
I have Ubuntu installed with boot unencrypted and root encrypted. To get boot encrypted, I created a new 4 GB encrypted boot partition and copied everything from the first, plain boot partition. For GRUB, I executed the following:

# echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub

# apt-get install -y --reinstall grub-efi-amd64-signed

# update-initramfs -c -k all

# grub-install /dev/nvme0

# update-grub

The grub.cfg file in the plain boot partition (/boot/grub/grub.cfg) was edited to add a new entry for the encrypted boot partition, with its UUID in the search option:

search --no-floppy --fs-uuid --set=root <uuid of encrypted boot partition from blkid command>

Along with this, the entry has insmod cryptodisk and insmod lvm added. As you can see, GRUB is still loaded from the unencrypted boot partition and it has to detect the encrypted boot partition. I am not sure if this is possible.

Below are the issues:

When booted, it gives an error that EFI firmware secure boot forbids loading a module from (hd0, gpt8). My partition is 9 for encrypted boot. To circumvent the problem temporarily, I disabled secure boot.

However, for the UUID configured in grub.cfg for the encrypted boot partition, GRUB gives the error "no such device". It is not possible to figure out whether GRUB can detect the encrypted partition unless it recognises the UUID of the encrypted partition. What can be missing in this process to get the encrypted boot partition working and to get rid of these errors?

Also, there is the F12 key to get the boot menu from the BIOS firmware, which also does not detect the encrypted boot partition. What can be missing here?

The partition is marked as Linux filesystem and was created as LUKS + ext4 through the Disks GUI utility on Ubuntu. I read a few posts and a couple of articles about this, and one mention I found said that GRUB currently supports LUKS2. Please correct me if I am wrong. The Ubuntu I have is 22.04 LTS.
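A check that can be run against the setup described in the question, added here as an example and not part of the original post: it reads a LUKS header and reports the version, the header UUID and the KDF of each keyslot. It assumes the standard LUKS1/LUKS2 on-disk layout and that GRUB 2.06 can only unlock LUKS2 keyslots that use PBKDF2; the function names and the sample UUID are made up for the example.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
JSON_OFFSET = 4096  # LUKS2 JSON metadata follows the 4096-byte binary header


def luks_summary(blob):
    """Return version, header UUID and per-keyslot KDF types from a LUKS header."""
    if len(blob) < 208 or blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    version = struct.unpack(">H", blob[6:8])[0]
    # The UUID string sits at offset 168 in both LUKS1 and LUKS2 headers.
    uuid = blob[168:208].split(b"\0")[0].decode("ascii")
    if version == 1:
        return {"version": 1, "uuid": uuid, "kdfs": {"*": "pbkdf2"}}  # LUKS1 is PBKDF2 only
    if version != 2:
        raise ValueError("unknown LUKS version %d" % version)
    hdr_size = struct.unpack(">Q", blob[8:16])[0]  # binary header plus JSON area
    meta = json.loads(blob[JSON_OFFSET:hdr_size].split(b"\0")[0])
    kdfs = {slot: ks["kdf"]["type"] for slot, ks in meta["keyslots"].items()}
    return {"version": 2, "uuid": uuid, "kdfs": kdfs}


def has_pbkdf2_keyslot(summary):
    # Assumption of this example: the boot loader can only unlock PBKDF2 keyslots.
    return "pbkdf2" in summary["kdfs"].values()


def make_luks2_header(uuid, kdf_types, hdr_size=16384):
    """Build a constructed LUKS2 primary header (sample data, not from a real disk)."""
    meta = {"keyslots": {str(i): {"type": "luks2", "kdf": {"type": k}}
                         for i, k in enumerate(kdf_types)}}
    binary = LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)
    binary = binary.ljust(168, b"\0") + uuid.encode().ljust(40, b"\0")
    blob = binary.ljust(JSON_OFFSET, b"\0") + json.dumps(meta).encode()
    return blob.ljust(hdr_size, b"\0")


if __name__ == "__main__":
    sample_uuid = "11111111-2222-3333-4444-555555555555"  # constructed value
    for kdf_types in (["argon2id"], ["argon2id", "pbkdf2"]):
        info = luks_summary(make_luks2_header(sample_uuid, kdf_types))
        print(info, "PBKDF2 keyslot present:", has_pbkdf2_keyslot(info))
```

The UUID returned here is the one stored in the LUKS header, not the UUID of the ext4 filesystem inside the container.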
