[Autoinstall] Getting back FDE and btrfs with Subiquity. Looking for after-format hooks

Hi,
I’m trying to get back Full Disk Encryption (without separate /boot partition) for btrfs subvolume installation.
For that purpose I’m using autoinstall.yaml with custom partitioning.

The first challenge is to find the right moment to add echo "GRUB_ENABLE_CRYPTODISK=y" >> /target/etc/default/grub
It seems that late-commands: is too late - curtin throws an error: attempt to install to encrypted disk without cryptodisk enabled.
Are there any hooks that can be used for that?

The 2nd problem is finding a hook right after formatting is completed. I need to configure the correct subvolumes for the btrfs root.

I’m fairly certain you’re trying to do something that’s not supported. subiquity and ubuntu-desktop-bootstrap (the graphical frontend) require a separate /boot as it needs to load the kernel into RAM to have the plymouth boot screen to do the prompt for the password. It’s nearly 100% certain it doesn’t have that mechanism to implement decryption via GRUB and implements it via Plymouth, which requires the kernel to be loaded.

I do allow myself to be wrong, but I’m the person that implemented ubuntu-desktop-bootstrap on two different flavors of Ubuntu (Edubuntu and Ubuntu Studio), and was instrumental in the implementation in Ubuntu MATE and Ubuntu Cinnamon.

calamares is the only installer I know of that does full-disk encryption with an encrypted /boot, but I don’t know if it can be automated in the same way.

Well, in my understanding it’s grub’s job to decrypt the kernel; next, the kernel itself has to be aware of decryption.
There are some rocks on the road too: grub is not compatible with LUKSv2 Argon2id.

Anyway, to somehow deal with it I need to hook in before grub install, and to tune btrfs it is better to jump in right after FS formatting.

Is it possible to hook something “after formatting” in the install process?

Upd:
I think FDE is something I can skip, but there is still the btrfs tuning problem.

Only if it’s set up to do so, and only if /boot, where the kernel lies, is encrypted. subiquity does not handle this kind of setup and, instead, places the job of decryption of the / volume on the kernel with Plymouth doing the prompting.

As I understand it, to both questions, no.

The installer doesn’t even fully support btrfs, so that’s something that would have to be handled post-install. The Ubuntu Foundations team has historically gone the route of zfs instead.

Yes, my understanding is that the grub module has to decrypt root first. It requires some post-install actions.
The problem is that I can’t do a post-install action, because the installer fails before late-commands with the attempt to install to encrypted disk without cryptodisk enabled error message and a proposition to add "GRUB_ENABLE_CRYPTODISK=y" to /etc/default/grub.

That is a kind of deadlock, so I need to take control over the installation before grub-update is invoked.

Ok, btrfs was relatively easy to script in autoinstall.yaml.
And FDE seems to be impossible due to lack of hooks :frowning: