Well it's an issue indeed but the fact that no encryption is possible
without having to deal with the command line is much worst.
Le lun. 21 déc. 2020 à 22:15, Nodøn <email address hidden> a écrit :
> Encryption should also be possible without LVM. LVM is very good, but if
> you are using for example BTRFS, you may don't want to use both at the
> same time. Should just be an option.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1773457
>
> Title:
> Full-system encryption needs to be supported out-of-the-box including
> /boot and should not delete other installed systems
>
> Status in grub2 package in Ubuntu:
> Confirmed
> Status in ubiquity package in Ubuntu:
> Confirmed
>
> Bug description:
> In today's world, especially with the likes of the EU's GDPR and the
> many security fails, Ubuntu installer needs to support full-system
> encryption out of the box.
>
> This means encrypting not only /home but also both root and /boot. The
> only parts of the system that wouldn't be encrypted are the EFI
> partition and the initial Grub bootloader, for obvious reasons.
>
> It should also not delete other installed systems unless explicitly
> requested.
>
> On top of this, the previous method of encrypting data (ecryptfs) is
> now considered buggy, and full-disk encryption is recommended as an
> alternative. Unfortunately, the current implementation of full-disk
> encryption wipes any existing OS such as Windows, making the
> implementation unusable for most users.
>
> Now, using LUKS and LVM, it is already possible to have full-disk
> encryption (strictly, full-partition encryption because it leaves any
> existing OS alone), while encrypting /boot. Reference:
>
> https://help.ubuntu.com/community/ManualFullSystemEncryption
>
> ... but with one major limitation: Grub is incorrectly changed after
> an update affecting the kernel or Grub, so that a manual Grub update
> is required each time this happens (this is fully covered in the
> linked instructions).
>
> If the incorrect Grub change is fixed, it should be (relatively)
> simple to support full-system encryption in the installer.
>
> Further information (2018-08-17):
>
> The NCSC recommends, "Use LUKS/dm-crypt to provide full volume
> encryption."
> References:
> •
> https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
> • https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
>
> **EDIT**
> Refer to comment #47 for an alternative version.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1773457/+subscriptions
>
Well it's an issue indeed but the fact that no encryption is possible
without having to deal with the command line is much worst.
Le lun. 21 déc. 2020 à 22:15, Nodøn <email address hidden> a écrit :
> Encryption should also be possible without LVM. LVM is very good, but if /bugs.launchpad .net/bugs/ 1773457 /help.ubuntu. com/community/ ManualFullSyste mEncryption /blog.ubuntu. com/2018/ 07/30/national- cyber-security- centre- publish- ubuntu- 18-04-lts- security- guide /www.ncsc. gov.uk/ guidance/ eud-security- guidance- ubuntu- 1804-lts /bugs.launchpad .net/ubuntu/ +source/ grub2/+ bug/1773457/ +subscriptions
> you are using for example BTRFS, you may don't want to use both at the
> same time. Should just be an option.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> Full-system encryption needs to be supported out-of-the-box including
> /boot and should not delete other installed systems
>
> Status in grub2 package in Ubuntu:
> Confirmed
> Status in ubiquity package in Ubuntu:
> Confirmed
>
> Bug description:
> In today's world, especially with the likes of the EU's GDPR and the
> many security fails, Ubuntu installer needs to support full-system
> encryption out of the box.
>
> This means encrypting not only /home but also both root and /boot. The
> only parts of the system that wouldn't be encrypted are the EFI
> partition and the initial Grub bootloader, for obvious reasons.
>
> It should also not delete other installed systems unless explicitly
> requested.
>
> On top of this, the previous method of encrypting data (ecryptfs) is
> now considered buggy, and full-disk encryption is recommended as an
> alternative. Unfortunately, the current implementation of full-disk
> encryption wipes any existing OS such as Windows, making the
> implementation unusable for most users.
>
> Now, using LUKS and LVM, it is already possible to have full-disk
> encryption (strictly, full-partition encryption because it leaves any
> existing OS alone), while encrypting /boot. Reference:
>
> https:/
>
> ... but with one major limitation: Grub is incorrectly changed after
> an update affecting the kernel or Grub, so that a manual Grub update
> is required each time this happens (this is fully covered in the
> linked instructions).
>
> If the incorrect Grub change is fixed, it should be (relatively)
> simple to support full-system encryption in the installer.
>
> Further information (2018-08-17):
>
> The NCSC recommends, "Use LUKS/dm-crypt to provide full volume
> encryption."
> References:
> •
> https:/
> • https:/
>
> **EDIT**
> Refer to comment #47 for an alternative version.
>
> To manage notifications about this bug go to:
> https:/
>