I got a new work laptop recently - a Thinkpad Z13. One of the reasons that I picked this one over some other models is that Ubuntu was preinstalled and I want to support that option being widely available.
Work requires their devices to have some lightweight security software installed. One of the few things that it checks is whether disk encryption is enabled.
Unfortunately this error was raised to me and the IT admins for my new laptop. The preinstall was shipped without disk encryption. So I had to throw away the preinstall anyway and reinstall from scratch.
First question - is this the case for all preinstalled Ubuntu models or was it specific to this one?
Assuming the answer to that is that it’s the case for all lines, I think it’d be great to ensure that all Ubuntu preinstalled laptops sold are shipped with encrypted disks. It was a requirement for me but it’s actually good for everyone to have encryption and it should just be standard.
At first I thought this was probably going to be really difficult, because how do you ship a laptop unencrypted and let the user encrypt it with their passphrase later? But then I realised that it’s probably actually quite possible: the laptops could ship with LVM+LUKS enabled and encrypted with a static passphrase. Some part of the first boot process would supply this passphrase, and then part of the initial setup UI would prompt you to change it to your own passphrase.
What do you all think, does that sound possible or did I miss something which makes that unworkable? Would it be feasible to get it on the roadmap for the next LTS which will power the next generation of Ubuntu preinstalls in a couple of years?
Thanks for reading!
p.s.: the landscape here is changing a bit, for example see this presentation from FOSDEM. I think Ubuntu Core is doing similar, and maybe this kind of unlocking (getting the LUKS passphrase from the TPM) will & should replace typing a passphrase into Plymouth eventually. But it seems like it’ll be quite a few years of work to me.
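The first-boot scheme sketched in the post above, as an added example that is not part of the thread or of any Ubuntu installer code: a POSIX sh helper that checks whether / sits on a LUKS layer (the kind of check the work security agent mentioned above performs) and replaces a factory passphrase with the user's own one, verifying the old one no longer unlocks the device. The key file paths and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OEM image ships the static
# factory passphrase in a key file (hypothetical path /etc/oem-factory.key)
# and the user's new passphrase has been written to a second key file.
set -eu

# Return 0 if a device-chain listing (the output of `lsblk -rsno TYPE <dev>`,
# one TYPE per line from the device up to the disk) contains a dm-crypt layer.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Return 0 if the filesystem mounted at / sits on top of LUKS/dm-crypt.
root_is_encrypted() {
    chain_has_crypt "$(lsblk -rsno TYPE "$(findmnt -no SOURCE /)")"
}

# Replace the factory passphrase with the user's own one in the same key slot,
# then confirm the factory passphrase can no longer unlock the device.
#   $1 = LUKS block device, $2 = factory key file, $3 = user's new key file
rotate_factory_passphrase() {
    dev=$1 old=$2 new=$3
    cryptsetup luksChangeKey --key-file "$old" --new-keyfile "$new" "$dev"
    # --test-passphrase checks a key without mapping the device; the old key must fail
    if cryptsetup open --test-passphrase --key-file "$old" "$dev" 2>/dev/null; then
        echo "factory passphrase still unlocks $dev" >&2
        return 1
    fi
    # and the new key must succeed before we drop the factory key file
    cryptsetup open --test-passphrase --key-file "$new" "$dev"
    rm -f "$old"   # the static key is identical on every unit; the slot is what mattered
}
```

Run `root_is_encrypted && echo encrypted` to reproduce the agent's check; `rotate_factory_passphrase` needs root and a real LUKS device.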
At least one OEM (kfocus.org) ships Kubuntu-based systems with FDE as an option (and enabled by default). I personally use their XE Gen 1 laptop as my daily driver. The laptops come with a static passphrase and a setup wizard prompts the user to change it when you first get set up.
I think it would be a bad thing to force disk encryption on users - disk encryption adds some CPU overhead which may be detrimental in some instances (possibly when doing low-latency audio work), and depending on the system’s setup it might even present a bottleneck that doesn’t allow the user to get all of the speed out of their disks (for instance if using two 7000 MBps NVMe disks in RAID0). It should definitely be an option, but it should always be an option, not a rule. kfocus.org allows you to select “No Encryption” when you order a laptop, if you don’t want it enabled.
But it’s also annoying to have disk encryption disabled by default and not allow the user to enable it, since some of us want or even need it. Maybe FDE can be made default with the option of disabling it, or perhaps the option to enable it can be made quite a bit more obvious rather than hiding it under an “Advanced options” button.
Some people might not need LVM+LUKS to get full disk encryption. If an SSD is advertised as having hardware encryption/TCG/Opal then all you need to do is set a “disk password” in the BIOS. Though you’re trusting the SSD/BIOS manufacturers more than Ubuntu there, so maybe do both if you want maximum security.
Cheers @arraybolt3 and @vanvugt, fair points.
I believe (haven’t tried it) that decryption is supported with something like cryptsetup reencrypt --decrypt, so it should be feasible to turn that off in a similar way with an appropriately presented option.
Regarding hardware encryption, it seems like something the particular vendor would work out with the Canonical OEM team on a case by case basis. Personally I prefer doing it in the OS because I’m worried about losing data if the laptop breaks but maybe there are mitigations available. Also there have been a few choice security incidents with hardware encryption in the past and having it software side puts the quality of the security in the hands of the OS vendor and the OSS community. I believe BitLocker uses software encryption by default mainly for that latter reason (modulo being open source).
Finally, yes, this applies to the installer if you are installing the OS for yourself too. Just trying to make a similar case here for preinstalls.
“If you purchase a preinstalled laptop”: Contact the vendor before purchase and specify that the laptop will be a custom preinstalled laptop; these are the customer order requirements. Usually the vendor will comply with the customer request for a custom order, i.e. an encrypted SSD.