Dual booting Windows 11 and Ubuntu 22.04 LTS with LUKS and TPM2 encryption

Make sure to think about data backup before you proceed with the below guide.

Tested on HP Elitebook 840 G6 in April 2024.

Bootable USB disk preparation

There are various options for creating a bootable USB drive.

USB Flash Drive

Pros:
- Small form factor
- Potentially low cost
Cons:
- Slow I/O, particularly write speeds (5-10 MB/s)
- Faster models can be expensive
- Limited lifespan

M.2 SSD + External Enclosure

Pros:
- Fast I/O (200 - 500 MB/s)
- Second-hand SSDs are affordable
- Longer lifespan compared to USB drives, with SMART monitoring
Cons:
- External enclosure cost may increase overall expenditure compared to a simple USB drive.

Several hints to choose good enclosure:

Enclosure with USB type C will be faster
Often you need a screwdriver to change the SSD. Tool free enclosures are better and usually costs the same
Realtek RTL9210B is good and reliable chipset for enclosure

Recommended external enclosure: Sabrent EC-SNVE

Any inexpensive M.2 SSD would suffice to create bootable USB disk

Bootable USB disk creation

Numerous programs can create a bootable USB from an ISO file:

Rufus - Windows only
balenaEtcher
Windows Media Creation Tool

A significant issue with these tools is that each time a new ISO is required, the USB must be reformatted. An alternative solution is Ventoy:

USB is formatted only once
New ISOs can be simply copied to the disk
The required ISO is selected during boot time
Additionally, it may be helpful to create an extra small reserved space partition to easily mount it and store something from the live boot systems.

Steps to create bootable installation USB stick

Download Ventoy
Create bootable USB drive
Download Winsows 11 / Ubuntu and other ISOs
Copy ISO to the Ventoy USB disk
Now you can reboot, select USB as boot device and choose what ISO to boot

Install Windows 11

Key steps of the installation process:

Disabling secure boot may be helpful.
Boot from the USB disk.
During installation, select Custom installation.
Create one partition:
- Keep some free space to install Ubuntu later.
- Windows will propose creating two extra partitions for EFI and recovery. There's no need to overcomplicate your life by creating partitions manually.
Once installation is completed, it's good to install all updates.
Initially, Bitlocker is disabled, and it's advisable to enable it after Linux installation. Otherwise, a recovery key for Bitlocker will be required.

Install Ubuntu

The current guide doesn't encrypt the boot disk. It is possible to encrypt both / (root) and /boot partitions. Following guide has steps to encrypt everything except EFI, but there are limitations:

Grub2 supports only LUKS1 with PBKDF2 encryption vs Argon2 and other features of LUKS2.
There is a 5-10 seconds decryption delay after entering the password.
The password is requested before the Grub menu is displayed, so it is asked even if you are going to boot into Windows. As a workaround, it is possible to select another bootloader via BIOS boot menu. But when Windows is loaded via a different flow than previously, Bitlocker will request the key.

Install Ubuntu 22.04 alongside Windows 11

A separate /boot partition is needed, and it should not be encrypted. Root, users' /home, and other partitions can be encrypted.

Boot from the USB disk.
Select Try or Install Ubuntu in Grub.
Select Try Ubuntu. Do not run the installation immediately. It is required to prepare the encrypted disk first.
Use GParted or Disks to create partitions:
- /boot - 768 MB size ext4
- / - root partition with LUKS encryption. Set a simple password first. Once all setup is done and everything is working, you will set a strong password. Add LVM or plain ext4 inside the LUKS.
- swap can be stored as a file in the encrypted root partition.

Review what you have created.

lsblk -f

lsblk disk partitions example

nvme0n1                                                                                             
├─nvme0n1p1
│          vfat   FAT32                         8607-661C                                           
├─nvme0n1p2
│                                                                                                   
├─nvme0n1p3         -- windows
│          BitLoc 2                                                                                 
├─nvme0n1p4         -- windows recovery
│          ntfs                                 A6EC4E8EEC4E5927                                    
├─nvme0n1p5
│          ext4   1.0   /boot                   58cd424f-63fa-402a-85aa-d26db9485937                
└─nvme0n1p6
          crypto 2                             aae8e0e4-786b-4ac3-b69a-10b2874dc49e                
  └─luks-aae8e0e4-786b-4ac3-b69a-10b2874dc49e
          ext4   1.0   rootfs                  c49fbe2b-6d73-400e-9962-ca5a8138ad42

Connect to WiFi.
Run the Ubuntu installation and select:
- Normal installation
- Install updates during installation
- Install 3rd-party drivers
Select the "custom installation process".
All partitions were previously created; it is required to choose them:
- Select /boot partition with mount point /boot.
- Select /dev/mapper/luks-aae8e0e4-786b-4ac3-b69a-10b2874dc49e for the root partition and specify / as the mount point.
- Double-check the device for bootloader installation.
Proceed with the installation. Do not reboot at the end.

Mount the root & boot partitions and chroot into it:

sudo mount /dev/mapper/luks-aae8e0e4-786b-4ac3-b69a-10b2874dc49e /mnt
sudo mount /dev/nvme0n1p5 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

Find the UUID of the LUKS partition via lsblk -f or sudo blkid /dev/nvme0n1p6.

Create /etc/crypttab. Provide the UUID of the LUKS partition.

sudo nano /etc/crypttab

Content of the /etc/crypttab:

# <target name> <source device> <key file> <options>
# options used:
#     luks    - specifies that this is a LUKS encrypted device
#     discard - allows SSD TRIM command, WARNING: potential security risk (more: "man crypttab")
rootfs   UUID=aae8e0e4-786b-4ac3-b69a-10b2874dc49e   none   luks,discard

Verify the proper mapping between /etc/crypttab and /etc/fstab and update /dev/mapper/rootfs if needed:

nano /etc/fstab

/etc/fstab example

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/rootfs    /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p5 during installation
UUID=f9365fe8-7b8a-41c4-9111-a8e250f73eca /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=8607-661C  /boot/efi       vfat    umask=0077      0       1

Update initramfs. Make sure there are no errors otherwise your setup may fail to boot. In case of errors review the configuration files. You might have some typo.
```
sudo update-initramfs -k all -c
```
Reboot if you had no errors on previous step.

Finish Encryption Setup for Ubuntu Partition

Check which keyslots are in use:

sudo systemd-cryptenroll /dev/nvme0n1p6

Add extra passwords if needed:

sudo systemd-cryptenroll /dev/nvme0n1p6 --password

Create a recovery key:

sudo systemd-cryptenroll --recovery-key /dev/nvme0n1p6

Test passwords and recovery keys:

sudo cryptsetup --verbose open --test-passphrase /dev/nvme0n1p6

Reboot and verify that the new key was enrolled.

Remove all unnecessary passwords:

systemd-cryptenroll /dev/nvme0n1p6 --wipe-slot=<slot number>

TPM2 Security Issues

TPM2 may introduce additional security issues. See the links below:

TPM2 Support in Ubuntu

The main challenge with auto-decrypting via TPM password is that Ubuntu 22.04 uses an older dracut version, 054-1. This version doesn't have tpm2-tss module. To implement a simple workaround solution, a few additional modules files should be utilized from a more recent dracut build.

Install the required packages:

sudo apt install tpm2-tools tss2 dracut libcurl4 libjson-c5 libtss2-fapi1 libtss2-tcti-cmd0 libtss2-tcti-device0 libtss2-tcti-mssim0 libtss2-tcti-swtpm0

Ensure TPM2 is available:

systemd-cryptenroll --tpm2-device=list

Sample output when everything is okay:

PATH        DEVICE     DRIVER 
/dev/tpmrm0 IFX0785:00 tpm_tis

Sample output in case of missing TPM2 or errors:
```
TPM2 support is not installed.
```

Enroll in both the TPM and the LUKS volume:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+11+14 /dev/nvme0n1p6

Add TPM2 modules from a recent dracut build.
- Download dracut-059 release and unzip or find the required module files on dracut github
- Below folders should be copied and added into the local folder /usr/lib/dracut/modules.d/
```
01systemd-sysusers
01systemd-udevd
91tpm2-tss
```

Add the tpm2-tss module dependency into dracut:

echo "add_dracutmodules+=\" tpm2-tss \"" | sudo tee /etc/dracut.conf.d/tpm2.conf
add_dracutmodules+=" tpm2-tss "

Add tpm2-device=auto into /etc/crypttab according to the example:

rootfs   UUID=aae8e0e4-786b-4ac3-b69a-10b2874dc49e   none   tpm2-device=auto,luks,discard

Build the initramfs image using dracut:

sudo dracut -f

Ensure there are no errors:

dracut: dracut module 'tpm2-tss' cannot be found or installed.

Check the resulting images. In the example below, image 26 is old and unchanged when image 27 is built with dracut. It should be safe to boot with the older kernel in case of any issues with the TPM2 setup.

ls -la /boot

/boot images example

drwx------  4 root root      1024 Jan  1  1970 efi
drwxr-xr-x  5 root root      4096 Apr 13 19:43 grub
lrwxrwxrwx  1 root root        27 Apr 13 18:41 initrd.img -> initrd.img-6.5.0-27-generic
-rw-r--r--  1 root root 129857748 Apr  2 19:49 initrd.img-6.5.0-26-generic
-rw-r--r--  1 root root         0 Apr 13 19:06 initrd.img-6.5.0-26-generic.new
-rw-r--r--  1 root root  23802175 Apr 13 21:32 initrd.img-6.5.0-27-generic
lrwxrwxrwx  1 root root        27 Apr 13 18:39 initrd.img.old -> initrd.img-6.5.0-26-generic

TPM2 Setup Troubleshooting

If you encounter issues during reboot, you may attempt to boot using an older kernel:
- Once booted, you can remove dracut:
```
sudo apt remove dracut
```
- Rebuild the initramfs:
```
sudo update-initramfs -k all -c
```
- Update configurations and try again:
```
sudo dracut -f
```

In the worst case, boot from the live USB and mount the encrypted partition:

sudo cryptsetup open /dev/nvme0n1p6 rootfs

Next, chroot so you can uninstall dracut or attempt to fix your setup:

sudo mount /dev/mapper/rootfs /mnt
sudo mount /dev/nvme0n1p5 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

TPM2 Auto Login Not Working After an Update

In my case, either a major Windows update or, most likely, a BIOS update broke automatic login via TPM2. Luckily, I had password login set up and was able to log in easily when prompted to enter my password.

To fix this issue, you simply need to re-enroll TPM2.

List the slots that are in use:

systemd-cryptenroll /dev/nvme0n1p6

You will see something similar to the following:

SLOT TYPE
   0 password
   1 password
   2 tpm2
   3 recovery

Be very careful when wiping the old TPM2 slot:

systemd-cryptenroll /dev/nvme0n1p6 --wipe-slot=2

Confirm that the slot is empty:
```
systemd-cryptenroll /dev/nvme0n1p6
```

Re-enroll the TPM2 key:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+11+14 /dev/nvme0n1p6

Check the result of the enrollment. You should now see that TPM2 is in use again:
```
systemd-cryptenroll /dev/nvme0n1p6
```
Reboot, and TPM2 should now be working.

kirbah/dual-boot-windows-and-ubuntu-with-luks-tpm2-encryption.md