[Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems
Xavier Gnata
xavier.gnata at gmail.com
Fri Mar 27 10:10:50 UTC 2020
Any chance to see a fix in 20.04?
We need to be able to encrypt (k)ubuntu data when ubuntu is installed alongside windows.
/home encrytion was not perfect but it was better than nothing.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1773457
Title:
Full-system encryption needs to be supported out-of-the-box including
/boot and should not delete other installed systems
Status in grub2 package in Ubuntu:
Confirmed
Status in ubiquity package in Ubuntu:
Confirmed
Bug description:
In today's world, especially with the likes of the EU's GDPR and the
many security fails, Ubuntu installer needs to support full-system
encryption out of the box.
This means encrypting not only /home but also both root and /boot. The
only parts of the system that wouldn't be encrypted are the EFI
partition and the initial Grub bootloader, for obvious reasons.
It should also not delete other installed systems unless explicitly
requested.
On top of this, the previous method of encrypting data (ecryptfs) is
now considered buggy, and full-disk encryption is recommended as an
alternative. Unfortunately, the current implementation of full-disk
encryption wipes any existing OS such as Windows, making the
implementation unusable for most users.
Now, using LUKS and LVM, it is already possible to have full-disk
encryption (strictly, full-partition encryption because it leaves any
existing OS alone), while encrypting /boot. Reference:
https://help.ubuntu.com/community/ManualFullSystemEncryption
... but with one major limitation: Grub is incorrectly changed after
an update affecting the kernel or Grub, so that a manual Grub update
is required each time this happens (this is fully covered in the
linked instructions).
If the incorrect Grub change is fixed, it should be (relatively)
simple to support full-system encryption in the installer.
Further information (2018-08-17):
The NCSC recommends, "Use LUKS/dm-crypt to provide full volume encryption."
References:
• https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
• https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1773457/+subscriptions
More information about the foundations-bugs
mailing list