No way to encrypt at partition level (dual boot)

Bug #1799550 reported by Xavier Gnata
This bug affects 3 people
Affects            Status         Importance  Assigned to  Milestone
ubiquity (Ubuntu)  Fix Committed  Wishlist    Unassigned

Bug Description

I'm using kubuntu alongside windows in a dual boot, therefore I cannot use the full disk partition option. There is no option in the installer to get an encrypted kubuntu with windows (or any other OS) already installed on the same disk. There used to be an option to encrypt /home (up to 16.10 IIRC) but it does not exist anymore.
I had to follow and adapt this tutorial http://blog.botux.fr/en/2015/09/ubuntu-installation-manual-full-disk-encryption-lvm-on-luks/ to get my encrypted kubuntu.
Is it a bug in the installer or a missing (important, as security related) feature?

Mathieu Trudel-Lapierre (cyphermox) wrote :

It's a feature that was there before (encrypting /home) but is no longer supported.

As for full disk encryption, you still have the option of doing the partitioning yourself; we indeed do not currently provide an option to do resizing *and* disk encryption.

Marking as Wishlist / Triaged, since these feature requests are fairly well understood.

Changed in ubiquity (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist

Xavier Gnata (xavier-gnata-gmail) wrote :

Thanks for the answer but I'm not sure I fully understand.

If I do the partitioning setup manually and launch the installer once it is done, is there a way to perform the installation on this encrypted partition without having to chroot the environment, manually create crypttab and cryptroot, and tune grub (as explained in http://blog.botux.fr/en/2015/09/ubuntu-installation-manual-full-disk-encryption-lvm-on-luks/ )?

Xavier

Mathieu Trudel-Lapierre (cyphermox) wrote :

You can create the partitioning to use /boot on a separate partition, and / on an encrypted disk with LVM (the installer gives you various options for what to use a partition with). It's the same story as that blog post, but using the graphical options.

Using the blog post's commands possibly only has the benefit that you're sure the options you want are enabled, because you did it on the command-line, explicitly.

Xavier Gnata (xavier-gnata-gmail) wrote :

Ok I missed that point.
You can close it if you want, except if you intend to support resizing *and* disk encryption.
Sorry for the noise.

Xavier Gnata (xavier-gnata-gmail) wrote :

Well actually I don't see how to achieve that with the *k*ubuntu installer.
I have created an encrypted partition (on which I installed kubuntu as described in the blog link):
blkid /dev/sda7
/dev/sda7: UUID="c9deed35-610e-4328-b8e7-079e95d43f76" TYPE="crypto_LUKS" PARTLABEL="Linux" PARTUUID="13aac430-9701-4323-810d-53231decca9c"

I reboot on a kubuntu usb key.
The installer offers the "full disk" encryption option, which is not what I want.
Therefore I go for the "manual partitioning", but the installer sees the sda7 partition only as "unknown". If I format /dev/sda7 as ext4, I get an unencrypted ext4 partition and not an ext4 partition encrypted in an lvm.
Maybe I should open the luks container before I launch the installer?
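
Added example, not part of the bug thread: the manual route discussed above ends with writing /etc/crypttab by hand, and that entry must reference the UUID of the LUKS container itself, as blkid reports it for the partition. This shell snippet derives the line from the blkid output quoted in the comment above; the helper names, the `_crypt` mapper-name default and the second sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn one line of `blkid` output into an /etc/crypttab entry.
# crypttab must name the LUKS container's own UUID (TYPE="crypto_LUKS"),
# not the UUID of the LVM volume or filesystem inside it.

# blkid line from the thread (closing quote restored)
SAMPLE_LUKS='/dev/sda7: UUID="c9deed35-610e-4328-b8e7-079e95d43f76" TYPE="crypto_LUKS" PARTLABEL="Linux" PARTUUID="13aac430-9701-4323-810d-53231decca9c"'
# Constructed line for a plain ext4 partition (values are made up)
SAMPLE_EXT4='/dev/sda6: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"'

# blkid_field LINE KEY: print the value of KEY="..." (empty if absent).
# The leading space in the pattern keeps UUID from matching PARTUUID.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# crypttab_entry LINE [NAME]: print "<name> UUID=<uuid> none luks".
# NAME is the hypothetical mapper name; default is "<partition>_crypt".
crypttab_entry() {
    line=$1
    dev=${line%%:*}                      # e.g. /dev/sda7
    name=${2:-${dev##*/}_crypt}          # e.g. sda7_crypt
    fstype=$(blkid_field "$line" TYPE)
    uuid=$(blkid_field "$line" UUID)
    if [ "$fstype" != "crypto_LUKS" ]; then
        echo "refusing $dev: TYPE=${fstype:-unknown}, not crypto_LUKS" >&2
        return 1
    fi
    case $uuid in                        # expect the 8-4-4-4-12 UUID layout
        ????????-????-????-????-????????????) ;;
        *) echo "refusing $dev: no usable UUID" >&2; return 1 ;;
    esac
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

crypttab_entry "$SAMPLE_LUKS"
crypttab_entry "$SAMPLE_EXT4" || echo "(ext4 line rejected, as intended)"
```

The printed line goes into /etc/crypttab of the installed system; on Ubuntu the initramfs then has to be regenerated (`update-initramfs -u`) so the container is unlocked at boot.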

Xavier Gnata (xavier-gnata-gmail) wrote :

Ok it is a feature request but I see it more as a security regression.
It used to be possible to encrypt /home in one click in the installer. This feature does not exist anymore and (I assume that) many users simply gave up and installed an unencrypted (k)Ubuntu.
It is possible to install an encrypted "/" but the howto is not given in the installer.
http://blog.botux.fr/en/2015/09/ubuntu-installation-manual-full-disk-encryption-lvm-on-luks/ is useful but needs to be adapted (no more swap) : it is far from obvious for a standard user.

Xavier Gnata (xavier-gnata-gmail) wrote :

The issue remains unchanged with 19.10.

Changed in ubiquity (Ubuntu):
status: Triaged → Confirmed

Xavier Gnata (xavier-gnata-gmail) wrote :

No progress on this issue in 20.04 beta :(
There is still no way to install an encrypted kubuntu in dual boot without having to deal with the command line. That’s a no go for many users.
I’m not even asking for full encryption. The kubuntu installer should at least be able to install an encrypted kubuntu (even with a non encrypted /boot…) alongside windows on the same disk.

Xavier Gnata (xavier-gnata-gmail) wrote :

Oops, no progress on *20.10 beta* (of course 20.04 wasn't better).

Xavier Gnata (xavier-gnata-gmail) wrote :

No progress on this topic :(
It is still not possible to install kubuntu 20.10 encrypted in dual boot with windows without having to deal with the command line.
This is a security issue as it forces many beginners to go for a non encrypted installation.

Xavier Gnata (xavier-gnata-gmail) wrote :

It might work with the ubuntu installer 20.10 (to be confirmed) but it does not work with the kubuntu installer. By 'it does not work' I mean 'the option is not given'.
One has to create the LUKS, open it, then launch the installer and eventually use chroot to make it work.

Julian Andres Klode (juliank) wrote :

I think the answer there is fscrypt - native encryption at the filesystem level supported by ext4 and some other day - but I'm not sure what the plans are. Partitioning is hard and the requirement to set up a separate /boot and crypt device are not always possible, though it is less of an issue these days with GPT devices.

As I pointed out on another bug report, the goal to dual boot with encryption is not helped much by new devices being sold with BitLocker enabled for the drive, forcing you to disable it in order to install Ubuntu in the first place (one reason I imagine being that the encryption key is sealed to the Windows boot process in the TPM, so there's not a way to decrypt it from another OS, or even Windows booted from a different disk).

That the installer is unable to unlock luks partitions is a bit unfortunate as it forces users to do more steps manually, and makes reinstalling Ubuntu harder on systems where you want to keep /home but replace /; or running multiple distributions in parallel - I've been hit by that as well.

In any case, I understand and share the concerns raised here and will try to raise that internally, as this might also simply have gone out of our radar.

tags: added: rls-hh-incoming
Changed in ubiquity (Ubuntu):
status: Confirmed → Triaged

Xavier Gnata (xavier-gnata-gmail) wrote : Re: [Bug 1799550] Re: No way to encrypt at partition level (dual boot)

Thank you so much for the feedback!

On Wed, 23 Dec 2020 at 00:20, Julian Andres Klode <email address hidden> wrote:

> I think the answer there is fscrypt - native encryption at the
> filesystem level supported by ext4 and some other day - but I'm not sure
> what the plans are. Partitioning is hard and the requirement to set up a
> separate /boot and crypt device are not always possible, though it is
> less of an issue these days with GPT devices.
>
> As I pointed out on another bug report, the goal to dual boot with
> encryption is not helped much by new devices being sold with BitLocker
> enabled for the drive, forcing you to disable it in order to install
> Ubuntu in the first place (one reason I imagine being that the
> encryption key is sealed to the Windows boot process in the TPM, so
> there's not a way to decrypt it from another OS, or even Windows booted
> from a different disk).
>
> That the installer is unable to unlock luks partitions is a bit
> unfortunate as it forces users to do more steps manually, and makes
> reinstalling Ubuntu harder on systems where you want to keep /home but
> replace /; or running multiple distributions in parallel - I've been hit
> by that as well.
>
> In any case, I understand and share the concerns raised here and will
> try to raise that internally, as this might also simply have gone out of
> our radar.

tags: added: rls-hh-notfixing
removed: rls-hh-incoming

Xavier Gnata (xavier-gnata-gmail) wrote :

What's the meaning of this tag?

On Thu, 7 Jan 2021 at 17:41, Brian Murray <email address hidden> wrote:

> ** Tags removed: rls-hh-incoming
> ** Tags added: rls-hh-notfixing

Xavier Gnata (xavier-gnata-gmail) wrote :

I gave the daily kubuntu 21.04 a try : there is no progress on this issue :(

Xavier Gnata (xavier-gnata-gmail) wrote :

Any chance to see some progress on this topic in 21.10?
It should be possible to encrypt / without having to play with the command line, no matter if we are in dual boot or if we are not.
It should be possible to create/open an encrypted LUKS container and to install (k)ubuntu on it without having to use the command line.

Roy Laurie (roy-laurie) wrote :

This is a blocker for me.

I understand, given physical access, how this doesn't fix significant security problems. Regardless, gov is gov, and I want to move forward with Ubuntu Server as a platform.

Can we push this up the queue?

Xavier Gnata (xavier-gnata-gmail) wrote :

I don't know if the new installer will be ready for 21.10.
If that is the case then I do hope it allows encrypted installation with dual boot.
This lack of feature is a blocker.

Xavier Gnata (xavier-gnata-gmail) wrote :

No progress with 22.04.
It is not possible to install 22.04 alongside windows in an encrypted partition without having to use the command line to create/open the luks container.
This bug is more than 3 years old.
It is a severe security issue as many users will end up installing kubuntu on a not encrypted partition.

Xavier Gnata (xavier-gnata-gmail) wrote :

22.10 is approaching.
Any chance to see a fix?
A fix could be based on fscrypt.
Whatever works is fine because this is an old bug preventing non-expert users from installing kubuntu correctly.

Xavier Gnata (xavier-gnata-gmail) wrote :

Some progress in 21.10 :
systemd-homed is included.
Therefore, one can create an encrypted home directory of a new user as follows:
https://wiki.archlinux.org/title/Systemd-homed#fscrypt_directory
However, it seems that the installer is still not capable of setting up an encrypted kubuntu without having to deal with the command line.

Scarlett Gately Moore (scarlettmoore) wrote :

Moved to calamares and this feature will be available in Noble. Better late than never. Sorry for the delay folks.

Changed in ubiquity (Ubuntu):
status: Triaged → Fix Committed

Xavier Gnata (xavier-gnata-gmail) wrote :

Thanks !

Over the years we have opened these bug reports on the same issue:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1947770
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1992439

All of them should be closed when Noble is released.
