Firstly, congrats on the great work; Kubuntu gets better each release. My rant, though, is about the full disk encryption install and why it does not behave as described here where the bootloader also gets encrypted so the passphrase for the key is required for the bootloader to load. Lubuntu's FDE install behaves as described, but Kubuntu does not. I'm sure there's a reason for this that I'm ignorant of. Thanks for any insights and again for the good work.
-
-
In the link cited, did you note the following?
LUKS Encrypt
The default LUKS (Linux Unified Key Setup) format (version) used by the cryptsetup tool has changed since the release of 18.04 Bionic. 18.04 used version 1 ("luks1") but more recent Ubuntu releases default to version 2 ("luks2"). GRUB only supports opening version 1 so we have to explicitly set luks1 in the commands we use or else GRUB will not be able to install to, or unlock, the encrypted device.
Note: as of October 2021 and Ubuntu 21.10 GRUB still does not yet support installing to luks2 containers. It can read luks2 (although with several strict limitations, and subject to some bugs decoding UUIDs) but grub-install via grub-probe cannot recognise a luks2 device and therefore cannot correctly install into luks2 containers.
In summary, the LUKS container for /boot/ must currently use LUKS version 1 whereas the container for the operating system's root file-system can use the default LUKS version 2.Using Kubuntu Linux since March 23, 2007
"It is a capital mistake to theorize before one has data." - Sherlock Holmes
-
Yes, I manually installed Kubuntu 21.10 (and reinstall of 20.04) using those FDE instructions and encrypted my /boot using luks1. My Kubuntu installs now have the bootloader encrypted. The encrypted install for Kubuntu should do this by default, like Lubuntu does.Originally posted by Snowhog View PostComment
Comment