Hello.
I have a longterm tradition to install linux desktops on encrypted root filesystems (/boot folder included). I have recently installed CachyOS in this manner, and it managed to create a working installation with proper encrypted rootfs using LUKS2/Argon2id (since GRUB v2.14 now supports LUKS2 and Argon2 PBKDF). I’ve been trying to install Kubuntu 26.04 LTS in a similar manner, and since it also uses the Calamares installer, I was under the impression that this was a supported feature. Apparently, it’s not.
These steps work on CachyOS, but result in a broken installation on Kubuntu 26.04:
- Boot into the installation image and run Calamares installer
- Proceed until asked for disk partition setup
- Choose manual partitioning
- Choose an empty drive, create a new GPT disk label
- Create new partition (size 512 MB), format it as fat32, label it “ESP”, enable the boot flag, set the mountpoint to “/boot/efi”
- Create new partition (rest of disk), format it as ext4, label it as “rootfs”, tick the “Encrypt” checkbox, provide a password, set mountpoint as “/”
- Proceed with installation
- (Kubuntu) If installation fails due to failed closing cryptmount, ignore it. System installed fine. For some reason the installer thinks it cannot close an already closed cryptomount.
- Reboot
Because the installed grub EFI binary does not include support for luks2 or argon2id, the system will fail to decrypt the LUKS2 volume and drop to a rescue shell instead. Looks like the developers forgot to include support for LUKS2/Argon2 in the signed grub EFI binary despite the fact that grub v2.14 now fully supports them. There is also evidence that they are even looking in the opposite direction (@Lantizia, did you solve your issue?), so it seems like (at least at the moment of this writing) we are somewhat out of luck.
The only other way is to use the unsigned binary and drop secure boot altogether (or perform custom SB configuration). The Kubuntu installer defaults to grub-efi-amd64-signed package, and I have not been able to find a way to have it switch to grub-efi-amd64-unsigned. I managed to partially fix my installation by chrooting into it from another system and manually fixing some things.
Make sure /usr/sbin is in PATH before executing any commands in the chroot environment. First I did a “rm -rf *” in the /boot/efi/EFI folder. Then, I installed grub-efi-amd64-unsigned package (you may need to fix the network before apt starts working - add a “nameserver 8.8.8.8” line at the top of /etc/resolv.conf file and save it). Running “grub-install --no-uefi-secure-boot” then seemingly installs the correct grubx64.efi binary with proper support for luks2/argon2id. I verified this by booting from it, and the password prompt now showed up and decrypted properly, but there are more problems. It seems I also had to fix the crypttab because it was missing the keyfile.
luks-<your-uuid-here> UUID=<your-uuid-here> none luks,keyscript=/bin/cat
Replace the “none” keyword with “/crypto_keyfile.bin” in your /etc/crypttab, save, then “update-initramfs -u”. This will result in a bootable Kubuntu installation with encrypted /boot folder. I have however not been able to find a way to switch the system from using the signed grub image to the unsigned one. The system still defaults to the signed image. This means that the unsigned image will inevitably get overwritten by a package update the next time grub-install is executed. Trying to uninstall grub-efi-amd64-signed package fails because another package (shim-signed) apparently depends on it. Trying to uninstall shim-signed also fails because it is apparently an essential package that cannot be removed. There is also no easy way to install the system without a bootloader, so that it may be installed manually later on.
Basically, I’m stuck at this point and unsure how to proceed from here on.
Does anyone know how to make the system use unsigned grub binary by default?
