back to article Ubuntu's 'Mantic Minotaur' peeks out of the labyrinth

The next release of Ubuntu will appear in mid-October, and the latest daily builds reveal some of the features of the forthcoming interim release. Ubuntu 23.10 is codenamed Mantic Minotaur; the adjective means relating to prophecy or divination of the future, and we're sure you know what minotaurs are meant to be. The …

  1. Tom Chiverton 1 Silver badge

    "the disk remains unreadable if you boot the machine from a different drive or OS, such as a USB key"

    Isn't this fairly common in Linux-land, as opposed to on Windows, for everything from error recovery, hardware upgrades (just lift and shift the drive), to installing a new O/S version from a LiveCD ?

    How is this impacted ? There has to be a fallback, right ? Right ?

    1. Liam Proven (Written by Reg staff) Silver badge

      [Author here]

      > Isn't this fairly common in Linux-land,

      I am not sure what you mean. You are responding to a negative statement with a positive statement and I can't tell what you are asking.

      Isn't _what_ fairly common?

      Currently, without disk encryption, it is common to be able to move a disk from 1 PC to another and have it work, yes.

      Will this scheme prevent that? Yes. That is its purpose.

      Is there a way around it? No. That it its purpose: to prevent you extracting a disk from a machine and getting at the contents. This is not merely by design, it is the reason for doing it.

      Is there a fallback? No, not that I know of. Ask them.

      With the MS scheme it is possible, if you have the machine and it still works and if you have the keys and access to the MS cloud account that created it, to recover a locked disk, in the same machine. You can unlock it and get at the data, or even relock it again and carry on as before. I've done it.

      if you do not have the machine, no. If the motherboard failed, say, and you want to rescue the data... tough.

      What should be possible is to nuke the encrypted volume, and either recreate new volumes and install a new unencrypted OS, or create a fresh new encrypted disk, but losing all the old data.

    2. FIA Silver badge

      Isn't this fairly common in Linux-land, as opposed to on Windows, for everything from error recovery, hardware upgrades (just lift and shift the drive), to installing a new O/S version from a LiveCD ?

      It's common in Windows land too. (Boot the Windows install CD, Shift-F10 for a command prompt...)

      How is this impacted ?

      This prevents you doing that.

      There has to be a fallback, right ? Right ?

      On Windows you can create a backup of the key, which is a text file containing a code you type in to unlock the drive. If you don't have this or equivalent then you can't access the drive.

      Full disk encryption is for people who don't want their data to be lost in the event of the machine being stolen or cloned, the idea is that you explicitly can't just boot of a recovery CD to access the data.

      If that's an issue, don't encrypt your drive.

      This is the reason my home PC drives aren't encrypted, but my works laptop is. My home stuff it's more important for me to be able to access the data on my hard disc, whereas with the laptop it's far far more important that the data on there isn't accessible by a third party. If the laptop is stolen I'll just get a new one with the standard image, download stuff I need to work and carry on. All the important data is sorted elsewhere.

    3. Phones Sheridan Silver badge

      “ There has to be a fallback, right ?”

      Er, backups?

    4. Dr Dan Holdsworth
      Boffin

      The short answer to this is simple: backups.

      Your machine's hardware has failed? Easy, restore it from your backups. You don't have any backups? Oh dear.

    5. phuzz Silver badge

      If Ubuntu's new encryption system is based on LUKS, then it would still be possible to unlock the disk in a different computer (or in a different OS) as long as you had the original recovery password somewhere.

      Even if they don't use LUKS, then I assume Ubuntu will still have some sort of 'recovery key' that you generate at install time, as that's how every other full-disk encryption does it.

  2. wirtualny_dood

    Non-interactive FDE is possible with linux

    Can't say for Ubuntu, but non-interactive FDE is possible with linux. At least on Fedora and RHEL you can use Clevis if a laptop/desktop is equipped with a TPM chip. The prompt for password is there, but the OS will fetch the password from TPM and unlock the drive after several seconds. Works like a charm for me ;)

    1. tapanit
      Linux

      Re: Non-interactive FDE is possible with linux

      It is also possible to set up non-interactive FDE simply by having the key on a USB stick. Of course it's less safe in case the stick is stolen along with the disk, but I think that's not significantly more likely than having the entire machine stolen. And the stick is easy to remove (or destroy) when discarding a disk.

      You can also set it up so that the operating system part isn't encrypted (or is decrypted via a USB stick as above, or with the TPM chip) but the data (like, images of VMs doing the real work) need to be decrypted via a remote connection (ssh or something). Some care is needed to make sure everything valuable is encrypted but still relatively easy way to get a useful level of protection.

  3. Gene Cash Silver badge

    What?

    Why the hell does a smart signboard (or similar IoT tat) need an encrypted disk? Is it a secret NSA drop point at night or something?

    1. Liam Proven (Written by Reg staff) Silver badge

      Re: What?

      [Author here]

      > Why the hell does a smart signboard (or similar IoT tat) need an encrypted disk?

      Let me give you an example. Not hypothetical but I can't reveal details.

      Let's say you have some smart signboards and they work by running a web browser full screen, and that web browser fetches pages from a web server.

      You have a choice to make.

      [1] You place the info it's to display on the public WWW; the signboard just fetches unencrypted content and shows it. Now, you have to know enough to lock down that server pretty tightly, but it doesn't matter much if the controlling computer is stolen. You risk loss of expensive equipment but not of server compromise.

      [2] You don't place the info on the public WWW. You lock it up behind some kind of private network or something. So now, your smart signboard has some kind of credentials to access that hidden content. Now you have a big problem if someone steals the computer. Your network is more secure and the clients are less valuable.

      [3] Or, of course, the smart displays are totally unsecured *and* the server is public *and* it's totally unsecured.

      Guess which happened in the real world. >_<

      There's also the issue of client devices updating themselves, and compromises in the update mechanism or channel -- to fight which, you want authentication, but that means credentials, and you want to protect the credentials...

      Anything that makes one of № 1 or № 2 easier, and thus prevents the need for № 3, is a net win, IMHO.

  4. keithpeter Silver badge
    Pint

    https://www.omgubuntu.co.uk/2023/09/ubuntu-23-10-minimal-mistake#comment-6272328990

    shyisc has nailed it based on fun memories of fighting apt-get back in the noughties.

    "Simple: Ship with broadly useful apps, but don't make those apps into a dependency of the system/desktop environment, so that there will be no problems uninstalling them."

    But then what do I know, I use Slackware (kitchen sink included :-)

    Mind you, I also like the idea of default minimal install but a 'first use wizard' (with icon/entry in menus for later use) that offers a set of sane desktop applications.

  5. bazza Silver badge
    Pint

    Yay, ZFS!

    A lovely fs.

    Still not sold on Wayland though. Or snap. Currently running an apt version of Firefox, direct from the horses mouth (so to speak).

    I've had no end of grief going from 20.04 (Nvidia drivers, everything working a treat) to 22.04 (nvidia drivers, suddenly it's all gone unstable!). It seems to have settled down now, but I was sorely vexed for quite a while.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like