Score:1

LUKS Full Disk Encryption including /boot partitions in preseeded installation

cn flag

I'm attempting to bring a BitLocker-esque experience to users in my Ubuntu environment. I have a preseeded Ubuntu 20.04 installation I deploy that currently has a working disk encryption scheme on root and other file systems. /, /var, /usr, /swap and /home are all in an LVM volume group with LUKS enabled and unlocking automatically via clevis. I would like to also encrypt the grub/boot partitions, and at this time I'm able to successfully move/copy the boot partition to the LVM and encrypt it, or just convert it into a LUKS-enabled partition outside of the LVM.

However, this results in grub not prompting for a password and being unable to load at boot; I'm assuming this is due to the disk still being locked at boot. Is there some intermediate step (bootloader?) that should be loading the encrypted grub partition and unlocking it? Is EFI/Secure Boot required to accomplish this, or can an encrypted boot partition be used with a legacy BIOS?

I've been following this guide here to copy/move the boot partition into an encrypted partition. When the guide was originally written it looks like grub only supported LUKS1-encrypted partitions; however, it appears that LUKS2 support has been added?

I appreciate any guidance.

UPDATE

After a bit more investigation I'm finding that I get prompted with a password during boot if I only encrypt the /boot partition and leave the partition with /boot/efi unencrypted.

My disk layout looks like this now.

lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/nvme0n1
NAME                        FSTYPE      MOUNTPOINT
nvme0n1                                 
├─nvme0n1p1                 vfat        /boot/efi
├─nvme0n1p2                 crypto_LUKS 
│ └─boot_crypt              ext4        /boot
└─nvme0n1p3                 crypto_LUKS 
  └─nvme0n1p3_crypt         LVM2_member 
    ├─encrypted--lvm-root   ext4        /
    ├─encrypted--lvm-var    ext4        /var
    ├─encrypted--lvm-swap_1 swap        [SWAP]
    ├─encrypted--lvm-tmp    ext4        /tmp
    └─encrypted--lvm-home   ext4        /home

Should I encrypt the EFI partition? Or is it necessary for it to be unencrypted to unlock the partition containing grub? Does this prevent any potential 'evil maid' attacks? Or is there some potential security flaw still open especially if secure boot is not currently enabled?
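The layout above and the LUKS1-vs-LUKS2 question can both be checked without booting. The script below is an added example written for this answer; it is not from the question or from any of the linked guides. It encodes three preconditions for GRUB unlocking an encrypted /boot: `GRUB_ENABLE_CRYPTODISK=y` must be set (and `grub-install` re-run) so the cryptodisk modules land in the core image; the LUKS header must be LUKS1, or LUKS2 with at least one PBKDF2 keyslot, because GRUB's LUKS2 support (2.06 and later) cannot derive keys with the argon2id PBKDF that cryptsetup uses by default; and the ESP must stay plain vfat, since the firmware reads it before GRUB runs. Every input is constructed sample text standing in for real `/etc/default/grub`, `cryptsetup luksDump` and `lsblk -o NAME,FSTYPE,MOUNTPOINT` output; on a real machine you would feed it the live output instead.

```shell
#!/bin/sh
# Added example, not code from the question or the linked guides: offline
# checks for what GRUB needs before it can unlock a LUKS-encrypted /boot.
# All inputs below are constructed sample text standing in for the real
# output of `cat /etc/default/grub`, `cryptsetup luksDump <dev>` and
# `lsblk -o NAME,FSTYPE,MOUNTPOINT`.

# 1. GRUB only carries the cryptodisk/luks modules in its core image when
#    GRUB_ENABLE_CRYPTODISK=y is set and grub-install is re-run afterwards.
grub_cryptodisk_enabled() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y"
}

# 2. GRUB opens LUKS1 headers and, from GRUB 2.06, LUKS2 headers, but its
#    LUKS2 code only derives keys with PBKDF2. cryptsetup defaults LUKS2
#    keyslots to argon2id, so /boot needs a keyslot made with --pbkdf pbkdf2.
luks_grub_compatible() {
    dump=$1
    version=$(printf '%s\n' "$dump" | awk '/^Version:/ { print $2; exit }')
    case "$version" in
        1)  echo "LUKS1 header: GRUB can unlock it"; return 0 ;;
        2)
            if printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*PBKDF:[[:space:]]*pbkdf2'; then
                echo "LUKS2 header with a PBKDF2 keyslot: GRUB 2.06+ can unlock it"
                return 0
            fi
            echo "LUKS2 header with only argon2 keyslots: GRUB cannot unlock it"
            return 1 ;;
        *)  echo "not a recognised LUKS header"; return 2 ;;
    esac
}

# 3. The firmware reads the ESP itself, so /boot/efi must stay plain vfat;
#    /boot must be the filesystem directly inside a crypto_LUKS container,
#    i.e. the line right after a crypto_LUKS line in lsblk's tree.
layout_supports_encrypted_boot() {
    efi_fs=$(printf '%s\n' "$1" | awk '$NF == "/boot/efi" { print $(NF-1); exit }')
    if [ "$efi_fs" != "vfat" ]; then
        echo "/boot/efi is '$efi_fs', expected an unencrypted vfat ESP"; return 1
    fi
    if ! printf '%s\n' "$1" | awk 'prev == "crypto_LUKS" && $NF == "/boot" { ok = 1 } { prev = $NF } END { exit !ok }'; then
        echo "/boot is not inside a crypto_LUKS container"; return 1
    fi
    echo "ESP unencrypted and /boot inside LUKS: layout is usable"
}

# Constructed samples (abridged, not real machine output).
SAMPLE_GRUB_OK='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_ENABLE_CRYPTODISK=y'
SAMPLE_GRUB_MISSING='GRUB_DEFAULT=0
GRUB_TIMEOUT=5'
SAMPLE_DUMP_LUKS1='LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256'
SAMPLE_DUMP_ARGON='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4'
SAMPLE_DUMP_PBKDF2='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000'
SAMPLE_LSBLK='NAME                        FSTYPE      MOUNTPOINT
nvme0n1
├─nvme0n1p1                 vfat        /boot/efi
├─nvme0n1p2                 crypto_LUKS
│ └─boot_crypt              ext4        /boot
└─nvme0n1p3                 crypto_LUKS
  └─nvme0n1p3_crypt         LVM2_member
    ├─encrypted--lvm-root   ext4        /'
SAMPLE_LSBLK_PLAIN='NAME        FSTYPE      MOUNTPOINT
sda
├─sda1      vfat        /boot/efi
├─sda2      ext4        /boot
└─sda3      crypto_LUKS'

# Stand-alone demo over the samples; each check prints its verdict.
for d in "$SAMPLE_DUMP_LUKS1" "$SAMPLE_DUMP_ARGON" "$SAMPLE_DUMP_PBKDF2"; do
    luks_grub_compatible "$d" || true
done
layout_supports_encrypted_boot "$SAMPLE_LSBLK" || true
grub_cryptodisk_enabled "$SAMPLE_GRUB_OK" && echo "GRUB_ENABLE_CRYPTODISK is set" || true
```

On a live system the same functions take `"$(cat /etc/default/grub)"`, `"$(sudo cryptsetup luksDump /dev/nvme0n1p2)"` and `"$(lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/nvme0n1)"`; a preseed late_command can run them after `grub-install` to fail the build instead of shipping a machine that hangs at boot.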

sudodus
jp flag
Maybe the following link can help you: [Manual Full System Encryption has been updated and simplified](https://ubuntuforums.org/showthread.php?t=2399092)
cn flag
@sudodus thank you, that does help fill in a few blanks. It looks like there are a few different guides linked through out that forum post and even a maze of additional guides further down the rabbit hole that I'll need to dig through. One issue with the most top level guides I'm seeing is they're written with the assumption that the disk would be setup using a live-cd. I'm currently deploying workstations with foreman using the netboot image and automating the installation with preseeding. I want to be able to install with zero user input after a tech has booted into a discovery image.
cn flag
So after a bit more investigation I'm finding that I get prompted with a password during boot if I only encrypt the /boot partition and leave the partition with /boot/efi unencrypted.