GRUB and encrypted /boot

[Volker Wysk]

Hi, Oliver

Am Donnerstag, dem 05.02.2026 um 15:33 +0100 schrieb Oliver Grawert:
> Hi,
> Am Donnerstag, dem 05.02.2026 um 10:56 +0100 schrieb Volker Wysk:
> > Hi.
> > 
> > Is it true, that GRUB can nowadays handle fully encrypted mass
> > storage,
> > which includes the /boot partition? And that this can be set up with
> > the
> > Ubuntu Server Installer?
> > 
> 
> No, you can have full disk encryption with Ubuntu Core (which comes
> without any installer and usually gets directly flashed to disk) or

I don't have a device on which I could install Ubuntu Core. I have a normal
desktop. Getting installed one can be achieved with installing Ubuntu
Server, and then installing the package ubuntu-desktop.

> with the recent desktop installer (which has it around since 25.04 but
> still marked experimental until 26.04 releases), server is not there
> yet and will likely only see this feature in 28.04 ...

I tried it with Ubuntu Desktop 24.04 before, and it wasn't possible to have
an encrypted *Btrfs* system. The reason I want /boot in the same file system
as /, is exclusively that this is needed for Btrfs. You need it for system-
snapshots. Now I'm trying 25.10 Desktop and the installer still doesn't
allow for an encrpyted Btrfs, but offers an encrypted ZFS file system
instead (still marked as experimental)... I'm going to try it.

> 
> Original announcement when the work started:
> https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
> 
> Status report for 25.10:
> https://discourse.ubuntu.com/t/tpm-fde-progress-for-ubuntu-25-10/65146
> 
> Current state that you can actually get involved in and help with
> sending info about your system:
> https://discourse.ubuntu.com/t/tpm-backed-fde-take-2-minutes-to-help-widen-ubuntu-compatibility-with-your-tpm-configuration/70352

I don't have a TPM-Chip. It's just a normal desktop.

> ciao
> 	oli

Bye, Oliver