[Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

Jernej Jakob jernej.jakob at gmail.com
Fri Apr 17 13:29:05 UTC 2020


My attempts to install 20.04 beta desktop or 18.04 LTS netinstall expert
mode with full disk LUKS encryption failed.

1. Tried installing 20.04 Desktop ISO:
- selected manual partitioning
- created a single partition spanning the entire disk
- created a volume for encryption on the partition (LUKS)
- the LUKS was created, but there is no way to select the sda1_crypt volume as a physical device for LVM. The option is absent from the list! So I go manually:
- exit out of the installation
- open a terminal, create the LVM VG and two LVs: root and swap
- start the installer again, now the LVM volumes are displayed
- select the root volume to be used as ext4 on /
- select swap LV to be used as swap
- proceed with installation normally, it finishes without errors.
- on reboot, grub drops to rescue shell, unable to find the "lvm" root disk. Probably due to missing GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub.

2. Tried the 18.04 LTS netinstall booted over PXE:
- selected Advanced options, Expert Install
- used manual partitioning to create the same "MBR->partition1->LUKS->LVM->LVs root and swap" layout as above.
- installation proceeds fine until the "Install GRUB bootloader to the master boot record", where it errors: "grub-install /dev/sda failed". I try different combinations of grub options here, none work. So I'm unable to create a bootable system.

I could probably make the 2nd way work if I switched to the console,
found out why it errors, fixed it, and installed it manually. But that's
not expected of a normal user!

So now, in 2020, we have no way to install Ubuntu without unencrypted
/boot. I have numerous machines that I either installed this way in the
past, or manually copied over installations to hand-created LUKS and
LVM, and with minor tweaks (chrooting into the copied system, adding
GRUB_ENABLE_CRYPTODISK=y and tweaking fstab and crypttab) I can get them
to boot fine.

I can swear this used to work on 14.04 and before, so this is a
regression!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1773457

Title:
  Full-system encryption needs to be supported out-of-the-box including
  /boot and should not delete other installed systems

Status in grub2 package in Ubuntu:
  Confirmed
Status in ubiquity package in Ubuntu:
  Confirmed

Bug description:
  In today's world, especially with the likes of the EU's GDPR and the
  many security fails, Ubuntu installer needs to support full-system
  encryption out of the box.

  This means encrypting not only /home but also both root and /boot. The
  only parts of the system that wouldn't be encrypted are the EFI
  partition and the initial Grub bootloader, for obvious reasons.

  It should also not delete other installed systems unless explicitly
  requested.

  On top of this, the previous method of encrypting data (ecryptfs) is
  now considered buggy, and full-disk encryption is recommended as an
  alternative. Unfortunately, the current implementation of full-disk
  encryption wipes any existing OS such as Windows, making the
  implementation unusable for most users.

  Now, using LUKS and LVM, it is already possible to have full-disk
  encryption (strictly, full-partition encryption because it leaves any
  existing OS alone), while encrypting /boot. Reference:

  https://help.ubuntu.com/community/ManualFullSystemEncryption

  ... but with one major limitation: Grub is incorrectly changed after
  an update affecting the kernel or Grub, so that a manual Grub update
  is required each time this happens (this is fully covered in the
  linked instructions).

  If the incorrect Grub change is fixed, it should be (relatively)
  simple to support full-system encryption in the installer.

  Further information (2018-08-17):

  The NCSC recommends, "Use LUKS/dm-crypt to provide full volume encryption."
  References:
  • https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
  • https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts

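An added example, not part of this message or the bug report: pre-reboot checks for the "partition -> LUKS -> LVM -> root/swap" layout described above, covering the three things the poster had to fix by hand (GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, the crypttab entry, and /boot living on the encrypted root). The mapping name sda1_crypt is the one used in the message; the file-path arguments and the `preflight` helper are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the bug report): checks to run from the chroot of the
# installed system before rebooting into an encrypted-/boot layout. Each
# function takes file paths as arguments so it can be exercised on constructed
# sample files; the defaults are the real system files.

# 0 if GRUB_ENABLE_CRYPTODISK=y is set on an uncommented line of
# /etc/default/grub (or $1). Bare, "y" and 'y' are accepted; a commented-out
# line is exactly the case that leaves GRUB unable to read the LUKS root.
cryptodisk_enabled() {
    file="${1:-/etc/default/grub}"
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y[\"']?[[:space:]]*\$" "$file"
}

# 0 if /etc/crypttab (or $2) has an uncommented entry whose mapping name is $1
# (e.g. sda1_crypt); without it the initramfs cannot unlock the root volume.
crypttab_has_mapping() {
    name="$1"; file="${2:-/etc/crypttab}"
    [ -r "$file" ] || return 1
    awk -v n="$name" '$0 !~ /^[ \t]*#/ && $1 == n { found = 1 }
                      END { exit !found }' "$file"
}

# 0 if /etc/fstab (or $1) has no separate /boot mount, i.e. /boot stays inside
# the encrypted root filesystem rather than on a cleartext partition.
boot_is_encrypted() {
    file="${1:-/etc/fstab}"
    [ -r "$file" ] || return 1
    awk '$0 !~ /^[ \t]*#/ && $2 == "/boot" { found = 1 }
         END { exit (found ? 1 : 0) }' "$file"
}

# Run all three checks against the real system files; $1 is the LUKS mapping
# name. Reports each result and returns non-zero if any check failed.
preflight() {
    rc=0
    cryptodisk_enabled && echo "ok   GRUB_ENABLE_CRYPTODISK=y" \
        || { echo "FAIL GRUB_ENABLE_CRYPTODISK=y missing in /etc/default/grub"; rc=1; }
    crypttab_has_mapping "$1" && echo "ok   crypttab entry for $1" \
        || { echo "FAIL no crypttab entry for $1"; rc=1; }
    boot_is_encrypted && echo "ok   /boot on encrypted root" \
        || { echo "FAIL /boot is a separate (cleartext) mount"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh sda1_crypt   (then: update-grub && update-initramfs -u)
if [ $# -gt 0 ]; then preflight "$1"; fi
```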