[Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

Paddy Landau 1773457 at bugs.launchpad.net
Sat Aug 4 16:50:14 UTC 2018


@Dimitri Thanks for your comments. I understand where you are coming
from.

I do think, however, that as Ubuntu is intended (and was intended right
from day 1) to be "for human beings", it would make hugely more sense to
support full-system encryption from the installer. People don't want to
be messing around with "install this, then install that, then fix this
other thing" especially as it's neither documented nor supported by
Canonical.

That's just life.

While technical people love messing around — it's their job, after all!
— your average "human being" hates it. (I also dislike it; I put
together the method simply because I needed it. I documented the process
publicly because I know that there are many, many people like me who
need it.)

Also, I have never had good results from installing a desktop
environment over an existing system, even something as simple as Lubuntu
desktop over an Ubuntu installation.

That, too, is just life.

This request is something that Ubuntu should support. It's not a "nice
to have" feature. In today's world, it's a "got to have" feature,
whether for business, government, professionals, salespeople, scientific
research, and even personal use. (If I could program, I'd amend the
installer myself to implement this — it is open source, after all).

This is made even more urgent by the fact that Ubuntu 18.04 no longer
supports encryption at all. Even the recommended workaround, fscrypt, is
broken.

I cannot understand the antagonism to this request — it's a proven
method; it's not particularly difficult; it's easy enough to modify the
existing installer to do this; it's significantly better than the
existing options; it uses only proven technology; and it would prove
hugely popular, helping to tip the balance to switch to Ubuntu in
organisations that are currently uncertain.

I know that if I were an internal sysadmin, or a consultant to a
professional (I used to be both, decades ago), up to version 16.04 I
would have recommended Ubuntu every time without hesitation. But, from
18.04, I absolutely would not, because it's too problematic to install
with encryption and then keep it reliably up to date.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1773457

Title:
  Full-system encryption needs to be supported out-of-the-box including
  /boot and should not delete other installed systems

Status in grub2 package in Ubuntu:
  New
Status in ubiquity package in Ubuntu:
  Incomplete

Bug description:
  In today's world, especially with the likes of the EU's GDPR and the
  many security fails, Ubuntu installer needs to support full-system
  encryption out of the box.

  This means encrypting not only /home but also both root and /boot. The
  only parts of the system that wouldn't be encrypted are the EFI
  partition and the initial Grub bootloader, for obvious reasons.

  It should also not delete other installed systems unless explicitly
  requested.

  On top of this, the previous method of encrypting data (ecryptfs) is
  now considered buggy, and full-disk encryption is recommended as an
  alternative. Unfortunately, the current implementation of full-disk
  encryption wipes any existing OS such as Windows, making the
  implementation unusable for most users.

  Now, using LUKS and LVM, it is already possible to have full-disk
  encryption (strictly, full-partition encryption because it leaves any
  existing OS alone), while encrypting /boot. Reference:

  https://help.ubuntu.com/community/ManualFullSystemEncryption

  ... but with one major limitation: Grub is incorrectly changed after
  an update affecting the kernel or Grub, so that a manual Grub update
  is required each time this happens (this is fully covered in the
  linked instructions).

  If the incorrect Grub change is fixed, it should be (relatively)
  simple to support full-system encryption in the installer.
