Full Disk Encryption (/boot included) - Ubuntu 18.04 LTS

Trying to do "Full Disk Encryption" using LUKS/dm-crypt on Ubuntu 18.04 LTS with "/boot" partition encrypted as well.

I've found this tutorial that explains quite well how to do it with Ubuntu 19.04. After following all the steps multiple times, I can't make it work on my disk.

Each time I reboot, the next boot ends up at the GRUB command line without showing me an error or anything. I tried to load the modules manually in order to boot, but GRUB can't seem to find them.

I tried the same process on Ubuntu 20.04 LTS and noticed no problem. Everything worked perfectly according to the tutorial. (I need to stick to an LTS version.)

I noticed that the GRUB and cryptsetup versions differ between these two releases and that I have to be careful about the LUKS partition type for "/boot". After creating the LUKS partition for "/boot" and dumping the header, everything seems OK.

On Ubuntu 18.04:

GRUB version: 2.0.2
Cryptsetup version: 2.0.2

On Ubuntu 20.04:

GRUB version: 2.0.4
Cryptsetup version: 2.2.2

I've done a lot of research online about my problem, but I didn't find anything that looks like what I'm trying to do, on Ubuntu 18.04 LTS at least. Almost all the information I found was about Ubuntu 19.04 or later.

Do you know if it's possible to encrypt the /boot partition with Ubuntu 18.04 LTS? I can't upgrade to 20.04 LTS.
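The question mentions two things that decide whether GRUB can open an encrypted /boot at all: the LUKS header type of the /boot partition and whether GRUB was installed with cryptodisk support. The script below is an added example, not code from the question or from the linked tutorials. It checks both conditions offline against constructed sample inputs: GRUB 2.02 and 2.04 can only unlock LUKS1 headers (cryptsetup 2.1 and later create LUKS2 by default, so `--type luks1` matters), and `grub-install` only embeds the cryptodisk and luks modules when `/etc/default/grub` contains `GRUB_ENABLE_CRYPTODISK=y`; without it the boot stops at a bare GRUB prompt that cannot find those modules. The device name `/dev/sdX2` in the sample is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the question or the linked tutorials.
# Two offline checks for an encrypted /boot on a GRUB 2.02/2.04 system:
#  1. the /boot LUKS header must be LUKS1 (those GRUB releases cannot
#     unlock LUKS2, and cryptsetup 2.1+ creates LUKS2 by default);
#  2. /etc/default/grub must contain GRUB_ENABLE_CRYPTODISK=y, otherwise
#     grub-install does not embed the cryptodisk/luks modules.
# The inputs below are constructed samples; on a real machine pipe in
# `cryptsetup luksDump /dev/sdXN` (placeholder device name) and the
# contents of /etc/default/grub instead.

# Print "luks1", "luks2" or "unknown" for luksDump output read from stdin.
luks_version() {
    awk '/^Version:/ { v = $2 }
         END { if (v == 1) print "luks1"; else if (v == 2) print "luks2"; else print "unknown" }'
}

# Succeed (exit 0) when the /etc/default/grub text on stdin enables
# cryptodisk support; grub-install only honours the exact value "y".
grub_cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y"?[[:space:]]*$'
}

# Combine both checks: print "ok", or one problem per line.
check_encrypted_boot() {
    dump="$1"
    grubdefault="$2"
    problems=""
    ver=$(printf '%s\n' "$dump" | luks_version)
    if [ "$ver" != "luks1" ]; then
        problems="${problems}/boot header is ${ver}: GRUB 2.02/2.04 need LUKS1 (cryptsetup luksFormat --type luks1)
"
    fi
    if ! printf '%s\n' "$grubdefault" | grub_cryptodisk_enabled; then
        problems="${problems}GRUB_ENABLE_CRYPTODISK=y is not set in /etc/default/grub; set it and rerun grub-install
"
    fi
    if [ -z "$problems" ]; then
        echo ok
    else
        printf '%s' "$problems"
    fi
}

# Constructed sample inputs (layout follows real luksDump output).
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3'

SAMPLE_GRUB_OK='GRUB_DEFAULT=0
GRUB_TIMEOUT=10
GRUB_ENABLE_CRYPTODISK=y'

SAMPLE_GRUB_MISSING='GRUB_DEFAULT=0
GRUB_TIMEOUT=10'

# Usage: a working layout, then the two mistakes that lead to a GRUB prompt.
check_encrypted_boot "$SAMPLE_LUKS1_DUMP" "$SAMPLE_GRUB_OK"
check_encrypted_boot "$SAMPLE_LUKS2_DUMP" "$SAMPLE_GRUB_MISSING"
```

Run it as-is to see the two verdicts; on the machine in question, replace the sample strings with the real `cryptsetup luksDump` output for the /boot partition and the real `/etc/default/grub`. A LUKS2 header on /boot cannot be converted by GRUB, so it has to be recreated as LUKS1 (and /boot restored), while the missing `GRUB_ENABLE_CRYPTODISK=y` only needs the setting plus another `grub-install` and `update-grub`.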

C.S.Cameron
I think I recall getting it working with 18.04 flash drives here: https://askubuntu.com/questions/1086309/how-to-make-bios-uefi-flash-drive-with-full-disk-encryption. The link contains references for full encryption internal drives also.
C.S.Cameron
I see Paddy has also recently updated the official documentation: https://help.ubuntu.com/community/ManualFullSystemEncryption
guiverc
Are you using a QWERTY keyboard, and are you using a Latin/English character set? Don't forget that with an encrypted /boot partition, your chosen language files cannot be read until AFTER you've decrypted the volume, i.e. you need to use a password that your machine BIOS/firmware language & keyboard understand (which is usually English/American) for the password... otherwise you'll end up at grub rescue... (*full disk encryption has its drawbacks*)
paladin
Why do you even want to do this? Let `/boot` remain unencrypted. From security point of view it makes no difference. Or do you have grub installed on a floppy disk?
@paladin It only makes no difference as long as you have Secure Boot enabled and the initramfs and kernel get signed. Is the latter the case with Ubuntu now? At least it didn't use to be that way and I have trouble figuring out what the current status is (for Ubuntu 21.04).
Addendum to my previous comment: [Looks like](https://wiki.ubuntu.com/UEFI/SecureBoot) the kernel *does* get signed but the initramfs does *not*. So encrypting `/boot` seems strictly better than not encrypting it.