Encrypted /boot install (Q&A format)


Hey, I like the added security provided by the LUKS2 encryption Lubuntu uses. Can I still have an encrypted /boot directory on a LUKS encrypted disk if I use Manual Partitioning to set up the partitions as I really want them?


Quoting Aaron Rainbolt here

All Ubuntu flavors use Canonical’s build of GRUB (naturally), and Canonical explicitly does not support /boot being located on an encrypted partition. It actually creates additional security risks to do so as Canonical doesn’t test the code that handles encrypted /boot.

Whilst, in the bug report I’m quoting, Aaron gives a clue as to how this may be possible, we do not recommend you have /boot on an encrypted partition unless you use the ‘erase disk and install’ feature as we’ve set it up.