Full Disk Encryption, without LVM, by default - Call for comments

Historically Desktop / Server, only configured LUKS full disk encryption with an LVM layer. Thus ones root ext4 filesystem was an LVM volume, on an VG group, on LUKS, on a GPT partition.

The upcoming Ubuntu Core 20 has full disk encryption with TPM support. In that configuration ext4 filesystem is created directly on the LUKS volume which is directly on a GPT partitition.

For the upcoming HH 21.04 release, I want to change Desktop/Server, to also install in a similar fashion. Specifically such that by default, we simply use ext4+LUKS without LVM.

It seems to me that despite having LVM layer, it’s not actually used or appreciated much.

Would you be ok with having full-disk encryption without LVM by default?

8 Likes

Users always complain about the lack of the option that they DON’T have; they don’t usually give praise for the thing they’re using which just works.

As a user, I would conisder full disk encryption without some kind of volume management (either LVM or ZFS) to be unusable and would never use that install option.

1 Like

there have been many complaints about inability to do dual-boot & full disk encryption.

Thus, I am pondering to start allowing that, when the drive is GPT, as we no longer have constraints on creating many additional partitions to make FDE work with GPT and dual boot.

For the great majority of desktop use cases using 1 big partition on a single disk I just don’t see the point of LVM. On a desktop system LVM has never helped me, but does add complexity.

As long as their is still an option for LVM, I don’t really see an issue. If you have multiple disks - LVM, ZFS, btrfs, etc are going to be more useful for you - but you will have to customize them more yourself anyway.

1 Like

What happens when we have full disk encryption ? People won’t be able to steal our data if they gets their hands on our HDD ? If OS got corrupted, will it shut the owner out as well ?

Ok, we have OS Disk Enc. , we cannot care if somebody mount external usb drive, external hdd, or partition that not belongs the main OS. If somebody has dual boot (windows and Ubuntu for example), he can use bitlocker for Windows and LUKS for ubuntu. This is FDE again?

Dual boot with disk encryption would be very welcome, especially now that ecryptfs was removed. I know an office of around 15 people where they are now mostly on OPAL-only level of security. They have never really needed Windows but since only expensive XPS 13 is available here with Ubuntu pre-installed, they have needed to buy laptops that include a Windows license, so they have kept it resized to minimum just in case there would be an use.

Personally I’ve disliked LVM as unneeded layer to an extent that I’ve done my own installations without encryption, to not get LVM, and used luksipc (https://www.johannes-bauer.com/linux/luksipc/) to convert them to LUKS. Likewise I’ve used luksipc for my two XPS 13s that shipped with Ubuntu but without encryption.

As usual though, some might think completely opposite.

2 Likes

Would it have helped if our Preinstall Ubuntu shipped with a LUKS layer, and effectively no password, such that, one can invoke “re-encrypt + change passphrase” to activate full disk encryption?

Yes, sounds optimal to me. I’d be happy to use official, supported pre-install Ubuntu as such, for a completely tinker free experience. That is also why I didn’t install a clean non-OEM install on my XPS 13s but used the pre-install just converted into encrypted one.

1 Like

Lubuntu is doing FDE without LVM and I don’t remember anyone complaining about the lack of LVM. Personally I am not against the idea. But I would prefer to have the choice of using FDE with or without LVM.

Could you please elaborate on more detail, what you mean with FDE? I guess, you don’t plan to encrypt /boot as well? Or do you plan to give the user the choice of encrypting /boot?
Lubuntu is encrypting the /boot, but it has some downsides:

  • keyboard layout is en_US only
  • unlocking is very slow
  • LUKS1 is needed
  • either put the key into initramfs or enter the passphrase twice

And what about TPM? I made the experience, that on Windows 10, Bitlocker and TPM, the device was unlocked automatically at boot. I had to modify a group policy to enforce the passphrase at boot.
What is the desired behaviour in this case?

1 Like

I keep my machine unencrypted because I have a disk for / and another disk for /home. Would be nice to have a way to use encryption on this scenario and I think use EXT4 native encryption could be a step on the right way.

mhalano, you can successfully do this now (although not automatically) by adding your extra encrypted volumes to etc/crypttab.

I do agree that more flexibility for multi-volume systems would be welcome, and encryption post-install (without lots of manual work) would benefit Ubuntu desktops greatly as well, as other OS’es have this functionality. I don’t mind how LVM fits into this bigger picture, though, so long as it’s all “done right” (and if that takes time, so be it).

and you encrypt one but not another? But a lot of user-personal information leaks from /home to /. For example, all of /var/log/journal/*/user-*.journal files have lots of personal identifying information and imho should be encrypted, if /home is encrypted.

Why use a second LUKS container? You can use the same LUKS container with several partitions or logical volumes inside.

I keep both disks unencrypted. My main concern is about re-installation. I would like to be able to reinstall the OS form time to time (major problems or new versions, doesn’t matter) but keep the /home disk unchanged, just add the disk (encrypted) as /home during the installation process. Do this is quite tricky if I want to have the /home disk un-encrypted automagically during boot process (so I just to have ot decrypt / disk).

Do you know where I can find documentation about it?

Over in AskUbuntu, we see a lot of forgotten-password, data-recovery, share-partition-with-another-OS, need-to-reinstall-without-overwriting-data and similar funky edge cases.

So a pre-installed LUKS layer, from my perspective, should be inert (no encryption) until activated by the user. I think you meant that, but I wanted to make it very clear.

I’m in favor of dropping the dependency: Most folks who show up in AskUbuntu don’t understand what LVM is nor why it’s there. They think that it’s something-to-do-with-encryption, which they checked the box for during install. After that, it’s just part of the magic. For these users, LVM gets in their way when they want to re-partition or re-install, especially our many dual-booters.

1 Like

I would like this to be an option, specially if it allows for easier handling of dual-boot systems (but still leaving the other options available, of course)

Also while we are on this topic I would also like to see an option in the installer to encrypt the home partition using fscrypt (native ext4 encryption) and swap. I’ve been using that method and it’s so seamless that I think it would be a good idea to implement an option for that in the installer.

2 Likes

I am not sure, what kind of documentation your are looking for. Personally, I like the documentation of Arch Linux, which shows several types of FDE, but is not really written for beginners.

But I see now, that your partitions are on two different disks. That is something I don’t have tried. In this case, you could either create two LUKS containers or use LUKS on LVM.

I’m doing some tests and eliminate LVM seems a good idea. I would like to see an option in the Ubiquity to use LUKS with EXT4, so I can set my primary drive as / formatted with EXT4+LUKS and my secondary drive as /home also formatted with EXT4+LUKS. BTW, EXT4+LUKS seems supported by GNOME Disks utility. I just would like to encrypt both my disks with a lot work, just basic configurations.

The problem with two LUKS containers is link them so I can insert the passphare just once during boot.

For this cycle I will use unencrypted drives again (it’s a laptop but I don’t travel with it). I will try the solution developed on the next cycle.

I also recommend considerate about fscrypt. May be if GRUB has support for it would be able to encrypt all the disk (no separate /boot partition).

Also I strongly advise agains a separate partition for swap. Swap as a file is a pretty neat solution right now so would be cleaner if it uses it also with encryption (tosay with LVM a separate partition is created).

When you have a solution please let us know so I can test it.