
Trying to do "Full Disk Encryption" using LUKS/dm-crypt on Ubuntu 18.04 LTS with "/boot" partition encrypted as well.

I've found this tutorial that explains quite well how to do it with Ubuntu 19.04. After following all the steps multiple times, I can't make it work on my disk.

Each time I reboot, the next boot ends up on the GRUB command line without showing me an error or anything. I tried to load modules manually in order to boot, but GRUB can't seem to find them.

I tried the same process on Ubuntu 20.04 LTS and noticed no problem. Everything worked perfectly according to the tutorial. (I need to stick to an LTS version.)

I noticed that the GRUB version and the cryptsetup version are different between these two versions and that I have to be careful about the LUKS partition type for "/boot". After creating the LUKS partition for "/boot" and dumping the header, everything seems OK.

On Ubuntu 18.04:

GRUB version: 2.0.2
Cryptsetup version: 2.0.2

On Ubuntu 20.04:

GRUB version: 2.0.4
Cryptsetup version: 2.2.2

I've done a lot of research online about my problem, but I didn't find anything that looks like what I'm trying to do, on Ubuntu 18.04 LTS at least. Almost all the information I found was about Ubuntu 19.04 or later.

Do you know if it's possible to encrypt the /boot partition with Ubuntu 18.04 LTS? I can't upgrade to 20.04 LTS.

  • I think I recall getting it working with 18.04 flash drives here: https://askubuntu.com/questions/1086309/how-to-make-bios-uefi-flash-drive-with-full-disk-encryption. The link contains references for full encryption internal drives also. – C.S.Cameron Jun 15 '21 at 10:12
  • I see Paddy has also recently updated the official documentation: https://help.ubuntu.com/community/ManualFullSystemEncryption – C.S.Cameron Jun 15 '21 at 10:25
  • 2
    Are you using a qwerty keyboard? and you're using a latin/english character set? Don't forget with an encrypted /boot partition, your chosen language files cannot be read until AFTER you've decrypted the volume, ie. you need to use a password that your machine BIOS/firmware language & keyboard understand (which is usually english/american) for the password... otherwise you'll end up at grub rescue..... (full disk encryption has it's drawbacks) – guiverc Jun 15 '21 at 10:40
  • 1
    Why do you even want to do this? Let /boot remain unencrypted. From security point of view it makes no difference. Or do you have grub installed on a floppy disk? – paladin Jun 15 '21 at 11:43
  • @paladin It only makes no difference as long as you have Secure Boot enabled and the initramfs and kernel get signed. Is the latter the case with Ubuntu now? At least it didn't use to be that way and I have trouble figuring out what the current status is (for Ubuntu 21.04). – balu Jun 22 '21 at 17:03
  • Addendum to my previous comment: Looks like the kernel does get signed but the initramfs does not. So encrypting /boot seems strictly better than not encrypting it. – balu Jun 22 '21 at 18:08
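
For the LUKS header type the question says it had to be careful about, here is an added shell check (my example, not code from the question, the linked tutorial, or Ubuntu's own tooling) that reads the `Version:` line from a `cryptsetup luksDump` excerpt and reports whether a given GRUB release can unlock that container at boot. It assumes that GRUB 2.02 and 2.04 can unlock LUKS1 only and that LUKS2 needs GRUB 2.06 or later, and that version strings are in the form `grub-install --version` prints them.

```shell
#!/bin/sh
# Added example: does the installed GRUB understand the LUKS format used on /boot?
# Assumption: GRUB 2.02/2.04 unlock LUKS1 only; LUKS2 requires GRUB >= 2.06.

# Read `cryptsetup luksDump` output on stdin and print the "Version:" value.
luks_version_from_dump() {
    awk '/^Version:/ { print $2; exit }'
}

# Dotted-version compare: returns 0 when $1 >= $2 (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Lowest GRUB release that can open the given LUKS format version.
min_grub_for_luks() {
    case "$1" in
        1) echo "2.02" ;;
        2) echo "2.06" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Print a verdict; returns 0 when GRUB can unlock /boot, 1 when it cannot.
check_boot_luks() {
    grub="$1"; luks="$2"
    need=$(min_grub_for_luks "$luks") || { echo "unknown LUKS version '$luks'"; return 1; }
    if version_ge "$grub" "$need"; then
        echo "GRUB $grub can unlock a LUKS$luks /boot"
        return 0
    fi
    echo "GRUB $grub cannot unlock a LUKS$luks /boot (needs >= $need); recreate it with --type luks1"
    return 1
}

# Constructed luksDump excerpt for a LUKS2 header (sample text, not from a real disk).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]'

# Live use on a real system (replace /dev/sdX2 with the /boot partition):
#   luks=$(sudo cryptsetup luksDump /dev/sdX2 | luks_version_from_dump)
#   grub=$(grub-install --version | awk '{ print $NF }')
#   check_boot_luks "$grub" "$luks"
```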

0 Answers