LUKS without a boot partition

Question

I remember reading a blog entry that someone at Canonical was working on making LUKS work without a boot partition for 17.04. However when I did a fresh install of 17.10 I was unable to find anything. I know that it is possible to make grub handle LUKS encryption, and could probably hack it up myself, but does anyone know what happened to said work? I searched for a while and failed to find the blog entry.

Answer 1

Assuming you're running an EFI system, the EFI System Partition (usually the first partition on your disk, mounted at /boot/efi) will always need to be decrypted so that your system can actually load into GRUB.

However, you can now stick /boot itself inside LUKS. A guide for that is available in this answer on the site, however this has a few caveats:

• Every time you update your kernel/GRUB, you will need to "re-install" it on your system, and make sure things recognize it. As far as I can tell, there's no automated hook.
• GRUB won't be taking over LUKS entirely. If I remember correctly, it'll prompt for the password and go from there, but it will not replace LUKS.
• This setup, as far as I can tell, has a very decent potential to break in potentially amazing ways.

To be honest, there's little to no reason to actually stick /boot inside of LUKS. It just causes quite a bit of unnecessary pain and makes one's life much worse for not too much of a gain. The main risk (tampering with the kernel) can easily be mitigated by using Secure Boot to sign the kernel and any modules. If you want to run this digital signature enforcement, please read through the entire wiki page linked.