Any issues with LUKS or full disk encryption in general?

Thanks so much, Chiraag_Nataraj.

I think there is some LVM setup capability in the Calamares installer. I will look into this further when I get a chance.

Yes. Major speed issues with LUKS.
My 7000 MB/s drive craps out at 900 MB/s with LUKS. All the NVMe advantage goes to trash. Could have gotten those speeds with SATA.

I’m wondering if I use an unencrypted Ubuntu install with a BIOS-set HDD password on a Samsung 980 Pro actually encrypts the drive properly. If so that would probably be much better performance.

This seems pretty accurate. Just ran some read-only benchmarks:


I read your last comments a little confused. I encrypted root and I am booting way quicker than 20 seconds until login screen, more like 2-4, at most. I don’t think your speed problems are as black and white as encryption yes/no. There’s something else cooking.


Hi, sorry to be waking up an old post, but the frame.work support team pointed me here.

I am installing Jammy Jellyfish Ubuntu 22.04 on a frame.work 13" chassis and I wish to engage LUKS encryption. The stock installer allows for this, but after USB install complete and booting from SSD the laptop asks for the decryption password each and every time. I wish to automate this and also make use of the inbuilt TPM2 chip to hold the appropriate secret. Do you have a detailed set of instructions on how to engage LUKS on a 13" chassis with Intel Gen11 mobo making use of the TPM2 capabilities? I want a system as easy and transparent as BitLocker while still providing storage encryption. ChatGPT says this is a tricky and delicate process and may change depending on the specific models of firmware and hardware involved, so I wish to hear this from you first. I’ll also check on the community forums for driver pack install (once I can actually get a shell coming up after putting the LUKS issue to bed that is).

Right now I’m dead in the water because the very password I used when the installer asked for (and wrote it down carefully in my secure vault and retyped at SSD boot time) is rejected and ultimately does not work. My next step is likely to boot from the stock installer USB stick and somehow get into a manual root shell and skip the install step, so I’m running entirely from the USB (not quite sure how to do this), and then work some kind of magic to either reset the LUKS password or manually unlock it as root…

I should also note that the CAPS lock light does not toggle on my stock keyboard, so I tried entering my password, and when it failed pressed the CAPS lock sight unseen and retried the same password.

Any next steps? I tried my ChatGPT but I think this sequence is too detailed and I’m bound to do something wrong by following less informed directions.

Thanks.

Not an expert, but I’m myself using disk encryption with TPM unlock on Ubuntu: some words might not be 100% accurate.

Ah… chatgpt… Not sure where that info came from…
The only part that is firmware specific is probably setting up Secure Boot with a custom new key. I have a FW 13 AMD and adding a db key was pretty easy compared to my experience with bios/uefi settings in other laptops. I think uefi settings are a little different in FW13 Intel 11th but shouldn’t be too hard to find the right options. Worst case scenario you need to use EFI key tool (see the link below).

You want secure boot enabled to validate your boot components because you don’t want someone who has stolen your device to boot an altered boot stack to get your TPM secret.

Moreover you have to decide under which conditions the TPM secret can be obtained. You have to choose a set of PCRs. Depending on your choice you may have to enter your password during boot after a kernel upgrade or after a firmware upgrade. So you still need a password.

Using TPM2 unlock on Ubuntu 22.04 is possible. I use it on Ubuntu 23.10 and PopOS 22.04. Still it’s harder than it is on other distros. Fedora for example ships some more modern version of some tools (systemd-cryptenroll & co.) and I’ve noticed that guides for fedora are shorter than those for debian/Ubuntu.

I hope that the upcoming Ubuntu 24.04 version will make stuff easier. Haven’t checked yet.

On this forum this thread is for fedora:

For debian/Ubuntu this is the way:

https://blastrock.github.io/fde-tpm-sb.html

Both links also cover encrypted hibernation. If you don’t feel like compiling the kernel and you don’t care about hibernation, skip that part.

I havenā€™t fully understood the situation. Were you installing or have you already installed Ubuntu 22.04?

To diagnose boot/LUKS/disk-related issues a good idea is to boot a live iso from usb. This way you have a full system available. In the initramfs the diagnostic tools are limited.

If you don’t use a US keyboard, beware of using the correct keyboard layout when you enter your password.
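Added example, not from anyone in this thread: a small Python checker for the LUKS2 token metadata that systemd-cryptenroll writes, reporting the PCR policy choices the post above describes (Secure Boot state in PCR 7, firmware vs. kernel-upgrade sensitivity, and whether a passphrase fallback keyslot remains). The JSON is a constructed, trimmed sample in the shape of `cryptsetup luksDump --dump-json-metadata` output; the PCR groupings are this example's assumptions, not something the thread states.

```python
import json

# Constructed sample, trimmed to the fields this example reads. Modelled on the JSON that
# `cryptsetup luksDump --dump-json-metadata <device>` prints for a LUKS2 header with a
# passphrase keyslot (0) and a second keyslot (1) enrolled by systemd-cryptenroll --tpm2-pcrs=7.
SAMPLE_DUMP = """{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64},
    "1": {"type": "luks2", "key_size": 64}
  },
  "tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7], "tpm2-pin": false}
  }
}"""

# Assumed groupings: PCRs 0-3 follow the UEFI firmware, PCR 7 the Secure Boot state/db,
# PCR 4 the EFI boot loader/kernel images, 8/9 GRUB's measurements, 11 a systemd UKI.
FIRMWARE_PCRS = {0, 1, 2, 3}
BOOTCHAIN_PCRS = {4, 8, 9, 11}
SECURE_BOOT_PCR = 7


def tpm2_bindings(dump_json):
    """One record per systemd-tpm2 token: keyslots it unlocks, PCR policy, PIN flag."""
    meta = json.loads(dump_json)
    out = []
    for tid, tok in meta.get("tokens", {}).items():
        if tok.get("type") != "systemd-tpm2":
            continue  # other token types (e.g. FIDO2) are out of scope here
        out.append({"token": tid, "keyslots": list(tok.get("keyslots", [])),
                    "pcrs": sorted(tok.get("tpm2-pcrs", [])),
                    "pin": bool(tok.get("tpm2-pin", False))})
    return out


def audit(dump_json):
    """Findings to review before relying on TPM auto-unlock instead of a boot passphrase."""
    meta = json.loads(dump_json)
    bindings = tpm2_bindings(dump_json)
    bound = {ks for b in bindings for ks in b["keyslots"]}
    fallback = sorted(set(meta.get("keyslots", {})) - bound)  # keyslots not tied to a token
    findings = []
    if not bindings:
        findings.append("no TPM2 token enrolled: passphrase prompt on every boot")
    if not fallback:
        findings.append("no passphrase keyslot left: any PCR change locks the volume")
    for b in bindings:
        pcrs = set(b["pcrs"])
        if SECURE_BOOT_PCR not in pcrs:
            findings.append(f"token {b['token']}: PCR 7 absent, policy ignores Secure Boot state")
        if pcrs & FIRMWARE_PCRS:
            findings.append(f"token {b['token']}: firmware PCRs bound, expect a prompt after a firmware update")
        if pcrs & BOOTCHAIN_PCRS:
            findings.append(f"token {b['token']}: boot-chain PCRs bound, expect a prompt after a kernel/boot loader update")
        if not b["pin"]:
            findings.append(f"token {b['token']}: no PIN, unlock needs no user secret on an unmodified boot stack")
    return findings
```

With the sample header the only finding is the missing PIN, which matches the trade-off described above: automatic unlock up to the login screen, at the cost of no user secret in the unseal path.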

Thanks very much for the replies. I started with a completely empty SSD, this is a brand new system I’m setting up.

I may try re-installing from scratch since even with entering the password twice I might have made a keying error.

I am using a typical US keyboard.

Can I use the Ubuntu install ISO as a “live boot” product and boot into the key instead of doing an installation?

I will never be using hibernation or suspension since the purpose of this system is to be an always-on crypto miner / validator (I could be docked if the machine is offline).

I’ll do more research to determine the appropriate PCR settings.

Update: After some consideration, I have decided this is much too volatile a setup for my home server. I will forego disk encryption entirely. I yearn for a solution as easy to engage / disengage as Windows BitLocker. Too many opportunities to cause huge damage if I get something little wrong - I see this whole subsystem as very brittle, especially for those who don’t have decades of experience. This server will be operating on mission-critical data but I lack the confidence to move forwards with disk encryption. Thanks to all who responded.

I use it on Fedora, I do not use it on Ubuntu myself. LUKS in and of itself, is fine and reliable.

I know this is an old thread, but just throwing in that luks works fine on the Framework 16. No reason for it not to.

In my particular case, I have a standard EFI partition, and a few unencrypted boot partitions for various OSes, then a massive LUKS encrypted btrfs formatted partition for the rest of the drive, which currently contains Fedora 39, Ubuntu 22.04, and Arch Linux all installed under their own designated subvolumes. This way all three OSs are unlocked with the same luks password and space isn’t wasted.