Ubuntu 25.10: Encrypted /boot With Btrfs & Debootstrap
Hey guys! Today, we're diving deep into the nitty-gritty of installing Ubuntu 25.10 with an encrypted /boot partition using Btrfs and debootstrap. If you're like me and value security and customization, this guide is for you. I know the existing instructions out there can be a bit outdated or just plain broken, so let’s get this sorted out step by step. We're going to make your Ubuntu installation secure and efficient. Trust me, it's worth the effort for the peace of mind and performance benefits. So grab your favorite beverage, open up your terminal, and let’s get started. We'll cover everything from setting up your partitions to configuring Grub and ensuring your system boots smoothly. By the end of this guide, you'll have a fully functional Ubuntu 25.10 system with an encrypted /boot partition, adding an extra layer of security to your setup. This method ensures that your system's boot process is protected from unauthorized access, keeping your data safe and secure. Remember to back up your data before proceeding with any system modifications.
Prerequisites
Before we get our hands dirty, let's make sure you have everything you need:
- A machine to install Ubuntu 25.10 on: Obviously!
- An Ubuntu 25.10 installation medium: This could be a USB drive or an ISO image.
- A stable internet connection: You'll need this for downloading packages.
- Basic knowledge of Linux commands: Knowing your way around the terminal is crucial.
- Patience: This process can be a bit involved, so take your time and double-check everything.
- Understanding of partitions and filesystems: Familiarity with concepts like ESP (EFI System Partition) and Btrfs is essential.
Have the ISO downloaded and the bootable USB drive created before you start; you will also need the internet connection for the whole debootstrap step. If you're new to Linux commands, brush up on the basics first so you can follow the commands and troubleshoot any issues that come up. Take your time and check each step before moving on.
Partitioning
First things first, let's set up our partitions. I'm assuming you're starting from scratch. If you have existing partitions, adjust accordingly.
- EFI System Partition (ESP): This is where your bootloader will live. I recommend at least 512MB. Format it as FAT32.
- /boot Partition: This is where your kernel and initramfs images will reside. We'll encrypt this, so make it large enough to accommodate future kernel updates (I'd say 1GB minimum).
- Root Partition (/): This is where your main system files will be. You can allocate the remaining space to this. We'll format it as Btrfs.
- Swap Partition/File: Depending on your preference, you can create a swap partition or a swap file. This is used for memory management.
Here’s a sample layout:
/dev/sda1: ESP (512MB, FAT32)
/dev/sda2: /boot (1GB, Encrypted)
/dev/sda3: / (Remaining space, Btrfs)
/dev/sda4: Swap (Optional)
Use a partitioning tool like fdisk, gdisk, or parted to create these partitions. Make sure to note down the partition names, as you'll need them later. When creating the ESP, set the appropriate flag to mark it as an EFI System Partition. For the /boot partition, remember to set up encryption using cryptsetup. The root partition should be formatted as Btrfs, and you can configure subvolumes as needed. If you choose to create a swap partition, format it using mkswap. Alternatively, you can create a swap file on your root partition.
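As an added example that is not part of the original guide, here is a small shell script that creates the sample layout above with sgdisk and formats the partitions that are not going to be encrypted (the ESP as FAT32, root as Btrfs, swap with mkswap; /boot is left for cryptsetup). The disk path, the partition names ESP/cryptboot/root/swap and the sizes are assumptions. Set DRY_RUN=1 to print the commands instead of running them, and confirm the disk path twice before running it for real, because sgdisk --zap-all destroys the existing partition table.

```shell
#!/bin/sh
# Added example, not from the original guide: build the ESP / boot / root / swap
# GPT layout with sgdisk. The disk path, partition names and sizes are assumptions.
set -eu

# Echo a command, then run it unless DRY_RUN is set (useful for a first pass).
run() {
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Partition device name: /dev/sda + 1 -> /dev/sda1, /dev/nvme0n1 + 1 -> /dev/nvme0n1p1
partdev() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# partition_disk DISK [BOOT_SIZE] [SWAP_SIZE]
#   1: ESP   512MiB, type ef00 (this is what marks it as an EFI System Partition)
#   2: /boot BOOT_SIZE (default 1G), plain Linux type; LUKS is put on top later
#   4: swap  SWAP_SIZE at the end of the disk, only if a size is given
#   3: root  whatever is left between /boot and swap, formatted as Btrfs
partition_disk() {
    disk=$1
    boot_size=${2:-1G}
    swap_size=${3:-}
    run sgdisk --zap-all "$disk"
    run sgdisk --new=1:0:+512M --typecode=1:ef00 --change-name=1:ESP "$disk"
    run sgdisk --new=2:0:+"$boot_size" --typecode=2:8300 --change-name=2:cryptboot "$disk"
    if [ -n "$swap_size" ]; then
        # a negative start is measured from the end of the disk
        run sgdisk --new=4:-"$swap_size":0 --typecode=4:8200 --change-name=4:swap "$disk"
    fi
    run sgdisk --new=3:0:0 --typecode=3:8300 --change-name=3:root "$disk"
    run partprobe "$disk"
}

# format_plain_partitions DISK [WITH_SWAP]
# Formats everything except /boot, which gets LUKS + ext4 in a later step.
format_plain_partitions() {
    disk=$1
    run mkfs.fat -F 32 -n ESP "$(partdev "$disk" 1)"
    run mkfs.btrfs -L root "$(partdev "$disk" 3)"
    if [ -n "${2:-}" ]; then
        run mkswap -L swap "$(partdev "$disk" 4)"
    fi
}

# Typical use (as root), after checking the disk path with lsblk:
#   DRY_RUN=1 partition_disk /dev/sda 1G 4G   # print only
#   partition_disk /dev/sda 1G 4G && format_plain_partitions /dev/sda yes
```

The partdev helper matters more than it looks: on NVMe and MMC devices the partition names carry a "p" (nvme0n1p2), so hard-coding /dev/sda2 in the later cryptsetup and fstab steps is a common way to end up with the wrong partition.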
Debootstrap
Now, let's use debootstrap to install the base system. Mount your root partition (e.g., /dev/sda3) to /mnt.
sudo mount /dev/sda3 /mnt
Next, use debootstrap to download and extract the necessary files:
sudo debootstrap jammy /mnt
Replace jammy with noble for Ubuntu 25.10, as noble is the codename for Ubuntu 25.10. This process will download the base system files and extract them to /mnt. Make sure you have a stable internet connection during this step. Once the process is complete, you'll have a minimal Ubuntu system installed on your root partition. This is the foundation upon which we'll build our fully functional Ubuntu system. Remember to double-check the codename to ensure you're installing the correct version of Ubuntu. Using the wrong codename can lead to compatibility issues and other problems.
Chroot and Configuration
It's time to chroot into your new system and configure it. But first, mount the necessary virtual filesystems:
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
sudo mount -o bind /dev /mnt/dev
sudo mount -t devpts devpts /mnt/dev/pts
Now, chroot:
sudo chroot /mnt
Inside the chroot environment, set up your network configuration, hostname, and locale. Edit /etc/hostname to set your hostname. Configure your network interfaces in /etc/network/interfaces or use netplan. Set your locale by editing /etc/locale.gen and running locale-gen. Update your apt sources by editing /etc/apt/sources.list to point to the Ubuntu 25.10 repositories. Install essential packages like linux-image, grub-efi, cryptsetup, and btrfs-progs. Configure your timezone by running dpkg-reconfigure tzdata. Create a user account with a strong password. This user account will be used to log in to your system after the installation is complete.
Encrypting /boot
Now comes the tricky part: encrypting /boot. First, unmount the root partition and encrypt the /boot partition (e.g., /dev/sda2).
exit # Exit chroot
sudo umount /mnt/dev/pts
sudo umount /mnt/dev
sudo umount /mnt/sys
sudo umount /mnt/proc
sudo umount /mnt
sudo cryptsetup luksFormat /dev/sda2
sudo cryptsetup luksOpen /dev/sda2 boot
sudo mkfs.ext4 /dev/mapper/boot
sudo mount /dev/mapper/boot /mnt
Copy the kernel and initramfs images to the encrypted /boot partition. You can find these in /boot within your chroot environment. Update /etc/fstab to include the encrypted /boot partition. You'll need to add an entry for /dev/mapper/boot with the appropriate options. Generate a new initramfs image that includes the necessary modules for unlocking the encrypted /boot partition. This is crucial for ensuring that your system can boot properly. Update your bootloader configuration to include the encrypted /boot partition. This will involve modifying the Grub configuration file. Test the boot process in a virtual machine before deploying it to your physical machine.
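Here, as an added example that is not part of the original guide, is a shell script that formats the /boot partition with parameters GRUB's cryptomount can handle and then writes the /etc/crypttab and /etc/fstab entries by UUID into the new root. It is hypothetical code with assumed names: the mapping name boot, the device paths, the target root directory and the UUIDs. Two caveats a practitioner will want: GRUB's LUKS2 support has historically required PBKDF2 key derivation, so passing --pbkdf pbkdf2 (or using --type luks1) keeps the header unlockable from GRUB regardless of whether the installed GRUB build understands Argon2; and because /boot is opened once by GRUB and again by the booted system, expect to type the passphrase twice unless you later add a keyfile to the crypttab entry.

```shell
#!/bin/sh
# Added example, not from the original guide. Device paths, the mapping name "boot"
# and the target root directory (e.g. /mnt) are assumptions.
set -eu

# luks_format_boot BOOT_DEV [MAP_NAME]
# Format BOOT_DEV as LUKS2 with PBKDF2 so GRUB's cryptomount can unlock it
# (GRUB's LUKS2 support has historically required PBKDF2 rather than Argon2),
# open it under MAP_NAME and put ext4 on the mapped device.
luks_format_boot() {
    boot_dev=$1
    map_name=${2:-boot}
    cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 "$boot_dev"
    cryptsetup open "$boot_dev" "$map_name"
    mkfs.ext4 -L boot "/dev/mapper/$map_name"
}

# LUKS_UUID is the UUID of the LUKS container (cryptsetup luksUUID BOOT_DEV);
# FS_UUID is the UUID of the ext4 filesystem inside it
# (blkid -s UUID -o value /dev/mapper/boot). Both differ, and mixing them up
# is the classic reason the entry below never matches a device at boot.
crypttab_line() {
    # "initramfs" makes cryptsetup-initramfs include this device even though it
    # is not the root filesystem, which is what the guide's initramfs step needs.
    printf 'boot UUID=%s none luks,initramfs\n' "$1"
}
fstab_line() {
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$1"
}
esp_fstab_line() {
    printf 'UUID=%s /boot/efi vfat umask=0077 0 1\n' "$1"
}

# write_boot_entries ROOT LUKS_UUID FS_UUID [ESP_UUID]
# Append the entries to ROOT/etc/crypttab and ROOT/etc/fstab, where ROOT is the
# mounted new system. Existing /boot entries are left alone rather than duplicated.
write_boot_entries() {
    root=$1; luks_uuid=$2; fs_uuid=$3; esp_uuid=${4:-}
    mkdir -p "$root/etc"
    touch "$root/etc/crypttab" "$root/etc/fstab"
    if ! grep -q '^boot ' "$root/etc/crypttab"; then
        crypttab_line "$luks_uuid" >> "$root/etc/crypttab"
    fi
    if ! grep -q ' /boot ' "$root/etc/fstab"; then
        fstab_line "$fs_uuid" >> "$root/etc/fstab"
    fi
    if [ -n "$esp_uuid" ] && ! grep -q ' /boot/efi ' "$root/etc/fstab"; then
        esp_fstab_line "$esp_uuid" >> "$root/etc/fstab"
    fi
}

# Typical use (as root, with the new root mounted at /mnt):
#   luks_format_boot /dev/sda2
#   write_boot_entries /mnt "$(cryptsetup luksUUID /dev/sda2)" \
#       "$(blkid -s UUID -o value /dev/mapper/boot)" "$(blkid -s UUID -o value /dev/sda1)"
```

Using UUIDs instead of /dev/sda2 keeps the entries valid if the disk enumerates differently after you plug in another drive; the umask=0077 on the ESP keeps the unencrypted bootloader files from being world-readable once the system is up.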
Grub Configuration
Configuring Grub to handle the encrypted /boot is crucial. You'll need to modify /etc/default/grub and /etc/grub.d/40_custom.
In /etc/default/grub, add the following:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:boot"
Update /etc/grub.d/40_custom to include the necessary commands to unlock the encrypted /boot partition. This will involve using the cryptomount command. Generate the Grub configuration file using update-grub. This will create the grub.cfg file that Grub uses to boot your system. Make sure to test the Grub configuration in a virtual machine before deploying it to your physical machine. This will help you identify and fix any issues before they cause problems on your actual system. Remember to back up your Grub configuration files before making any changes.
Final Steps
Before rebooting, make sure everything is in place. Double-check your /etc/fstab, Grub configuration, and initramfs image. Install Grub to the ESP:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Ubuntu
update-grub
Replace /boot/efi with the actual mount point of your ESP. Reboot your system and cross your fingers! If everything went well, you should be prompted for your encryption password before the Grub menu appears. Monitor the boot process closely for any errors. If you encounter any issues, you may need to boot into a live environment and troubleshoot the configuration files. Remember to back up your data before making any changes to your system.
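As an added example (hypothetical, not from the guide), this shell function performs the pre-reboot double-check from inside the chroot, or against any directory holding the new root, and lists what is missing instead of leaving you to find out at the GRUB prompt. It only checks things the guide already relies on: the crypttab and fstab entries for the encrypted /boot and the ESP, GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, a cryptomount line in the generated grub.cfg, and, when lsinitramfs is installed, that the initramfs carries cryptsetup. The path layout under ROOT is an assumption matching a standard Ubuntu install, and the mapping name boot is assumed to match your /etc/crypttab.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-reboot sanity check for an
# encrypted /boot. ROOT is the directory of the new system ("/" inside the chroot).
set -u

# fail MESSAGE: report one problem and count it.
fail() {
    printf 'MISSING: %s\n' "$1"
    problems=$((problems + 1))
}

# verify_boot_config [ROOT] -> exit status 0 if every check passes, 1 otherwise.
verify_boot_config() {
    root=${1:-/}
    problems=0

    # 1. /etc/crypttab must define the "boot" mapping the fstab entry relies on.
    grep -qs '^boot[[:space:]]' "$root/etc/crypttab" \
        || fail "$root/etc/crypttab has no entry for the 'boot' mapping"

    # 2. /etc/fstab must mount /boot and the ESP at /boot/efi.
    grep -qs '[[:space:]]/boot[[:space:]]' "$root/etc/fstab" \
        || fail "$root/etc/fstab has no /boot entry"
    grep -qs '[[:space:]]/boot/efi[[:space:]]' "$root/etc/fstab" \
        || fail "$root/etc/fstab has no /boot/efi (ESP) entry"

    # 3. GRUB must be told to build cryptodisk support into its core image.
    grep -qs '^GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" \
        || fail "GRUB_ENABLE_CRYPTODISK=y not set in $root/etc/default/grub"

    # 4. The generated grub.cfg must unlock the container before loading the kernel.
    grep -qs 'cryptomount' "$root/boot/grub/grub.cfg" \
        || fail "$root/boot/grub/grub.cfg has no cryptomount line (run update-grub)"

    # 5. If an initramfs exists and lsinitramfs is installed, it must carry cryptsetup.
    for img in "$root"/boot/initrd.img-*; do
        [ -e "$img" ] || continue
        if command -v lsinitramfs >/dev/null 2>&1; then
            lsinitramfs "$img" | grep -q 'cryptsetup' \
                || fail "$img does not contain cryptsetup (run update-initramfs -u)"
        fi
    done

    [ "$problems" -eq 0 ]
}

# Typical use inside the chroot, right before grub-install / update-grub:
#   verify_boot_config / && echo "boot configuration looks complete"
```

Run it again from the live environment with ROOT pointing at the mounted root if the first boot fails; the same checks cover the Troubleshooting list below, and the message tells you which step to repeat.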
Troubleshooting
If things go south (and sometimes they do), here are a few things to check:
- Initramfs: Make sure your initramfs image includes the necessary modules for unlocking the encrypted /boot partition.
- /etc/fstab: Double-check that your /etc/fstab file is correctly configured with the encrypted /boot partition.
- Grub Configuration: Verify that your Grub configuration file includes the necessary commands to unlock the encrypted /boot partition.
- ESP Mount Point: Ensure that your ESP is mounted correctly and that Grub is installed to the correct location.
Conclusion
There you have it! Installing Ubuntu 25.10 with an encrypted /boot partition using Btrfs and debootstrap is no walk in the park, but it's definitely achievable with careful planning and execution. This setup provides an extra layer of security for your system and ensures that your data is protected. Remember to back up your data before proceeding with any system modifications. If you have any questions or run into any issues, feel free to ask for help in the comments section. Happy hacking!