrypten wenn ich linux benutze?ich will das man mich bei jedem boot nach nem passwort fragt
Its work with SecureBoot? I want install KDENeon next to W11, but i still want btrfs unsupported by graphic instalator.
Hello! Firstly thank you for the post and this video.
I've had an issue while following the process. I'm not sure what I'm missing as I think I've followed every step correctly.
When I get to the Ubiquity installer stage, I set the efi & swap partitions no problem, yet when I try to set the mount point on /dev/mapper/cryptdata btrfs to / and click install, I get the following error "Two file systems are assigned the same mount point (/home): Encrypted volume (cryptdata) and Encrypted volume (cryptdata). Please correct this by changing mount points."
I can't figure out what I'm going wrong? Any help would be much appreciated!
Thank you for the video!! Very informative.
I'm a Linux noobie and managed to install on a spare laptop Ubuntu 20.04 with BTRFS-LUKS as per your video and written guide.
I have seen you have made some remarks in regards to the step 2 where you said you can install /boot on a luks1 partition and the root in a separate luks2 partition.
I would like to ask how could that be done. I suppose there's more technical difficulties since there are 2 separate partitions to decrypt. Unless, it's possible to link somehow the luks1 partition to luks2 (and both have same passwords and keys) so when GRUB unlocks /boot it will also open the root partition.
Could you please, if time allows, share the commands and procedure that would be required in order to achieve this?
This does NOT work with Kubuntu 21.04. I had countless tries with my REAL PC installing on an old Harddisk for testing. Ended up with an empty Grub screen all the time. Also tried on Virtualbox where EFI is only supported in "specific cases" not sure if that matters as I did not even try to set it up. I ended up with a different issue "unable to boot from device" or something like that. This is also pretty much the only tutorial I found that does it without the stupid unencryted /boot partition. I like Ubuntu but this atrocious installer, I hate it so much. Its soooo outdated and just crashes when you deal with encysted volumes directly, it even got wore and does not let me create them at all in the installer. It creates this stupid separate boot even though grub able to boot from LUKS for like 6+ years now? Its creates this stupid LVM setup nobody with a home or office PC needs (good for servers apparently), forces a swap partition into it and demands to take over the entire disk if you go with the guided setup for encryption. I mean, how much worse can it get? They are working on a new installer and I saw some hints that at least you can set free space for the guided setup when its ready. I do not even need BTRFS and rollback for my system. I like to use Snapper for my /home. So I am not here for the BTRFS I just want a sane setup with custom partitions, no LVM, no swap, no /boot separation.
I've just found this tutorial. This is absolutely brilliant work!
I have a question about additional functionality. Is it possible to add yubikey token to unencrypt main partition? It would be really cool.
could you do that on arch linux? I could not do it!
Thank you very much for all your help!!! This is a really helpful video to obtain some free privacy for normal users who do not know how to use ubuntu properly, well done!
Following your precisely written instruction and your video everything turned out fine following this video and the instruction you provided in the video.
The only problem was when I rebooted the laptop my UEFI could not find the EFI partition to where access my external SSD where I installed the Ubuntu version. I had to change a file from the UEFI so that UEFI could recognise my firmware, more info at the end of this video: "How To Install Linux On An External Drive Or SSD With Disk Encryption. Without Dual Boot!"
Thanks. very much. You have one new subscriber. Excelente trabajo
That's a great guide, unfortunately none of the guides address a dual boot system with LUKS and btrfs. Can you make one with Debian? How does it differ?
Excellent tutorial! Got it all working for Linux Mint 20 as well. Thanks!
Make ubuntu ZFS.
This is great. You have one new subscriber. The best guide on the net for BTRFS setup with Timeshift is here!
Can you make a simplified guide to install just the minimal server iso with btrfs without encryption, please? So to get the minimal server installation with snapshoting capabilities.