Ubuntu
ubiquity package

Bug #1773457
Comment #53

Comment 53 for bug 1773457

Revision history for this message

Xavier Gnata (xavier-gnata-gmail) wrote on 2020-12-21: Re: [Bug 1773457] Re: Full-system encryption needs to be supported out-of-the-box including /boot and should not delete other installed systems

#53

Well it's an issue indeed but the fact that no encryption is possible
without having to deal with the command line is much worst.

Le lun. 21 déc. 2020 à 22:15, Nodøn <email address hidden> a écrit :

> Encryption should also be possible without LVM. LVM is very good, but if
> you are using for example BTRFS, you may don't want to use both at the
> same time. Should just be an option.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1773457
>
> Title:
> Full-system encryption needs to be supported out-of-the-box including
> /boot and should not delete other installed systems
>
> Status in grub2 package in Ubuntu:
> Confirmed
> Status in ubiquity package in Ubuntu:
> Confirmed
>
> Bug description:
> In today's world, especially with the likes of the EU's GDPR and the
> many security fails, Ubuntu installer needs to support full-system
> encryption out of the box.
>
> This means encrypting not only /home but also both root and /boot. The
> only parts of the system that wouldn't be encrypted are the EFI
> partition and the initial Grub bootloader, for obvious reasons.
>
> It should also not delete other installed systems unless explicitly
> requested.
>
> On top of this, the previous method of encrypting data (ecryptfs) is
> now considered buggy, and full-disk encryption is recommended as an
> alternative. Unfortunately, the current implementation of full-disk
> encryption wipes any existing OS such as Windows, making the
> implementation unusable for most users.
>
> Now, using LUKS and LVM, it is already possible to have full-disk
> encryption (strictly, full-partition encryption because it leaves any
> existing OS alone), while encrypting /boot. Reference:
>
> https://help.ubuntu.com/community/ManualFullSystemEncryption
>
> ... but with one major limitation: Grub is incorrectly changed after
> an update affecting the kernel or Grub, so that a manual Grub update
> is required each time this happens (this is fully covered in the
> linked instructions).
>
> If the incorrect Grub change is fixed, it should be (relatively)
> simple to support full-system encryption in the installer.
>
> Further information (2018-08-17):
>
> The NCSC recommends, "Use LUKS/dm-crypt to provide full volume
> encryption."
> References:
> •
> https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
> • https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
>
> **EDIT**
> Refer to comment #47 for an alternative version.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1773457/+subscriptions
>

Well it's an issue indeed but the fact that no encryption is possible
without having to deal with the command line is much worst.

Le lun. 21 déc. 2020 à 22:15, Nodøn <1773457@bugs.launchpad.net> a écrit :

> Encryption should also be possible without LVM. LVM is very good, but if
> you are using for example BTRFS, you may don't want to use both at the
> same time. Should just be an option.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1773457
>
> Title:
>   Full-system encryption needs to be supported out-of-the-box including
>   /boot and should not delete other installed systems
>
> Status in grub2 package in Ubuntu:
>   Confirmed
> Status in ubiquity package in Ubuntu:
>   Confirmed
>
> Bug description:
>   In today's world, especially with the likes of the EU's GDPR and the
>   many security fails, Ubuntu installer needs to support full-system
>   encryption out of the box.
>
>   This means encrypting not only /home but also both root and /boot. The
>   only parts of the system that wouldn't be encrypted are the EFI
>   partition and the initial Grub bootloader, for obvious reasons.
>
>   It should also not delete other installed systems unless explicitly
>   requested.
>
>   On top of this, the previous method of encrypting data (ecryptfs) is
>   now considered buggy, and full-disk encryption is recommended as an
>   alternative. Unfortunately, the current implementation of full-disk
>   encryption wipes any existing OS such as Windows, making the
>   implementation unusable for most users.
>
>   Now, using LUKS and LVM, it is already possible to have full-disk
>   encryption (strictly, full-partition encryption because it leaves any
>   existing OS alone), while encrypting /boot. Reference:
>
>   https://help.ubuntu.com/community/ManualFullSystemEncryption
>
>   ... but with one major limitation: Grub is incorrectly changed after
>   an update affecting the kernel or Grub, so that a manual Grub update
>   is required each time this happens (this is fully covered in the
>   linked instructions).
>
>   If the incorrect Grub change is fixed, it should be (relatively)
>   simple to support full-system encryption in the installer.
>
>   Further information (2018-08-17):
>
>   The NCSC recommends, "Use LUKS/dm-crypt to provide full volume
> encryption."
>   References:
>   •
> https://blog.ubuntu.com/2018/07/30/national-cyber-security-centre-publish-ubuntu-18-04-lts-security-guide
>   • https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
>
>   **EDIT**
>   Refer to comment #47 for an alternative version.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1773457/+subscriptions
>

Ubuntuubiquity package

Comment 53 for bug 1773457

Ubuntu
ubiquity package