Ubuntu Pro is a subscription service which provides an extra layer of security and compliance features to Ubuntu LTS derivatives like Kubuntu. Features such as Extended Security Maintenance (ESM) and LivePatching provide the greatest benefit in long-lived server environments.
Kubuntu Focus DOES NOT SUPPORT the use of Ubuntu Pro with free support. Focus customers with a paid MSP contract, however, can choose Pro support for their servers or fleets.
When upgrading packages from the CLI, you might see a message like the following, encouraging you to enable Ubuntu Pro:
You can toggle the message as shown below:
In a terminal, type
pro status. If you see
This machine is not attached to an Ubuntu Pro subscription, then Ubuntu Pro is NOT enabled.
If you have enabled Ubuntu Pro and used many of its features, rolling back can be difficult. For example, using
ppa-purge to remove the two Pro repositories reportedly removes important system files. If that is the case, then it's probably best to back up your data and perform a clean install. Below is a non-exhaustive list of steps you might need to do otherwise:
apt list --installed |grep -- '-esm'
apt-cache policy ffmpeg
Visit the Welcome Wizard to change your encrypted disk passphrase using a GUI. Whenever you change the passphrase, type it carefully and keep a copy somewhere safe because THERE IS NO WAY TO RECOVER THE DISK IF THE PASSPHRASE IS LOST!
You can also change the passphrase using the command line as shown below:
Two keys are used for normal encryption, and three if using a YubiKey. Typically, slot 0 is your passphrase, slot 1 is a randomly generated string created by the installer, and slot 3 is used by YubiKey. Slot 2 is a remnant of the installer, and is not generally useful. You may see all the slots, find the one using your passphrase, and carefully remove slots using the following:
Make sure your data is backed up before changing or removing keys. Use the
luksDump command as shown above to ensure the slot has been removed.
If you purchased a pre-configured YubiKey you won’t need this except to change your password. The YubiKey documentation may be found at here.
Insert the YubiKey into a USB slot. The center LED should flash once. It will not stay illuminated. As you use the key, the LED will flash under other circumstances.
/etc/ykluks.cfg file should be fine. However, you may customize it as you see fit.
Enroll your YubiKey to a LUKS slot:
Enter an EXISTING disk passphrase.
/etc/crypttab to include the
keyscript option as shown. IMPORTANT! THE DISK UUID YOU SEE WILL BE DIFFERENT - DO NOT CHANGE IT! Also make sure the entry is on a single line in the file, even if it wraps in the codeblock below.
You can verify or recover the UUID by using
lsblk --fs |grep 'crypto_LUKS' and then using the uuid of the correct volume. The partion for standard installations is typically
Reboot and insert YubiKey on the initial passphrase screen to test your password. You should be able to use your YubiKey passphrase or your regular passphrase. We suggest you always keep the first passphrase but ensure it is long and complex. This provides a method to use the system even if you lose your YubiKey. As always, store your passphrases safely.
Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.
Secure Shell (SSH) is a versatile tool. One can use it for remote access, port forwarding, tunneling, and secure file transfers. Many graphical tools support SSH. For example, the Dolphin file manager, can use
SFTP for secure file transfers. A default configuration is provided and annotated in
.ssh/config for all new users. You may study it to see how to maintain constant connection and add shortcuts for specific hosts.
OpenVPN is installed so you can easily access a common Virtual Private Network solution. Many other VPN clients are available by their developers. To provide secrets to the Fortinet VPN client, see the this section of the Passwords Managemet guide.
Content will be added as needed.
This is a partial revision history. See the
git repository for all entries.
2023-11-20 3fc7cb1fExpand Ubuntu Pro details
2023-11-18 e770b1c6Add search and help bar
2023-06-27 e4a03c44Include cross-over section on passwords
2023-06-26 b8a2a1c3Add link for Fortinet secrets
2023-06-16 e256ff30Add Ubuntu Pro section
2023-06-16 d70a49d8Update LUKS key info
2023-04-26 d70a49d8Add Ir14 details
2022-07-25 37da0b4fEnhance YubiKey directions
2021-10-10 5728326eReformat to 2-column
2021-09-22 dc862884Update link and headline colors
2021-08-23 681261b4Review and update codeblocks
2021-08-20 ca2282bfAdd YubiKey details
2021-03-13 e0214298Update YubiKey; Add autoremove advice
2020-06-10 c4ed9299Restructure layout
2020-06-08 a963ce3fFirst publication
We try hard to provide a useful solution validated by professionals. However, we cannot anticipate every situation, and therefore cannot guarantee this procedure will work for your needs. Always backup your data and test the solution to determine the correct procedure for you.
THIS SOLUTION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOLUTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.