XPS 13 9370 Ubuntu full disk encryption

I am answering to myself.

From what I have understood the best solution would be to boot from Dell Recovery Ubuntu USB key created and select 'Erase disk and install Ubuntu' + Encrypt... + LVM...
But this would mean loosing the Dell recovery partition.

If someone has a better idea, feel free to post.

Hey there,

it seems we're in the same boat. I received my XPS 13 9370 dev edition last wednesday, and the lack of out of the box full disk encryption is giving me huge headaches. Already spent 3 evenings over this stuff.

• So the machine comes without home or root partition encryption
• I created the recovery USB stick and booted into that (mashing F12 during boot logo screen)
• The default option just goes back to square one, unencrypted default install
• I went with the "erase disk and install ubuntu", then picked the option to create an encrypted disk, chose a password and installed
• The problem is: The encryption passphrase is not recognized. It's not keyboard layout problems or something like this, I reinstalled numerous times, a passphrase "abcd" does not get recognized either

I then went on to try to set up the partitions manually, but failed at this - there seems to be some intricate steps to it that I'm not aware of. For me, after setting up what I considered reasonable (basically alotted all 2 GB of disk space unencrypted ext4 for /boot, the rest to an encrypted disk, put in most of it as / and the rest as Swap) the installer straight out crashed. This whole config screen is aggravatingly hard to operate since it's super tiny on my 4k laptop screen and it seems you cannot revert a wrong step, you have to reboot and start from scratch. I found this guide on setting up FDE manually, but it seems extremely cumbersome.

On the default factory install I do not see the option to encrypt home either by the way, from what I've read this has been removed in favor of Luks FDE in Ubuntu 18.04.

So as far as I can tell there is zero disk encryption available on the developer edition Ubuntu without some serious hacking, which I really wish I was told before buying it. I was hoping to get some actual functional OS when buying it as a pre-installed and supported operating system.

@Christophe14 Did you make any progress on this? 

Hi

In fact, as I am not a Linux expert, I wanted to have feedback before performing any trial.

From what I have investigated so far :

There is a bug in home encryption. This explains why it has been removed from Ubuntu 18.04 installer.
https://www.linuxuprising.com/2018/04/how-to-encrypt-home-folder-in-ubuntu.html
https://askubuntu.com/questions/1029249/how-to-encrypt-home-on-ubuntu-18-04
In fact, there were 2 bugs and one has been fixed.

There is also an issue regarding keyboard layout for full disk encryption password.
https://blog.mgor.net/2018/05/20/ubuntu-18-04-bad-password-when-trying-to-unlock-luks-encrypted-device/
https://askubuntu.com/questions/1031302/ubuntu-with-full-disk-encryption-bad-password-after-upgrade-to-18-04/1031915#1031915

That could explain your password issue encountered for full disk encryption.
Do you have a QWERTY keyboard ?

Finally, you mentioned you have created a recovery USB stick.
How did you create it ?
I have created a Dell Recovery Media when it was proposed during first Ubuntu installation.
When booting from it, it is not a standard Ubuntu setup configuration.
It proposes either to Restore entire hard drive or to Restore only Linux OS partition.
If you had the same choice, what did you choose to have "erase disk and install ubuntu" option ?

Hi,

OK. I will perform some tests next week and share the results.

Thanks.

So, here's to another attempt at re-installing from the recovery USB with encryption.

I still am not able to unlock using the password I set, but I decided to have a look at the partition scheme installed so booted into the recovery USB, quit the installer and launched the "Disks" utility.

The disc has 3 partitions:

• nvme0n1p1 - EFI System, FAT 32 bit (537 MB)
• nvme0n1p2 - Linux Filesystem, Ext4 (supposedly /boot) (768MB)

The rest of the disk is taken by the encrypted volume. I noticed I can actually unlock the LUKS volume. I tried that with my chosen password and actually that worked, so it must be some misconfiguration of the password prompt on boot. After unlocking I see the "Linux Filesystem" LUKS Encryption version 1 volume.

I wonder if some adjustment to the boot password prompt config would fix this

Damned, I am facing the same issue !

As I have a French keyboard on the XPS 13, the passphrase created is 'eeeee' (with Dell Recovery Media USB key).
But it is not recognized at boot. So I agree the issue is not coming from layout keyboard (e is at the same position for French or USB keyboard).
I was also able to boot from Linux Mint live disk and able to unlock or change the passphrase.
So the passphrase created is correct.

Any idea ?

I have successfully created a working passphrase using the standard Ubuntu 18.04.1 Live installation process.

The passphrase "eeeee" is recognized. I was also able to change the passphrase on the AZERTY keyboard.

So, it means Dell Recovery Ubuntu iso file has a bug with full encryption feature.

Any idea to workaround the issue ?

Is there a way to create a passphrase with standard Ubuntu 18.04.1 and to reinstall on top Dell Ubuntu 18.04 for XPS 13 9370 ?

For the moment, the standard option for Dell Recovery Ubuntu is to erase and reinstall, meaning I will probably loose the working passphrase.

Ah, great find, thanks for trying it out with vanilla Ubuntu.

I also tried this out and it worked for me as well.

However, I was wondering about the cusomizations that the dell distro has, so I took a snapshot of the /etc directory and installed packages between Dell XPS13 recovery-installed Ubuntu against a vanilla Ubuntu 18.04.1

On thing that I noticed is that the XPS13-Ubuntu identifies as 18.04 in /etc/issue.net, while vanilla Ubuntu shows 18.04.1 - this is awkward since Dell policy seems to be to only update Ubuntu LTS when the .1 release is shipped - why does it then ship with non-18.04.1 out of the box?

I also had a look at the custom package sources configured (in /etc/apt/sources.list.d) and the differences in installed apt packages. There is a bunch of dell-* packages installed on the dell system that are not available on the dell Apt Repo, which is very awkward, where do these packages come from and how would they get updated?

So far, the system with vanilla Ubuntu seems to be running well, so I'll probably go with that for now.

It would still be nice for someone from Dell maybe chime in here and comment on the bug and whether it will be fixed, I think this issue is pretty severe.

Hi,

I fully agree, this is a major issue that has to be fixed.
Anyway, installing standard Ubuntu 18.04.1 is not an acceptable solution as we don't get the Dell specific updates/fixes for XPS 13 9370.

How can we progress on this ?

Shall we post a bug report in https://launchpad.net/dell-sputnik ?

Thanking you in advance.

@Christophe14 Yeah, it seems posting a bug there is a good idea, it certainly seems more likely that we'll get some feedback than here :) If you have the time please do so, otherwise I'll try to do it over the weekend. Thanks!

Hi,

A bug report "XPS 13 9370 full disk encryption not working on Dell Recovery Media" has been created at https://bugs.launchpad.net/dell-sputnik/+bug/1801598.

Hoping Dell will support us.

Kind regards,

Christophe

Hi all,

This was brought to my attention today and I took a few moments to try to debug what's going on.  I believe it's because of an issue in detecting LVM in dell-recovery's post ubiquity command.

This commit to dell-recovery should fix it.

https://github.com/dell/dell-recovery/commit/04cd77ca904f13bbac145366377af6c7975f9837

To test it you of course will need to modify your USB disk image.  I've tagged a new dell-recovery release and you should be able to include it in your USB disk image.

You can download the .deb file from: https://github.com/dell/dell-recovery/releases/download/1.60/dell-recovery_1.60_all.deb

And save it on your USB recovery disk in the directory debs/main.

Then perform your installation again and I believe it should fix the problem.

Longer term we'll have to respin factory images to get this type of fix included in the factory but it should help anyone in the interim.

Hi Mario,

Thank you for your investigations !

Did I understand correctly that we need to copy a new file "dell-recovery_1.60_all.deb" in debs/main located in USB recovery disk ? No previous version of this file is present.
If so, sorry for the basic question but how can I copy the file "dell-recovery_1.60_all.deb" into a read only USB key ?

Thanks in advance.

Kind regards,

Christophe