[Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

Steffen Seeber 1773457 at bugs.launchpad.net
Mon Dec 3 19:50:10 UTC 2018


*** This bug is a duplicate of bug 1514120 ***
    https://bugs.launchpad.net/bugs/1514120

I would like to support this bug report from the perspective of a security-oriented, pragmatic user, likely the kind of which there are plenty out there.

Ubuntu's great success has been and will be based on how user friendly it is, and an overwhelming majority of the people who are looking at security just want their whole system encrypted. Also in dual boot scenarios. Windows for general purpose, Ubuntu for security relevant tasks such as banking or sensitive administration. A widespread use case.

Confronting them with exceptions such as an unencrypted /boot partition,
disabling encryption in dual boot scenarios or any other unnecessary
complications will just lower Ubuntu's acceptance in an increasingly
security-aware user world.

Academic discussions about whether or not encryption has been designed
for tamper resistance just miss the point. Fact is that it does
increase it. Think of someone who breaches my Windows installation, and
discovers the parallel Ubuntu installation. They either just see one big
chunk of random data, or they see a clear-text /boot partition they can
play with. This is one unnecessary attack vector, no matter how easy or
hard it is to use.

I do not remember a single argument in this whole history against /boot
encryption that mentions a real disadvantage of the functionality. Yes,
there may be alternatives. No, it does not make a system perfectly safe.
But it helps, and not implementing it is like not implementing RAID
because one wants to force users to create backups.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1773457

Title:
  Full-system encryption needs to be supported out-of-the-box including
  /boot and should not delete other installed systems

Status in grub2 package in Ubuntu:
  Confirmed
Status in ubiquity package in Ubuntu:
  Incomplete

Bug description:
  In today's world, especially with the likes of the EU's GDPR and the
  many security fails, Ubuntu installer needs to support full-system
  encryption out of the box.

  This means encrypting not only /home but also both root and /boot. The
  only parts of the system that wouldn't be encrypted are the EFI
  partition and the initial Grub bootloader, for obvious reasons.

  It should also not delete other installed systems unless explicitly
  requested.

  On top of this, the previous method of encrypting data (ecryptfs) is
  now considered buggy, and full-disk encryption is recommended as an
  alternative. Unfortunately, the current implementation of full-disk
  encryption wipes any existing OS such as Windows, making the
  implementation unusable for most users.

  Now, using LUKS and LVM, it is already possible to have full-disk
  encryption (strictly, full-partition encryption because it leaves any
  existing OS alone), while encrypting /boot. Reference:

  https://help.ubuntu.com/community/ManualFullSystemEncryption

  ... but with one major limitation: Grub is incorrectly changed after
  an update affecting the kernel or Grub, so that a manual Grub update
  is required each time this happens (this is fully covered in the
  linked instructions).

  If the incorrect Grub change is fixed, it should be (relatively)
  simple to support full-system encryption in the installer.

  Further information (2018-08-17):

  The NCSC recommends, "Use LUKS/dm-crypt to provide full volume encryption."
  References:
  • https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
  • https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1773457/+subscriptions


