Desktop-like FDE in Ubuntu Server

I was happy to see FDE support with TPM2 in Ubuntu 23.10 Desktop, but need the same for Ubuntu Server.

There doesn’t seem to be an easily searchable description of how that works and how to replicate it manually. I’m fine installing the default installation and then switching to FDE, I just need to know how to do it in a way that is aligned with Ubuntu’s direction.

The goal is to have a minimal ESP partition and an encrypted BTRFS root partition with everything else. No swap, no separate /boot, etc.

I tried to install Ubuntu Desktop 23.10.1 (and updated installer to the latest in the process), but installation failed in KVM on Ubuntu 22.04 Desktop (used libvirt), so I don’t know how to look into what it does at least after the fact.

Theoretically systemd-cryptenroll should make things fairly straightforward, but there don’t seem to be guides using it for Ubuntu with full encryption and a unified kernel image to get rid of /boot.

2 Likes

So the desktop FDE approach is based on Ubuntu Core, using snapd and kernel and gadget snaps to ship kernels and boot loaders and configure them, and it has very specific requirements for the partition layout, so converting is um well I guess in theory possible, but seems hard to do in practice.

Kernels and initrds are shipped as combined UKIs, which are verified using secure boot, they are not part of the encrypted partition and regardless, nothing in the encrypted partition is authenticated anyhow (encryption only ensures nobody can read your data, not that they can’t modify the data you read).

systemd-cryptenroll is an entirely separate mechanism which is entirely unsupportable as we do not use systemd in the initrd, and regardless, you’d have no way to verify the initrd.

It may be possible to install server in desktop FDE mode as both use the same installer under the hood, however I have not tried and I would not encourage it. I do not believe that you’ll have any choice over the partition layout or the file system however.

Well, there is https://blastrock.github.io/fde-tpm-sb.html and my understanding is that by generating my own keys and adding them to Secure Boot (in addition to or in place of the default ones), it is possible to generate and sign a UKI each time the kernel is updated, and then verify that this specific kernel with its specific configuration has started during boot before decrypting the root partition. With LUKSv2, authenticated encryption is used, so it shouldn’t be possible to modify the encrypted data without it being noticed.

All of this stuff is not new and it is unfortunate that Ubuntu doesn’t make it trivial to use yet. My expectation was that FDE in Ubuntu 23.10 would help with that, but if it only does it for a very narrow use case it probably isn’t a good fit here indeed. It would have been nice if it were though.

1 Like

Managed to get Ubuntu Server with UKI using https://blastrock.github.io/fde-tpm-sb.html

Had to do the following:

  • installed Ubuntu Server with / (btrfs in my case), /boot (ext4) and /boot/efi (ESP)
  • pulled ukify from Debian’s package (Bug #2031898 “Enable / include ukify” : Bugs : systemd package : Ubuntu) and installed the corresponding dependencies
  • extracted /usr/lib/systemd/boot/efi/linuxx64.efi.stub from my desktop system; not sure why it wasn’t present on the freshly installed server, but ukify didn’t like that
  • installed https://github.com/Foxboron/sbctl to manage Secure Boot keys instead of the scary scripts the article suggested (would be nice to have it packaged in Ubuntu)
  • somewhat followed the instructions, modulo the above differences due to being on Ubuntu
  • once I had everything working except LUKS, I added another disk to the system
  • added the new disk to the root btrfs file system, removed the old disk, formatted the old disk with LUKS, added a key, opened it, added the corresponding /dev/mapper/x to the file system, and removed the new disk as it was no longer necessary. After updating the initramfs I’ve got the UKI booting, and grub still works too as a fallback, but it requires the password to be typed explicitly for unlocking

So yeah, not that many moving parts actually, yet no automation exists in Ubuntu to do that; even installing btrfs on top of LUKS is not supported right now in the installer.

1 Like
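After following the steps above (build a UKI with ukify, sign it with sbctl, point it at the LUKS-backed root), the check a practitioner wants is whether the file that actually landed on the ESP embeds the expected kernel, initrd and command line, and whether it carries an Authenticode signature at all, since an unsigned UKI is exactly what Secure Boot with custom keys will refuse. The inspector below is an added example, not code from this thread or from the blastrock article or the systemd project; it parses the PE/COFF headers of a UKI with only the Python standard library, reads the standard UKI section names (`.linux`, `.initrd`, `.cmdline`, `.osrel`) and tests the IMAGE_DIRECTORY_ENTRY_SECURITY data directory for a certificate table. The `build_sample_pe` helper and its section contents are constructed here so the script runs offline; the hypothetical `root=/dev/mapper/cryptroot` command line is an assumption matching the /dev/mapper/x device mentioned in the post.

```python
import struct
import sys

FILE_ALIGN = 0x200
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel")  # section names defined by the UKI spec


def _pe_offsets(data: bytes):
    """Return (pe_off, opt_off, number_of_sections, optional_header_size) or raise."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    return pe_off, pe_off + 24, nsec, opt_size


def pe_sections(data: bytes) -> dict:
    """Map each section name to its raw bytes (VirtualSize wins over padded SizeOfRawData)."""
    _, opt_off, nsec, opt_size = _pe_offsets(data)
    table = opt_off + opt_size
    out = {}
    for i in range(nsec):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        size = min(vsize, raw_size) if vsize else raw_size
        out[name] = data[raw_ptr:raw_ptr + size]
    return out


def has_authenticode_signature(data: bytes) -> bool:
    """True when data directory 4 (SECURITY) points at a non-empty certificate table."""
    _, opt_off, _, _ = _pe_offsets(data)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    pe32plus = magic == 0x20B
    num_dirs = struct.unpack_from("<I", data, opt_off + (108 if pe32plus else 92))[0]
    if num_dirs < 5:
        return False
    dd_off = opt_off + (112 if pe32plus else 96) + 4 * 8
    file_off, size = struct.unpack_from("<II", data, dd_off)  # security entry is a file offset, not an RVA
    return file_off != 0 and size != 0


def check_uki(data: bytes) -> dict:
    """Summarise what a defender cares about: sections present, root device, signature."""
    secs = pe_sections(data)
    cmdline = secs.get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace")
    tokens = cmdline.split()
    root = next((t.split("=", 1)[1] for t in tokens if t.startswith("root=")), None)
    luks_hinted = (root or "").startswith("/dev/mapper/") or any(t.startswith("rd.luks.") for t in tokens)
    return {
        "missing": [s for s in UKI_SECTIONS if s not in secs],
        "root": root,
        "luks_hinted": luks_hinted,
        "signed": has_authenticode_signature(data),
    }


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(sections: dict, signed: bool) -> bytes:
    """Constructed minimal PE32+ image with the given sections; the 'signature' is a zero blob placeholder."""
    opt_size = 112 + 16 * 8                       # PE32+ optional header with 16 data directories
    pe_off = 0x40
    headers_end = _align(pe_off + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), headers_end, 0x1000
    for name, payload in sections.items():
        raw_size = _align(len(payload), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(len(payload), 0x1000)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, raw_ptr, 64)  # certificate table appended after sections
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(headers_end, b"\0") + bytes(body)
    return image + (b"\0" * 64 if signed else b"")


# Constructed sample standing in for a UKI built by ukify with a LUKS-backed btrfs root.
SAMPLE_SECTIONS = {
    ".osrel": b"ID=ubuntu\nVERSION_ID=\"23.10\"\n",
    ".cmdline": b"root=/dev/mapper/cryptroot rootflags=subvol=@ rw\0",
    ".linux": b"\x7fELF-kernel-placeholder",
    ".initrd": b"initrd-placeholder",
}

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_SECTIONS, signed=True)
    print(check_uki(blob))
```

Run it against the real file as `python3 uki_check.py /boot/efi/EFI/Linux/<your-uki>.efi`; a non-empty `missing` list or `signed: False` means the build or sbctl signing step did not produce what the boot chain expects. Note that the signature check only confirms a certificate table is present; whether the signer is in your enrolled db is what `sbctl verify` tells you.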