efi encrypted /boot grub installation does not include crypto support

Bug #1827928 reported by Jon Hood
This bug affects 1 person
Affects: grub2-signed (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Installing with full disk encryption, including /boot, resulted in the following error after grub loaded: "error: Can't find command 'cryptomount'"

This is identical to the OpenSUSE bug identified at https://forums.opensuse.org/showthread.php/511111

Including an efi, secureboot grub image that is capable of encrypted /boot filesystem mounting is essential for securing the desktop. I see this issue as a prerequisite for bug #1773457.

OpenSUSE resolved this issue by including crypto support in their .efi grub images. I believe that this should be the default for Ubuntu as well, or an additional crypto-enabled grub efi package should be made available.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-signed (Ubuntu):
status: New → Confirmed
Brian Murray (brian-murray) wrote :

This may be a duplicate of bug 1565950. What version of Ubuntu were you trying to install where you encountered this?

fantasticfears (fantasticfears) wrote :

Ubuntu 18.04.3 LTS has this issue. I'm not interested in secure boot but in encrypted /boot. The grub package points to grub2-common (2.02-2ubuntu8.13). Even with the update detailed in the other post, the problem still exists. I can't load cryptomount, and Ubuntu starts with only the grub shell.

Jon Hood (squinky86) wrote :

(replying to #2)
Sorry, I didn't see your reply earlier. This could be argued either way as a separate issue or not, but most importantly, the fix for bug 1565950 will also resolve this issue.

For example, if I install VMware and their unsigned kernel modules, I wouldn't be able to use secure boot but may still want an encrypted /boot partition. I had separated out the secure boot aspect from the encrypted /boot aspect.

I'm OK if you want to consolidate these issues by resolving this as a duplicate, with the acknowledgement that this is a specific issue (specifically the cryptomount portion) of one aspect of bug 1565950.
