[Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

Fri Aug 3 20:38:43 UTC 2018

If you want to preserve other OS and setup encrypted partitions by hand,
you can do so, since forever using the mini.iso  d-i installer, and
install ubuntu-desktop task.

yes unencrypted /boot is currently a limitation with grub, but you can
use sicherboot package to boot UEFI based systems securely without
/boot, as that ensure the bootloader, kernel, initramfs are all in the
UEFI partition, signed and booted with secureboot.

none of that is typical for a desktop installer, nor is easy to explain
in the UI. And things like above is adequatly easy to setup using the
mini.iso and additional packages. For a mass-install corporate
environment, I would expect internal sysadmins to either prepare d-i
preseeds or custom golden images to deploy machines with such a
sophisticated setup.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub in Ubuntu.
https://bugs.launchpad.net/bugs/1773457

Title:
  Full-system encryption needs to be supported out-of-the-box including
  /boot and should not delete other installed systems

Status in grub package in Ubuntu:
  New
Status in ubiquity package in Ubuntu:
  Incomplete

Bug description:
  In today's world, especially with the likes of the EU's GDPR and the
  many security fails, Ubuntu installer needs to support full-system
  encryption out of the box.

  This means encrypting not only /home but also both root and /boot. The
  only parts of the system that wouldn't be encrypted are the EFI
  partition and the initial Grub bootloader, for obvious reasons.

  It should also not delete other installed systems unless explicitly
  requested.

  On top of this, the previous method of encrypting data (ecryptfs) is
  now considered buggy, and full-disk encryption is recommended as an
  alternative. Unfortunately, the current implementation of full-disk
  encryption wipes any existing OS such as Windows, making the
  implementation unusable for most users.

  Now, using LUKS and LVM, it is already possible to have full-disk
  encryption (strictly, full-partition encryption because it leaves any
  existing OS alone), while encrypting /boot. Reference:

  https://help.ubuntu.com/community/ManualFullSystemEncryption

  ... but with one major limitation: Grub is incorrectly changed after
  an update affecting the kernel or Grub, so that a manual Grub update
  is required each time this happens (this is fully covered in the
  linked instructions).

  If the incorrect Grub change is fixed, it should be (relatively)
  simple to support full-system encryption in the installer.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub/+bug/1773457/+subscriptions