4

I've just installed Ubuntu 20.04 on my machine, choosing the option "Erase disk and install Ubuntu" with the advanced option "Use LVM with the new Ubuntu installation" with encryption. Installation went fine, but now when I boot I'm greeted by the GRUB console.

The only way to log in is to enter the exit command in the GRUB console.
I'm then prompted with the message: Please unlock disk sda6_crypt. Upon entering the password the login screen opens up and all is fine.

My question is: is there no way to bypass this step and go straight to the login screen without entering the GRUB console and having to insert the disk cryptography secret every time?

MFranc
  • 143
  • 1
    If you installed with encryption, the encryption would be pointless if you can get to the login screen without decryption. To get your system booted to the point where login is operating, a lot of your file-system would need to be visible (meaning unencrypted). An encrypted $HOME directory allows for you to get to the login screen (and only user files are encrypted, not system files allowing the code before login to be run), but it reads like you opted for full disk encryption which requires the key to unlock before you can boot. – guiverc Oct 09 '20 at 08:44
  • FYI: My current desktop has encrypted $HOME (an older Ubuntu install), so anyone can turn it on and get to the login/greeter screen (they just can't read my files within my $USER directory). However for any laptop or device that isn't bound to a desk, I use full-disk encryption. – guiverc Oct 09 '20 at 08:47
  • @guiverc Ah well damn so it is actually the feature, neat bit more security. Thanks a lot, thinking about it makes perfect sense. Might be overkill for my personal setup tho. Would you like to post the comments as an answer so I can close the thread? Thanks again – MFranc Oct 09 '20 at 08:56
  • 1
    @guiverc I believe MFranc is actually bringing up a real problem when GRUB is not working quite right. You shouldn't have to type exit to get past this screen. If the only OS is Ubuntu, GRUB shouldn't be shown at all. But yes, for full disk encryption, the decryption password must be entered on the prompt: Please unlock disk sdx#_crypt – Nmath Oct 22 '20 at 05:26
  • @Nmath, yeah you have a great point. A groovy Lubuntu (Full Disk Encryption) install made a couple of hours ago reboots on entering exit at GNU GRUB grub> prompt (/boot/ is encrypted so it can't be read so you get past the grub screen with exit; as FDE (full disk encryption) means boot is encrypted so without key /boot/ can't be read and grub can't possibly show). In fact an exit on my groovy screen you showed caused a reboot (& jump into uEFI settings for box). I've been told Lubuntu is slightly different, but I don't have enough knowledge to assist, nor an encrypted non-Lubuntu – guiverc Oct 22 '20 at 06:14
  • @Nmath Thanks for your comment. It is strange, from a user perspective, to manually exit from the grub console every time. When you boot does it enter the grub console automatically? If so, how do you avoid exiting every time? And yes, Ubuntu 20.04 is the only OS present. – MFranc Oct 22 '20 at 07:35
  • 1
    @guiverc - that's not how full disk encryption is supposed to work... GRUB is broken here. GRUB should pass off immediately to the decryption prompt and shouldn't even show up unless a dual boot config. In that case you would get choice of boot. Any time you have a command prompt @ GRUB, that's a problem. MFranc: go over the link I posted in my comment. You probably need to repair GRUB. Maybe that's all you need to do. Maybe your EFI partition was already "messy" before you installed Ubuntu. Did you format the disk ahead of time? (You should) – Nmath Oct 22 '20 at 16:08
  • @guiverc - GRUB is not encrypted & neither are the tools needed to decrypt the root file system. If it was, it would be impossible to boot and decrypt the volume at all. The author of this question can boot their device and they can get to the decryption prompt before the file system is decrypted, so the problem isn't that these tools are encrypted, it's that GRUB is messed up. Boot sequence should be automatic until user input is actually needed. In this case, boot should only pause when waiting for decryption key – Nmath Oct 22 '20 at 16:14

1 Answer

2

If you installed with encryption, that encryption would be pointless if you can get to the login screen without decryption.

To get your system booted to the point where login is operating, a lot of your file-system would need to be visible (meaning unencrypted).

An encrypted $HOME directory allows for you to get to the login screen (where only user files are encrypted, not system files allowing the code before login to be run), but it reads like you opted for full disk encryption which requires the key to unlock before you can boot.

My current desktop has encrypted $HOME, so anyone can turn it on and get to the login/greeter screen (they just can't read my files within my $USER directory until logging in). However for any laptop or device that isn't bound to a desk, I use full-disk encryption.

guiverc
  • 30,396
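
As an added illustration (not part of the original answer or comments), this shell function reports which mount points sit above a dm-crypt layer, which is the distinction the answer draws between full-disk encryption and an encrypted $HOME. The names `crypt_report` and `sample_layout` are hypothetical, and the sample device layout is constructed for the example, not taken from the asker's machine.

```shell
#!/usr/bin/env bash
# Added example: classify each mount point as encrypted or plaintext by
# walking its parent chain in `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` output.

crypt_report() {
  awk '
    {
      name = type = parent = mnt = ""
      line = $0
      # Extract every KEY="value" pair from the line.
      while (match(line, /[A-Z]+="[^"]*"/)) {
        pair = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        eq  = index(pair, "=")
        key = substr(pair, 1, eq - 1)
        val = substr(pair, eq + 2, length(pair) - eq - 2)
        if (key == "NAME") name = val
        else if (key == "TYPE") type = val
        else if (key == "PKNAME") parent = val
        else if (key == "MOUNTPOINT") mnt = val
      }
      types[name] = type
      parents[name] = parent
      if (mnt != "") mounts[name] = mnt
    }
    END {
      for (dev in mounts) {
        state = "plaintext"
        # A device is encrypted if it or any ancestor is a dm-crypt mapping.
        for (d = dev; d != ""; d = parents[d])
          if (types[d] == "crypt") { state = "encrypted"; break }
        print mounts[dev], state
      }
    }
  ' | LC_ALL=C sort
}

# Constructed sample: LVM inside a LUKS container, with separate /boot and ESP.
sample_layout() {
  cat <<'EOF'
NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot/efi"
NAME="sda5" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda6" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="sda6_crypt" TYPE="crypt" PKNAME="sda6" MOUNTPOINT=""
NAME="vgubuntu-root" TYPE="lvm" PKNAME="sda6_crypt" MOUNTPOINT="/"
NAME="vgubuntu-swap_1" TYPE="lvm" PKNAME="sda6_crypt" MOUNTPOINT="[SWAP]"
EOF
}

sample_layout | crypt_report
```

On a live system, replace the sample with `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT | crypt_report`; any mount point reported as plaintext is readable without the unlock passphrase.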