2

My objective is to create a bootable Ubuntu system (full installation) on a LUKS-encrypted USB drive. The version I am trying to install is Ubuntu 18.04.

I followed this guide, Full_Disk_Encryption_Howto_2019, step by step without any error/warning. The installation drive I selected is a blank 64GB USB drive. After the installation completed and I followed the post-installation guide, the USB drive won't boot, with an "Operating System Not Found" error.

Next, I tried the default installation, selecting "Erase disk and install Ubuntu", "Encrypt the new installation for security" and "use LVM for the new Ubuntu installation", and accepted all default settings while selecting my USB drive as the destination. After the installation was successful, I tried to boot the USB drive, but the error "System BootOrder not found. Initializing defaults" was displayed and I was dropped to the bare GRUB prompt. I checked the USB disk and I can unlock it by typing my password. The file structure looks normal but somehow I cannot boot it.

Has anyone tried to do the same thing and succeeded? Any help is much appreciated.

albertma789
  • There needs to be an unencrypted boot partition with GRUB. Normally this would be on your local PC but for installation to the USB you might need to create it manually with the "something else" option during installation. Don't forget to add the flags for /boot and / – Nmath Jul 02 '20 at 17:53
  • @Nmath The default installation option with encryption does not encrypt /boot but still it shows "System BootOrder not found". I wonder if there is a way to fix it because apparently it can enter the Grub shell... Just that it cannot load the GRUB menu – albertma789 Jul 03 '20 at 01:33
  • Here are instructions for an Encrypted Full install thumb drive that boots BIOS or UEFI: https://askubuntu.com/questions/1086309/how-to-make-bios-uefi-flash-drive-with-full-disk-encryption . I am working on simplifying the instructions. I have used the "Advanced features" on the Install screen, for full disk encryption, with success. The HDD must be unplugged. The drive will only boot in the mode it was created in (BIOS or UEFI). – C.S.Cameron Jul 03 '20 at 04:45

1 Answer

3

LUKS or Full Encryption Options in the Installer

Install to USB as you would to HDD. It is recommended that you remove the HDD before proceeding, especially in UEFI mode.

They have done a good job of hiding encryption options in the Live installer. It is located on the install page, just above Something else.

Tag "Erase disk and install Ubuntu" and then click "Advanced features". The Advanced Features popup will pop up. Click "Use LVM with the new Ubuntu installation" and then "Encrypt the new Ubuntu installation for security".


Booting in BIOS/UEFI Modes

A USB created with the above method will only boot in the BIOS/UEFI mode it is created in. For a USB that boots in either mode:

  • When Install is complete, open the 20.04 ISO file and copy boot and ESP folders to partition 1.


  • Copy grub.cfg from Partition 5 /boot/grub/ to Partition 1 /boot/grub/ overwriting the existing grub.cfg file.

  • Re-Install GRUB:

    sudo mount /dev/sdb1 /mnt
    sudo grub-install --boot-directory=/mnt/boot /dev/sdb

  • Encrypted Full install USB should now be working in BIOS and UEFI modes.

If you want an encrypted USB drive that will boot in either BIOS or UEFI mode see: How to Make BIOS/UEFI Flash Drive with Full Disk Encryption

C.S.Cameron
  • Ubuntu 20.04 installer shown. Internal drive must be unplugged prior to installation. Drive will only boot in the BIOS/UEFI mode it was installed in. – C.S.Cameron Jul 03 '20 at 05:04
  • Followed your guide and I succeeded! Perfect! – albertma789 Jul 04 '20 at 13:04
  • @albertma789: Thank you for letting us know. – C.S.Cameron Jul 04 '20 at 13:24
  • A follow-up question: USB sticks do wear out and die sometimes. If I use clonezilla to clone the USB to a new USB, will it boot automatically? Or do I need to edit the grub.cfg in the EFI partition and replace all the UUIDs? How about running update-grub after chroot? Is there any documentation on this? I won't want to lose all the work I have done on the USB when I switch to another USB. Thank you. – albertma789 Jul 05 '20 at 06:40
  • @albertma789: Sudodus and I have been discussing Gnome-Disks vs Clonezilla. See: https://askubuntu.com/questions/1255461/create-bootable-backup-system-image/1255581#1255581 The cloned drive will be automatically bootable. I am still using the same Kingston 4GB USB2 drive that I made my first Live install on back in 2007. Newer USB drives, I think, sacrifice durability for space. Some multilayer drives get less than 500 writes, I have read. – C.S.Cameron Jul 05 '20 at 07:13
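
A way to confirm the result of the BIOS/UEFI steps in the answer above, added here as an example and not part of the original answer or its comments: the script checks that the disk carries GRUB boot code in its first sector (BIOS path) and that partition 1 holds a UEFI loader plus the installed system's grub.cfg. The function names are hypothetical, and the `EFI/BOOT/BOOTX64.EFI` loader path (x86-64 firmware) and the `/casper/` marker for the ISO's own grub.cfg are assumptions not stated on the page.

```bash
#!/usr/bin/env bash
# Added example (not from the answer): confirm a stick built with the steps
# above carries both boot paths. Run as root against the real device, e.g.
#   mount /dev/sdb1 /mnt && check_dual_boot /dev/sdb /mnt

# BIOS path: grub-install writes boot code into sector 0 of the disk, which
# must also end with the 55 aa boot signature.
check_bios_mbr() {
    local disk=$1 sig code
    sig=$(dd if="$disk" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "BIOS: no 55aa signature in sector 0"; return 1; }
    # Count non-zero bytes in the 440-byte boot code area.
    code=$(dd if="$disk" bs=440 count=1 2>/dev/null | tr -d '\0' | wc -c)
    [ "$code" -gt 0 ] || { echo "BIOS: MBR boot code area is empty"; return 1; }
    echo "BIOS: boot code and signature present"
}

# UEFI path: firmware looks for the removable-media loader on partition 1.
# Assumption: x86-64 firmware, so the loader is EFI/BOOT/BOOTX64.EFI.
check_uefi_files() {
    local p1=$1 cfg="$1/boot/grub/grub.cfg" loader
    # FAT is case-insensitive, so match the path without regard to case.
    loader=$(find "$p1" -maxdepth 3 -type f -ipath '*/efi/boot/bootx64.efi' | head -n 1)
    [ -n "$loader" ] || { echo "UEFI: EFI/BOOT/BOOTX64.EFI missing"; return 1; }
    [ -s "$cfg" ] || { echo "UEFI: boot/grub/grub.cfg missing or empty"; return 1; }
    # Assumption: the ISO's own grub.cfg boots the live session from /casper,
    # so a reference to it means the installed system's grub.cfg was not copied.
    if grep -q '/casper/' "$cfg"; then
        echo "UEFI: grub.cfg is still the live ISO menu"; return 1
    fi
    echo "UEFI: loader and installed-system grub.cfg present"
}

check_dual_boot() {
    local rc=0
    check_bios_mbr "$1" || rc=1
    check_uefi_files "$2" || rc=1
    return "$rc"
}
```

A failure on either half matches the symptom described on this page: the stick boots only in the mode whose check passes.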