Preservation/kaiten-yaki
1
0
Fork 0
mirror of https://github.com/suikan4github/kaiten-yaki.git synced 2025-12-20 02:21:17 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Going to one-script solution

Browse source
This commit is contained in:
Suikan 2021-06-30 16:26:16 +09:00
parent eb6d3f2fee
commit f1d8ce77ed
10 changed files with 326 additions and 268 deletions
Download patch file Download diff file Expand all files Collapse all files

6
INSTALL-ubuntu.md → archive/INSTALL-ubuntu.md
View file

@ -88,7 +88,7 @@ Host Volume | Target Directory | Comment
C A U T I O N : After the Ubiquity installer starts the file copy, execute 2nd step script quickly before the installer finishes. C A U T I O N : After the Ubiquity installer starts the file copy, execute 2nd step script quickly before the installer finishes.
![Partitioning](image/ubuntu_partitioning.png) ![Partitioning](../image/ubuntu_partitioning.png)
## The second script ## The second script
Run the following script on the shell window, during the Ubiquity runs. Otherwise, Ubiquity fails at the end of installation. If you run this script too early, it terminates with error message. This is safe. Run it again later ( but before Ubiquity finish). Run the following script on the shell window, during the Ubiquity runs. Otherwise, Ubiquity fails at the end of installation. If you run this script too early, it terminates with error message. This is safe. Run it again later ( but before Ubiquity finish).
@ -98,12 +98,12 @@ C A U T I O N : Do not reboot at the end of Ubiquity installation. Click "contin
```bash ```bash
source 2-para-install.sh source 2-para-install.sh
``` ```
![Installing](image/ubuntu_installing.png) ![Installing](../image/ubuntu_installing.png)
## Click continue ## Click continue
As explained above, do not reboot. Click "Continue Testing". If you reboot at here, system will ask you the passphrase twice. As explained above, do not reboot. Click "Continue Testing". If you reboot at here, system will ask you the passphrase twice.
![Installing](image/ubuntu_done.png) ![Installing](../image/ubuntu_done.png)
## The third script ## The third script
After Ubiquity finish the installation, run the 3rd script. This is fully automatic. There is nothing you have to do. After Ubiquity finish the installation, run the 3rd script. This is fully automatic. There is nothing you have to do.

0
ubuntu/1-pre-install.sh → archive/ubuntu/1-pre-install.sh
View file

0
ubuntu/2-para-install.sh → archive/ubuntu/2-para-install.sh
View file

0
ubuntu/3-post-install.sh → archive/ubuntu/3-post-install.sh
View file

0
voidlinux/1-pre-install.sh → archive/voidlinux/1-pre-install.sh
View file

0
voidlinux/2-para-install.sh → archive/voidlinux/2-para-install.sh
View file

0
voidlinux/3-post-install.sh → archive/voidlinux/3-post-install.sh
View file

50
script/config.sh Normal file
View file

@ -0,0 +1,50 @@
# Configuration parameters for YaFDE
# Storage device to install the linux.
export DEV="/dev/sda"
# Whether you want to erase all contents of the storage device or not.
# 1 : Yes, I want to erase all.
# 0 : No, I don't. I want to add to the existing LUKS volume.
export ERASEALL=1
# Logical Volume name for your Linux installation. Keep it unique from other distribution.
export LVROOTNAME="ubuntu"
# Logical volume size of the Linux installation.
# 30% mean, new logical volume will use 30% of the free space in the LVM volume group.
# For example, assume the free space is 100GB, and LVROOTSIZE is 30%FREE. Script will create 30GB logical volume.
export LVROOTSIZE="50%FREE"
# Set the size of EFI partition and swap partition. The unit is Byte. you can use M,G... notation.
export EFISIZE="100M"
export LVSWAPSIZE="8G"
# Usually, these names can be left untouched.
# If you change, keep them consistent through all instllation in your system.
export CRYPTPARTNAME="luks_volume"
export VGNAME="vg1"
export LVSWAPNAME="swap"
# Void Linux only. Ignored in Ubuntu.
# The font size of the void-installer
export XTERMFONTSIZE=11
# !!!!!!!!!!!!!! DO NOT EDIT FOLLOWING LINES. !!!!!!!!!!!!!!
# Detect firmware type. 1 : EFI, 0 : BIOS
if [ -d /sys/firmware/efi ]; then
export ISEFI=1 # Yes, EFI
else
export ISEFI=0 # No, BIOS
fi # is EFI firmaare?
# Set partition number based on the firmware type
if [ ${ISEFI} -eq 1 ] ; then
# EFI firmware
export EFIPARTITION=1
export CRYPTPARTITION=2
else
# BIOS firmware
export CRYPTPARTITION=1
fi # EFI firmware

273
script/yafde-ubuntu.sh Normal file
View file

@ -0,0 +1,273 @@
#!/bin/bash
# Varidate whether script is executed as sourced or not
(return 0 2>/dev/null) && sourced=1 || sourced=0
if [ $sourced -eq 0 ] ; then
cat <<HEREDOC 1>&2
***** ERROR : Must execute as source *****
Execute as following :
source 1-pre-install.sh
Installation terminated.
HEREDOC
exit # use "exit" instead of "return", if not "sourced" execusion
fi # "sourced" validation
# Load configuration parameter
source config.sh
# ----- Confirmations -----
# Distribution check
uname -a | grep ubuntu -i > /dev/null
if [ $? -eq 1 ] ; then # "Ubuntu" is not found in the OS name.
echo "*********************************************************************************"
uname -a
cat <<HEREDOC
*********************************************************************************
This system seems to be not Void Linux, while this script is dediated to the Void Linux.
Are you sure you want to run this script for installation? [Y/N]
HEREDOC
read YESNO
if [ ${YESNO} != "Y" -a ${YESNO} != "y" ] ; then
cat <<HEREDOC 1>&2
Installation terminated.
HEREDOC
return
fi # if YES
fi # "Ubuntu" is not found in the OS name.
# For surre ask the config.sh is edited
echo "Did you edit config.sys? Are you ready to install? [Y/N]"
read YESNO
if [ ${YESNO} != "Y" -a ${YESNO} != "y" ] ; then
cat <<HEREDOC 1>&2
Installation terminated.
HEREDOC
return
fi # if YES
# For sure ask ready to erase.
if [ ${ERASEALL} -eq 1 ] ; then
echo "Are you sure you want to erase entire ${DEV}? [Y/N]"
read YESNO
if [ ${YESNO} != "Y" -a ${YESNO} != "y" ] ; then
cat <<HEREDOC 1>&2
Check config.sh. The variable ERASEALL is ${ERASEALL}.
Installation terminated.
HEREDOC
return
fi # if YES
fi # if erase all
# ----- Set Passphrase -----
# Input passphrase
echo "Type passphrase for the disk encryption."
read -sr PASSPHRASE
export PASSPHRASE
echo "Type passphrase again, to confirm."
read -sr PASSPHRASE_C
# Validate whether both are indentical or not
if [ ${PASSPHRASE} != ${PASSPHRASE_C} ] ; then
cat <<HEREDOC 1>&2
***** ERROR : Passphrase doesn't match *****
Installation terminated.
HEREDOC
return
fi # passphrase validation
# ----- Erase entire disk, create partitions, format them and encrypt the LUKS partition -----
if [ ${ERASEALL} -eq 1 ] ; then
# Assign specified space and rest of disk to the EFI and LUKS partition, respectively.
if [ ${ISEFI} -eq 1 ] ; then
# Zap existing partition table and create new GPT
echo "...Initialize ${DEV} with GPT."
sgdisk --zap-all "${DEV}"
# Create EFI partition and format it
echo "...Create an EFI partition on ${DEV}."
sgdisk --new=${EFIPARTITION}:0:+${EFISIZE} --change-name=${EFIPARTITION}:"EFI System" --typecode=${EFIPARTITION}:ef00 "${DEV}"
echo "...Format the EFI parttion."
mkfs.vfat -F 32 -n EFI-SP "${DEV}${EFIPARTITION}"
# Create Linux partition
echo "...Create a Linux partition on ${DEV}."
sgdisk --new=${CRYPTPARTITION}:0:0 --change-name=${CRYPTPARTITION}:"Linux LUKS" --typecode=${CRYPTPARTITION}:8309 "${DEV}"
# Then print them
sgdisk --print "${DEV}"
else
# Zap existing partition table
echo "...Erase partition table of ${DEV}."
dd if=/dev/zero of=${DEV} bs=512 count=1
# Create MBR and allocate max storage for Linux partition
echo "...Create a Linux partition on ${DEV} with MBR."
sfdisk ${DEV} <<HEREDOC
2M,,L
HEREDOC
fi # if EFI firmware
# Encrypt the partition to install Linux
echo "...Initialize ${DEV}${CRYPTPARTITION} as crypt partition"
printf %s "${PASSPHRASE}" | cryptsetup luksFormat --type=luks1 --key-file - --batch-mode "${DEV}${CRYPTPARTITION}"
fi # if erase all
# ----- Open the LUKS partition -----
# Open the crypt partition.
echo "...Open a crypt partition ${DEV}${CRYPTPARTITION} as \"${CRYPTPARTNAME}\""
printf %s "${PASSPHRASE}" | cryptsetup open -d - "${DEV}${CRYPTPARTITION}" ${CRYPTPARTNAME}
# Check whether successful open. If mapped, it is successful.
if [ ! -e /dev/mapper/${CRYPTPARTNAME} ] ; then
cat <<HEREDOC 1>&2
***** ERROR : Cannot open LUKS volume "${CRYPTPARTNAME}" on ${DEV}${CRYPTPARTITION}. *****
Check passphrase and config.txt
Installation terminated.
HEREDOC
return
fi # if crypt volume is unable to open
# ----- Configure the LVM in LUKS volume -----
# Check volume group ${VGNAME} exist or not
vgdisplay -s ${VGNAME} &> /dev/null
if [ $? -eq 0 ] ; then # is return value 0? ( exist ?)
echo "...Volume group ${VGNAME} already exist. Skipped to create. No problem."
else
echo "...Initialize a physical volume on \"${CRYPTPARTNAME}\""
pvcreate /dev/mapper/${CRYPTPARTNAME}
echo "...And then create Volume group \"${VGNAME}\"."
vgcreate ${VGNAME} /dev/mapper/${CRYPTPARTNAME}
fi # if /dev/volume-groupt not exist
# Create a SWAP Logical Volume on VG, if it doesn't exist
if [ -e /dev/mapper/${VGNAME}-${LVSWAPNAME} ] ; then
echo "...Swap volume already exist. Skipped to create. No problem."
else
echo "...Create logical volume \"${LVSWAPNAME}\" on \"${VGNAME}\"."
lvcreate -L ${LVSWAPSIZE} -n ${LVSWAPNAME} ${VGNAME}
fi # if /dev/mapper/swap volume already exit.
# Create a ROOT Logical Volume on VG.
if [ -e /dev/mapper/${VGNAME}-${LVROOTNAME} ] ; then
cat <<HEREDOC 1>&2
***** ERROR : Logical volume "${VGNAME}-${LVROOTNAME}" already exists. *****
Check LVROOTNAME environment variable in config.txt.
Installation terminated.
HEREDOC
return
else
echo "...Create logical volume \"${LVROOTNAME}\" on \"${VGNAME}\"."
lvcreate -l ${LVROOTSIZE} -n ${LVROOTNAME} ${VGNAME}
fi # if the root volun already exist
# ****************************** Para-install stage ******************************
# Start GUI installer
ubiquity &
# Store the PID of GUI installer
ubiquity_pid=$!
# While the /etc/default/grub in the install target is NOT existing,
# Keep sleeping
while [ ! -e /target/etc/default/grub ]
do
sleep 1 # 1sec.
done
# Perhaps, too neuvous. Wait 1 more sectond to avoid the rece condition.
sleep 1 # 1sec.
# Make target GRUB aware to the crypt partition
echo "...Add GRUB_ENABLE_CRYPTODISK entry to /target/etc/default/grub "
echo "GRUB_ENABLE_CRYPTODISK=y" >> /target/etc/default/grub
# Now, we just wait the end of installation by Ubiquity.
echo "...Waiting the for GUI installer finishes"
wait $ubiquity_pid
echo "...The return value of qubiquity is : " $?
# For surre ask the config.sh is edited
echo "Now, final stage. Do you continue? [Y/N]"
read YESNO
if [ ${YESNO} != "Y" -a ${YESNO} != "y" ] ; then
cat <<HEREDOC 1>&2
Installation terminated.
HEREDOC
return
fi # if YES
# ****************************** Post-install stage ******************************
# Varidate whether script is executed as sourced or not
(return 0 2>/dev/null) && sourced=1 || sourced=0
if [ $sourced -eq 0 ] ; then
cat <<HEREDOC 1>&2
***** ERROR : Must execute as source *****
Execute as following :
source 3-post-install.sh
Installation terminated.
HEREDOC
exit # use "exit" instead of "return", if not "sourced" execusion
fi # "sourced" validation
## Mount the target file system
# /target is created by the Ubiquity installer
echo "...Mount /dev/mapper/${VGNAME}-${LVROOTNAME} on /target."
mount /dev/mapper/${VGNAME}-${LVROOTNAME} /target
# And mount other directories
echo "...Mount all other dirs."
for n in proc sys dev etc/resolv.conf; do mount --rbind "/$n" "/target/$n"; done
# Change root and create the keyfile and ramfs image for Linux kernel.
echo "...Chroot to /target."
cat <<HEREDOC | chroot /target /bin/bash
# Mount the rest of partitions by target /etc/fstab
mount -a
# Set up the kernel hook of encryption
echo "...Install cryptsetup-initramfs package."
apt -qq install -y cryptsetup-initramfs
echo "...Register key file to the ramfs"
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
# Prepare a key file to embed in to the ramfs.
echo "...Prepair key file."
mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
# Add a key to the key file. Use the passphrase in the environment variable.
echo "...Add a key to the key file."
printf %s "${PASSPHRASE}" | cryptsetup luksAddKey -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
# Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
echo "...Add LUKS volume info to /etc/crypttab."
echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# Finally, update the ramfs initial image with the key file.
echo "...Upadte initramfs."
update-initramfs -uk all
# Leave chroot
exit
HEREDOC
# Finishing message
cat <<HEREDOC
****************** Post-install process finished ******************
...Ready to reboot.
HEREDOC

265
ubuntu_en.md
View file

@ -1,265 +0,0 @@
# Ubuntu 20.04LTS installation into the LVM on the LUKS volume.
This is a script corrections to help the installation of Ubuntu with the full disc encryption.
These scripts are designed to achieve followings :
- Using Ubiquity installer, for the ease of install.
- Automatic detection of BIOS/EFI firmware and create MBR/GPT, respectively.
- Install Ubuntu to the LVM/LUKS volume.
- The /boot is located in the same volume with the "/". Thus, /boot is also encrypted.
- The swap volume is located inside encrypted volume.
- Support multi-boot installation. You can reserve certain encrypted volume space for the other distribution.
By the configuration parameters, you can apply these scripts to relatively wide variation of the system.
For example, you can configure the system to accept 2, 3 or 4 distributions in a HDD/SSD, as you want.
Following is the HDD/SSD partitioning plan of these scripts ( In case of BIOS, the disk has MBR and doesn't have EFI partition).
![Partition Diagram](image/partition_diagram_0.png)
The logical volume size of each Linux distribution ($LVROOTSIZE) can be controlled from a configuration parameter.
As depicted the LVM volume group has only one physical volume.
# Test environment
These scripts are tested with following environment.
- VMWare Workstation 15.5.7 ( EFI/BIOS )
- Ubuntu 20.04.2 amd64 desktop
- Ubuntu Mate 20.04.2 amd64 desktop
# Preparation
This script is designed to use by copy-and-past to the shell (bash) window.
So, it is strongly recommended to prepare the net work connection, and show this
page and the shell window side-by-side
If it is impossible, you may want to copy these scripts into a USB memory
and jack into your machine, during the installation, to allow the copy-and-paste.
# Installation
Follow the steps below.
## Preparation of shell window
First of all, promote the shell to root. Almost of the procedure requires root privilege.
```bash
# Promote to the root user
sudo -i
```
## Input Passphrase
Input a passphrase to lock your crypt system. This passphrase is required to type when GRUB starts.
The passphrase is recorded as an environment variable to refuge the type multiple time without error.
```bash
# Setup the passphrase of the crypt partition
read -sr PASSPHRASE
```
## Configuration parameters
This is very critical part of the installation. Following is a set of parameter for the configuration of :
- Install to **/dev/sda**.
- In case of EFI firmware, 100MB is allocated to the EFI partition.
- Rest of the disk space is assigned to the LUKS volume.
- Create and logical volume group named "vg1" in the encrypted volume.
- Create a swap logical volume named "swap" in the "vg1". The size is 8GB.
- Create a logical volume named **"ubuntu"** for / in the "vg1". The size of the **50%** of the entire free space.
If you don't like above configuration, you can modify the following parameter before pasting to the shell window.
Note : EFI/BIOS detection is done automatically.
```bash
# Storage device to install the linux.
export DEV="/dev/sda"
# Whether you want to erase all contents of the storage device or not.
# 1 : Yes, I want to erase all.
# 2 : No, I want to add to the existing Linux distributions.
export ERASEALL=1
# Logical Volume name for your Linux installation. Keep it unique from other distribution.
export LVROOTNAME="ubuntu"
# Logical volume size of the Linux installation.
# 50% mean, new logical volume will use 50% of the free space in the LVM volume group.
export LVROOTSIZE="50%FREE"
# Set the size of EFI partition and swap partition. The unit is Byte. you can use M,G... notation.
export EFISIZE="100M"
export LVSWAPSIZE="8G"
# Usually, these names can be left untouched.
export CRYPTPARTNAME="luks_volume"
export VGNAME="vg1"
export LVSWAPNAME="swap"
# DO NOT touch following lines.
# export to share with entire script
export PASSPHRASE
# Detect firmware type. 1 : EFI, 0 : BIOS
if [ -d /sys/firmware/efi ]; then
export ISEFI=1
else
export ISEFI=0
fi
# Set partition number based on the firmware type
if [ ${ISEFI} -eq 1 ] ; then
# EFI system
export EFIPARTITION=1
export CRYPTPARTITION=2
else
# BIOS system
export CRYPTPARTITION=1
fi
```
## Format the disk and encrypt the LUKS partition
C A U T I O N : Following script destroys all the data in your disk. Make sure you want to destroy all.
If you want to add a new distribution to the existing distribution, following script block must be skipped.
The GPT for EFI, MBR for BIOS is created.
```bash
if [ ${ERASEALL} -eq 1 ] ; then
# Optional : Create partitions for in the physical disk.
# Assign specified space and rest of disk to the EFI and LUKS partition, respectively.
if [ ${ISEFI} -eq 1 ] ; then
# Zap existing partition table and create new GPT
sgdisk --zap-all "${DEV}"
# Create EFI partition and format it
sgdisk --new=${EFIPARTITION}:0:+${EFISIZE} --change-name=${EFIPARTITION}:"EFI System" --typecode=${EFIPARTITION}:ef00 "${DEV}"
mkfs.vfat -F 32 -n EFI-SP "${DEV}${EFIPARTITION}"
# Create Linux partition
sgdisk --new=${CRYPTPARTITION}:0:0 --change-name=${CRYPTPARTITION}:"Linux LUKS" --typecode=${CRYPTPARTITION}:8309 "${DEV}"
# Then print them
sgdisk --print "${DEV}"
else
# Zap existing Mpartition table
dd if=/dev/zero of=${DEV} bs=512 count=1
# Create MBR and allocate max storage for Linux partition
sfdisk ${DEV} <<EOF
2M,,L
EOF
fi
# if EFI firmware
# Encrypt the partition to install Linux
printf %s "${PASSPHRASE}" | cryptsetup luksFormat --type=luks1 --key-file - --batch-mode "${DEV}${CRYPTPARTITION}"
fi
# if erase all
```
## Open the LUKS partition
You have to opened the LUKS partition here for the subsequent tasks.
```bash
# Open the created crypt partition. To be sure, input the passphrase manually
printf %s "${PASSPHRASE}" | cryptsetup open -d - "${DEV}${CRYPTPARTITION}" ${CRYPTPARTNAME}
# Check whether successful open. If mapped, it is successful.
if [ ! -d /dev/mapper/${CRYPTPARTNAME} ] ; then
echo "!!!!!!!!!!!! ERROR : Cannot open LUKS volume ${CRYPTPARTNAME} on ${DEV}${CRYPTPARTITION}. !!!!!!!!!!!!"
echo "Check the passphrase"
# exit 1
fi
```
## Configure the LVM in LUKS volume
The swap volume and / volume is created here, based on the given parameters.
```bash
# Create the Physical Volume and Volume Group.
pvcreate /dev/mapper/${CRYPTPARTNAME}
vgcreate ${VGNAME} /dev/mapper/${CRYPTPARTNAME}
# Create a SWAP Logical Volume on VG, if it doesn't exist
if [ ! -d /dev/mapper/${VGNAME}-${LVSWAPNAME} ] ; then
lvcreate -L ${LVSWAPSIZE} -n ${LVSWAPNAME} ${VGNAME}
else
echo "Swap volume already exist. Skipped to create"
fi
# Create the ROOT Logical Volume on VG.
if [ ! -d /dev/mapper/${VGNAME}-${LVROOTNAME} ] ; then
lvcreate -l ${LVROOTSIZE} -n ${LVROOTNAME} ${VGNAME}
else
echo "!!!!!!!!!!!! ERROR : Logical volume ${VGNAME}-${LVROOTNAME} already exists. !!!!!!!!!!!!"
echo "Check LVROOTNAME environment variable."
# exit 1
fi
```
## Run the Ubiquity installer
Open the Ubiquity installer, configure and run it. Ensure you map the followings correctly.
Host Volume | Target Directory | Comment
-----------------------|------------------|-------------------------------------------------
/dev/sda1 | /boot/efi | EFI system only. Do not map this if BIOS system.
/dev/mapper/vg1-ubuntu | / | Host volume name is up to your configuration.
/dev/mapper/swap | swap | Only the first distribution need to map this.
C A U T I O N : After the Ubiquity installers start the file copying, execute next script quickly before the installer finishes.
![Partitioning](image/ubuntu_partitioning.png)
## Configure the target GRUB during the Ubiquity runs
Run the following script on the shell window, during the Ubiquity runs. Otherwise, Ubiquity fails at the end of installation.
C A U T I O N : Do not reboot at the end of Ubiquity installation. Click "continue".
```bash
# Make target GRUB aware to the crypt partition
echo "GRUB_ENABLE_CRYPTODISK=y" >> /target/etc/default/grub
```
![Installing](image/ubuntu_installing.png)
## Click continue
As noted above, do not reboot. Click "Continue Testing". If you reboot at here, system will ask you the passphrase twice.
![Installing](image/ubuntu_done.png)
## Mount the target file system
After Ubiquity finish the installation, mount the target directories and chroot to that.
```bash
# /target is created by the Ubiquity installer
mount /dev/mapper/${VGNAME}-${LVROOTNAME} /target
# And mount other directories
for n in proc sys dev etc/resolv.conf; do mount --rbind "/$n" "/target/$n"; done
# Change root
chroot /target /bin/bash
```
## Add auto decryption to the target kernel
Now, we are at critical phase. To avoid system asks passphrase twice,
we have to embed the encryption key inside ramfs initial image.
This image with key is stored in the LUKS volume, so, it is in the safe storage.
GRUB decrypt this LUKS volume, upload the ramfs image to the RAM,
and pass it to the booted Linux kernel as memory pointer.
As a result, GRUB can pass the encryption key to Linux kernel as safe way.
```bash
# Mount the rest of partitions by target /etc/fstab
mount -a
# Set up the kernel hook of encryption
apt install -y cryptsetup-initramfs
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
# Prepare a key file to embed in to the ramfs.
mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
chmod u=rx,go-rwx /etc/luks
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
# Add a key to the key file. Use the passphrase in the environment variable.
printf %s "${PASSPHRASE}" | cryptsetup luksAddKey -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
# Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
# Finally, update the ramfs initial image with the key file.
update-initramfs -uk all
```
## Finishing installation
Done!!
You can reboot. Linux and GRUB are installed in a encrypted storage. The system will ask you the passphrase only once when GRUB starts.
```bash
exit
reboot
```
# Acknowledgments
These scripts are based on the script shared on the [myn's diary](https://myn.hatenablog.jp/entry/install-ubuntu-focal-with-lvm-on-luks). That page contains rich information, hint and techniques around the encrypted volume and Ubiquity installer.