This guide walks you through setting up Ubuntu 20.04 LTS on BTRFS using GPT, UEFI, and LUKS disk encryption with remote SSH unlock.

- [optional] Setup VirtualBox
- Install Ubuntu 20.04 on BTRFS with LUKS
- Configure `/boot` SSH Client with Dropbear for Remote Unlock
- Dynamically add Drive(s) with BTRFS and RAID

This guide was written on macOS and may need to be tailored accordingly for other operating systems like Linux or Windows – contributions are welcome!

I'd recommend following all sections below on a VM for your first time before doing anything on 'real' hardware. You can iterate faster and learn without breaking your own 💩.
## Setup VirtualBox

- Download and install VirtualBox: `brew cask install virtualbox`
- Launch VirtualBox, click `New`:
  - Type: `Linux`
  - Version: `Ubuntu (64-bit)`
- Continue with defaults (which should include a 10 GB virtual drive)
- Select the VM from the step above and click `Settings`
- Navigate to System > Motherboard
- Navigate to Storage and attach `ubuntu-20.04-desktop-amd64.iso` as a new Optical Drive
- Navigate to Network and change to `Bridged Adapter` so the VM will get an IP address from your router instead of your computer
- [optional] Increase VM performance. I put my numbers below but do what suits you:
  - Base Memory: 2048 MB
  - Processor(s): 4
  - Video Memory: 128 MB
- Click `OK` to save settings
- Click `Start`
- [optional] Change VM to Scaled Mode (View > Scaled Mode) for a better viewing experience
By the end of this section you should have a bare bones Ubuntu system up and running on BTRFS with LUKS. It will be a little rough around the edges (like manually running commands locally to get past LUKS and boot) but it's a start!
## Install Ubuntu 20.04 on BTRFS with LUKS

- If you are not going the VirtualBox VM route you will need to build an Ubuntu Live USB from [ubuntu-20.04-desktop-amd64.iso](https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso) and launch into it.
- Start your system, boot to the attached Ubuntu environment, and select `Try Ubuntu` once fully loaded.
- Open `terminal` (Ctrl+Opt+T on macOS) and run `lsblk` to list out your block devices and locate the drive you will be installing Ubuntu on – in my case `sda`.

  Jot down your disk name, if it's different than mine, and use it for the remainder of this guide.
- Launch interactive sudo (`sudo -i`) in terminal – it's time to get our hands dirty 🙌.
- Launch `parted` in interactive sudo to set up a `GPT` partition table and create our three partitions: `EFI`, `/boot`, and `/`.

  ```
  parted /dev/sda
  mklabel gpt
  mkpart primary 1MiB 513MiB
  mkpart primary 513MiB 1026MiB
  mkpart primary 1026MiB 100%
  print
  quit
  ```

  If you don't have a UEFI system (BIOS, like myself) then you will need to do something slightly different for the first partition:

  ```
  parted /dev/sda
  mklabel gpt
  mkpart primary 1MiB 2MiB
  set 1 bios_grub on
  mkpart primary 2MiB 514MiB
  mkpart primary 514MiB 100%
  print
  quit
  ```
- Set up encryption on the `/` partition:

  ```
  cryptsetup luksFormat /dev/sda3
  ```

  Use a strong passphrase: this passphrase is what will be used to unlock your disk encryption in the future – avoid brute force attacks and use something long and strong 😘.

  If you are on VirtualBox, you may get a `Killed` response with a screen flicker; this means luksFormat failed. Try with `--pbkdf-memory 256` to reduce the required memory – not recommended if you can avoid it.
- Open your newly created LUKS `/` partition:

  ```
  cryptsetup luksOpen /dev/sda3 sda3_crypt
  ```

  This will map the decrypted volume to `/dev/mapper/sda3_crypt`, which is effectively your decrypted partition.
- Format the `EFI` partition:

  ```
  mkfs.vfat -F 32 /dev/sda1
  ```

  Skip this if you are going the BIOS route.
- Format the `/boot` partition:

  ```
  mkfs.btrfs /dev/sda2
  ```
- Format the `/` partition:

  ```
  mkfs.btrfs /dev/mapper/sda3_crypt
  ```

  You do not want to use `/dev/sda3` here because it's encrypted.
- Launch the Ubuntu Installer from the interactive sudo terminal:

  ```
  ubiquity
  ```
- Continue with your desired settings until you hit the Installation type page; here you want to select the `Something else` radio button.
- We are now going to tell the Ubuntu installer how/where we want our installation:
  - Select `/dev/sda1`, press the Change button. Choose Use as `EFI System Partition`.

    If this is not an option, you probably didn't boot with UEFI support in VirtualBox or your system doesn't support UEFI 🙁 and you will need to go with the BIOS option as discussed above.
  - Select `/dev/sda2`, press the Change button. Choose Use as `btrfs journaling filesystem`, check `Format`, and use `/boot` as Mount point.
  - Select `/dev/mapper/sda3_crypt`, press the Change button. Choose Use as `btrfs journaling filesystem`, check `Format`, and use `/` as Mount point.
- Click `Install Now`
- Continue through the rest of the installation with your desired settings.
- Remove the Ubuntu Installer USB/CD – it is no longer needed.
- Click `Restart Now`
- Congrats, Ubuntu is installed on BTRFS with LUKS 🎉 – time for a test drive to see if it works 🚙...
- Once booted/restarted you should end up in `initramfs` running `BusyBox` and not Ubuntu. This is because your `/boot` volume could not mount the `/` partition because it's encrypted. Perform the following commands to boot into Ubuntu:
  - Open the encrypted `/` partition: `cryptsetup luksOpen /dev/sda3 sda3_crypt`
  - Scan for the `/` partition filesystem: `btrfs device scan`
  - Exit to continue the booting process: `exit`
- If all's good, you should be loaded to Ubuntu!
- Upgrade packages, install a couple more, and enable ssh access:

  ```
  sudo apt update
  sudo apt upgrade -y
  sudo apt install -y net-tools openssh-server curl vim
  ```
- Add a firewall rule for ssh:

  ```
  sudo ufw allow ssh
  ```
- Set up `authorized_keys` to gate ssh access:

  ```
  mkdir -p ~/.ssh
  echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
  ```

  Read more about ssh-keygen if needed.
- You should now be able to ssh into your Ubuntu system. Use `ifconfig` if you need to find the IP address.
In this section you will be setting up a helper script and an SSH client that is put inside `initramfs`, which is called by GRUB when booting. This will allow you to remotely unlock your encrypted partitions 👏 (via ssh) to ensure a display-less experience even on reboot or power on 🎉.

## Configure /boot SSH Client with Dropbear for Remote Unlock

The following script will set up the ssh client for you, add an `unlock` script, and grant access to the keys in `~/.ssh/authorized_keys`:

```
cd ~
curl https://raw.githubusercontent.com/BinaryShrub/ubuntu-btrfs-luks/master/scripts/btrfs-luks-unlocker.sh -o btrfs-luks-unlocker.sh
sudo chmod +x btrfs-luks-unlocker.sh
./btrfs-luks-unlocker.sh
```

WARNING: You will need to rerun this script whenever `~/.ssh/authorized_keys` changes if you want the new users to have access to connect.

WARNING: You will need to update `btrfs-luks-unlocker.sh` to include all drives that should be unlocked. Look for the line with `cryptsetup luksOpen` and change/duplicate accordingly.

After this script has executed, you should now be able to ssh into the system on reboot. To do this you must explicitly use the `root` user, as in the session below. Do not change user, `root` is what you want.

Once you have successfully connected to initramfs (from the step above) you will have access to the `unlock` script to help make unlocking easier for you:

```
ssh root@192.168.1.109
BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# unlock
Enter passphrase for /dev/sda3:
Scanning for Btrfs filesystems
⏳ Booting ...
# Connection to 192.168.1.109 closed by remote host.
Connection to 192.168.1.109 closed.
```

You can also access this script with `./unlock` to make it easier to remember if you forget 😇:

```
ssh root@192.168.1.109
BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
unlock
#
```
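The first WARNING above means the key list inside initramfs silently falls behind `~/.ssh/authorized_keys` until the script is rerun. The following check is an added example (not part of the guide or the btrfs-luks-unlocker.sh repo) that reports which keys are missing from the initramfs copy; it assumes that copy lives at `/etc/dropbear-initramfs/authorized_keys`, the dropbear-initramfs default, which you can override with `INITRAMFS_KEYS`.

```shell
# Added example, not part of the guide or the btrfs-luks-unlocker.sh repo:
# list keys in ~/.ssh/authorized_keys that the copy inside initramfs (used by
# Dropbear) lacks, i.e. the drift the WARNING above says needs a script rerun.
# ASSUMPTION: the initramfs copy is /etc/dropbear-initramfs/authorized_keys
# (dropbear-initramfs default); set INITRAMFS_KEYS if yours lives elsewhere.
INITRAMFS_KEYS="${INITRAMFS_KEYS:-/etc/dropbear-initramfs/authorized_keys}"

# key_ids FILE: print "keytype base64" per key, sorted and de-duplicated.
# Comments, blank lines and the trailing label are dropped, so re-labelling a
# key is not drift. Lines with a leading options field are not handled.
key_ids() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'NF >= 2 && $1 ~ /^(ssh|ecdsa|sk)-/ { print $1, $2 }' |
        sort -u
}

# missing_in_initramfs USER_FILE INITRAMFS_FILE: print keys present in the
# first file but absent from the second.
missing_in_initramfs() {
    a=$(mktemp) && b=$(mktemp) || return 1
    key_ids "$1" > "$a"
    key_ids "$2" > "$b"
    comm -23 "$a" "$b"   # lines only in the user file
    rm -f "$a" "$b"
}

# check_live: compare the real files; exit status 1 means rerun the script
# before the listed keys can be used to unlock the disk.
check_live() {
    [ -r "$HOME/.ssh/authorized_keys" ] && [ -r "$INITRAMFS_KEYS" ] || return 0
    missing=$(missing_in_initramfs "$HOME/.ssh/authorized_keys" "$INITRAMFS_KEYS")
    if [ -n "$missing" ]; then
        printf 'Keys missing from initramfs, rerun btrfs-luks-unlocker.sh:\n%s\n' "$missing"
        return 1
    fi
    echo "initramfs authorized_keys in sync"
}

# demo: constructed files (not real keys); one key was added to
# ~/.ssh/authorized_keys after the unlocker script last ran.
demo() {
    u=$(mktemp) && i=$(mktemp) || return 1
    printf '# laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE laptop\n' > "$u"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO phone\n' >> "$u"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE laptop\n' > "$i"
    missing_in_initramfs "$u" "$i"
    rm -f "$u" "$i"
}
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it as `sh keycheck.sh --live` on the installed system after every change to `~/.ssh/authorized_keys`; a non-zero exit tells you to rerun `btrfs-luks-unlocker.sh`.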
In this section we will go over adding additional drives and configuring RAID. To start we will add 1 additional drive (for a total of 2) and set up `RAID1`, then we will add a 3rd drive and set up `RAID5`.

## Dynamically add Drive(s) with BTRFS and RAID

The following commands give you some basic information about the btrfs mount points and the devices they include:

- `sudo btrfs fi show`
- `findmnt -nt btrfs`

Steps:

- Be sure your new drive is attached to the system and verify with `lsblk`.

  If you are using VirtualBox you can create another 10 GB drive in settings, under Storage, after shutting down your VM.
- Create partition:

  ```
  sudo parted /dev/sdb
  mklabel gpt
  mkpart primary 1MiB 100%
  print
  quit
  ```
- Format for LUKS:

  ```
  sudo cryptsetup luksFormat /dev/sdb1
  ```

  You can either use the same passphrase as `/dev/sda3` or something different.

  If you are on VirtualBox, you may get a `Killed` response with a screen flicker; this means luksFormat failed. Try with `--pbkdf-memory 256` to reduce the required memory – not recommended if you can avoid it.
- Open your newly created LUKS partition:

  ```
  sudo cryptsetup luksOpen /dev/sdb1 sdb1_crypt
  ```
- Add a line to `btrfs-luks-unlocker.sh` for your new drive so you will be prompted to unlock it on reboot:

  ```
  # Add line to btrfs-luks-unlocker.sh:
  # /sbin/cryptsetup luksOpen /dev/sdb1 sdb1_crypt
  # Execute script to update
  ~/btrfs-luks-unlocker.sh
  ```
- Add the new drive to the `/` BTRFS mount point (the RAID profile itself is applied by the balance in the next step):

  ```
  sudo btrfs device add /dev/mapper/sdb1_crypt /
  ```
- Balance the new drive with the existing:

  For 2 drives use `RAID1`:

  ```
  sudo btrfs balance start -dconvert=raid1 -mconvert=raid1 /
  ```

  For 3+ drives use `RAID5`:

  ```
  sudo btrfs balance start -dconvert=raid5 -mconvert=raid1 /
  ```
- Monitor balance status:

  ```
  sudo btrfs balance status /
  ```

Once completed you should have a nice multi-drive setup 👏.
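`btrfs balance status /` only tells you whether a balance is still running, not whether every chunk ended up with the profile you asked for; an interrupted conversion leaves `single` chunks that still live on one drive. The check below is an added example (not from the guide or its repo) that parses `btrfs filesystem df <mount>` output and confirms the Data and Metadata profiles match the balance commands above; the sample outputs are constructed.

```shell
# Added example, not from the guide or its repo: confirm that the balance
# conversion above actually finished by checking the block-group profiles in
# `btrfs filesystem df <mount>` output and flagging any leftover "single"
# chunks, which would mean some data still lives on only one drive.

# profiles_for DF_OUTPUT KIND: print every profile reported for KIND
# (Data, Metadata or System), one per line, sorted and de-duplicated.
# Input lines look like "Data, RAID1: total=2.00GiB, used=1.20GiB".
profiles_for() {
    printf '%s\n' "$1" |
        awk -F'[,:]' -v kind="$2" '$1 == kind { gsub(/ /, "", $2); print $2 }' |
        sort -u
}

# check_profiles DF_OUTPUT WANT_DATA WANT_META: return 0 only when Data and
# Metadata each report exactly the expected profile (RAID1 RAID1 for two
# drives, RAID5 RAID1 for three or more, matching the balance commands above).
check_profiles() {
    df_out="$1"; status=0
    for kind in Data Metadata; do
        if [ "$kind" = Data ]; then want="$2"; else want="$3"; fi
        seen=$(profiles_for "$df_out" "$kind" | tr '\n' ' ' | sed 's/ *$//')
        if [ "$seen" = "$want" ]; then
            echo "$kind: $seen (ok)"
        else
            echo "$kind: ${seen:-none} (expected $want; balance incomplete or wrong profile)"
            status=1
        fi
    done
    return $status
}

# check_mount MOUNT WANT_DATA WANT_META: run against a live filesystem.
check_mount() {
    check_profiles "$(btrfs filesystem df "$1")" "$2" "$3"
}

# Constructed sample outputs (values invented for this example).
# Finished two-drive conversion: everything is RAID1.
SAMPLE_DONE='Data, RAID1: total=2.00GiB, used=1.20GiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID1: total=256.00MiB, used=98.00MiB
GlobalReserve, single: total=16.00MiB, used=0.00B'

# Interrupted conversion: part of the data is still in "single" chunks.
SAMPLE_PARTIAL='Data, single: total=1.00GiB, used=600.00MiB
Data, RAID1: total=1.00GiB, used=600.00MiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID1: total=256.00MiB, used=98.00MiB
GlobalReserve, single: total=16.00MiB, used=0.00B'
```

On the real system run `check_mount / RAID1 RAID1` (or `check_mount / RAID5 RAID1` after the three-drive balance) as root; if it reports leftover `single` chunks, start the balance again. Note that upstream btrfs documentation still flags the RAID5/6 profiles as unstable, which is why the guide keeps metadata on RAID1.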