24.04: installer, disk encryption, power management: ubuntu going backwards in big steps?
Josef Wolf
jw at raven.inka.de
Wed Sep 11 18:33:44 UTC 2024
On Wed, Sep 11, 2024 at 02:47:05PM +0200, Oliver Grawert wrote:
> On Wednesday, 11.09.2024 at 14:10 +0200, Josef Wolf wrote:
> >
> > 1. This will create an UNENCRYPTED /boot partition. This is not
> > exactly "full disk encryption"
>
> If you want FDE with encrypted /boot and all, you will need to pick the
> "hardware-backed" encryption option in the installer ... but note that
> this heavily depends on your UEFI settings and that all the TPM options
> in it are correctly set in advance of the install ... there is some
> discussion around it at:
So they have dropped the ability which was working for SEVERAL DECADES in
favour of something that is marked as "EXPERIMENTAL".
OK, let's try it:
When I use this "hardware backed encryption", at one point there is a note
which advises you to use "snap recovery --show-keys" to learn the recovery
key. This is in light gray on a light gray background, with different nuances
of "light gray". Guess this is such a great secret that it is only allowed to be
whispered. Voldemort or something...
So I go and continue the installation. Unfortunately, the command mentioned
above, "snap recovery --show-keys", results only in a "permission
denied". Running this as root does not help at all; same error message.
When the install is done, the system wants to reboot. On the new boot, it asks for the
"recovery key". How/why that?!? I thought we were talking about TPM-based encryption?
Why is it asking for a key at all? In my understanding, the recovery key would be
needed only when the original key is lost. How come the original key is lost on
the very first reboot? And why is it asking for a key which I never had
a chance to learn anything about?
Summing up: looks like this feature is marked as "experimental" for a very
good reason!
So I rephrase my statement from the beginning of this posting:
They have dropped the ability which was working for SEVERAL DECADES in
favour of something that is marked as "EXPERIMENTAL" and which is not working
at all.
Anybody out there who can describe a WORKING procedure to get
full-disk-encrypted install?
And PLEASE stop suggesting methods which you have never tried by yourself.
--
Josef Wolf
jw at raven.inka.de
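The quoted reply says the "hardware-backed" option depends heavily on the firmware settings being right before the install starts. The script below is an added example, not part of the thread and not Ubuntu's or snapd's own code: a pre-install check that reads the standard Linux sysfs/efivars paths to confirm the machine is booted via UEFI, exposes a TPM 2.0 device, and has Secure Boot enabled. That these three are the prerequisites for Ubuntu's TPM-backed FDE is an assumption on my part (the post itself only says "TPM options"), as is the `--run` flag and the optional fake-root argument, which exist so the function can be exercised against a constructed directory tree as well as a live system.

```shell
#!/bin/sh
# Added example, not from the mailing list post or from Ubuntu/snapd.
# Checks the firmware prerequisites assumed for Ubuntu's TPM-backed FDE:
# UEFI boot, a TPM 2.0 device, Secure Boot enabled. The sysfs/efivars paths
# are the standard ones the Linux kernel exposes; the optional first argument
# to check_fde_prereqs is a fake root (assumption/testing aid), default "/".

# UEFI global variable: SecureBoot, vendor GUID 8be4df61-93ca-11d2-aa0d-00e0980e6e1c
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e0980e6e1c"

# Prints one line per finding; returns 0 when everything looks satisfied, 1 otherwise.
check_fde_prereqs() {
    root="${1:-}"
    ok=0

    # 1. UEFI boot: the kernel creates /sys/firmware/efi only when booted via UEFI.
    if [ -d "$root/sys/firmware/efi" ]; then
        echo "ok:   booted in UEFI mode"
    else
        echo "FAIL: not booted in UEFI mode (legacy/CSM boot)"
        ok=1
    fi

    # 2. TPM 2.0: the tpm driver exposes tpm_version_major for the first device.
    ver_file="$root/sys/class/tpm/tpm0/tpm_version_major"
    if [ -r "$ver_file" ]; then
        ver=$(cat "$ver_file")
        if [ "$ver" = "2" ]; then
            echo "ok:   TPM 2.0 device exposed as tpm0"
        else
            echo "FAIL: TPM exposed as tpm0 has major version $ver, need 2"
            ok=1
        fi
    else
        echo "FAIL: no TPM exposed by the kernel (disabled in firmware, or none fitted)"
        ok=1
    fi

    # 3. Secure Boot: the efivar file is 4 bytes of attributes followed by a
    #    1-byte value, so the last byte is the SecureBoot state (1 = enabled).
    sb_file="$root/sys/firmware/efi/efivars/$SB_VAR"
    if [ -r "$sb_file" ]; then
        sb=$(od -An -t u1 "$sb_file" | awk '{v=$NF} END{print v}')
        if [ "$sb" = "1" ]; then
            echo "ok:   Secure Boot enabled"
        else
            echo "FAIL: Secure Boot disabled (value $sb)"
            ok=1
        fi
    else
        echo "FAIL: SecureBoot efivar not readable (not UEFI, or efivarfs not mounted)"
        ok=1
    fi

    return $ok
}

# Usage on a live system (run as root so the efivar is readable):
#   sh fde-prereqs.sh --run
if [ "${1:-}" = "--run" ]; then
    check_fde_prereqs ""
fi
```

The point of running this before the installer, rather than discovering the problem at the recovery-key prompt, is that every one of these three conditions is a firmware setting you can only change by rebooting into the UEFI setup menu; if any line reads FAIL, fix that first and only then pick the hardware-backed option.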