------- Comment From [email protected] 2018-09-05 03:53 EDT-------

Addl. information:

You cannot encrypt the boot partition -- after all, there must be code to open an encrypted partition.

You can encrypt the root partition. In order to do so, the code in the boot partition must open the root partition, i.e. the initrd or initramfs contains code to issue the cryptsetup open/luksOpen commands for the root partition before the chroot command.

With LUKS/LUKS2 you must provide a pass phrase. On PCs that is asked for interactively (possibly derived from the password) -- somehow Canonical does this with their Ubuntu distributions today.

With protected key crypto (PAES) you need not protect a pass phrase. With dm-crypt plain mode you can use a secure key stored somewhere in the initrd/initramfs, or with LUKS2 you can simply store the pass phrase in a file in the initrd/initramfs, because the security of the disk key is protected by the HSM (CryptoExpress card) and does not depend on being wrapped by a secret pass phrase.

Note: before a system tries to use PAES it should verify that a CCA coprocessor (CEXnC adapter) is available.
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1766865

Title:
  [18.10 FEAT] Installer support for protected key dm-crypt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1766865/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
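The comment above describes two checks an initramfs should perform before relying on protected key (PAES) dm-crypt: confirm a CCA coprocessor (CEXnC adapter) is present, and only then issue the cryptsetup open for the root device using a key file shipped in the initramfs. The script below is an added illustration of that sequence and is not code from the bug report or from Ubuntu's installer. It assumes the s390 AP bus exposes adapters under /sys/bus/ap/devices/card*/ with a `type` attribute holding a string such as "CEX6C" (trailing C meaning CCA coprocessor) and an `online` attribute; the sysfs root is a parameter so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example for an initramfs hook; not from the bug report or Ubuntu.
# Assumption: AP adapters appear as $AP_SYSFS/cardNN/ with a "type" file
# (e.g. "CEX6C", "CEX5A") and an "online" file ("1" when usable).

AP_SYSFS="${AP_SYSFS:-/sys/bus/ap/devices}"

# Return 0 if at least one online CCA coprocessor (type CEXnC) is present
# under the given sysfs directory (defaults to AP_SYSFS).
has_cca_coprocessor() {
    dir="${1:-$AP_SYSFS}"
    for card in "$dir"/card*; do
        [ -r "$card/type" ] || continue
        t=$(cat "$card/type")
        case "$t" in
            CEX[0-9]C)
                # An offline coprocessor cannot unwrap the secure key.
                if [ -r "$card/online" ]; then
                    [ "$(cat "$card/online")" = "1" ] || continue
                fi
                return 0 ;;
        esac
    done
    return 1
}

# Open the encrypted root device with a key file from the initramfs,
# but only after confirming a CCA coprocessor is available, as the
# comment recommends. Usage: open_root /dev/dasda2 cryptroot /etc/root.key
open_root() {
    dev="$1"; name="$2"; keyfile="$3"
    if ! has_cca_coprocessor; then
        echo "no online CCA coprocessor (CEXnC); not opening $dev" >&2
        return 1
    fi
    cryptsetup open --type luks2 --key-file "$keyfile" "$dev" "$name"
}
```

Failing closed when no coprocessor is online is the important part: falling back to an interactive pass phrase prompt would silently change the security model the comment describes, where the disk key is protected by the HSM rather than by a secret pass phrase.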
