UC20 custom partition encryption

Hi All,

In the standard UC20 FDE feature (UC20 full-disk-encryption hook interface), key/passphrase creation for disk encryption is managed by Core snapd. For our custom requirement, we would like to use our own passphrase for partition (e.g. SD card) encryption and are planning to use a custom snap for this purpose.

We are evaluating a custom snap with the ubuntu-data (/writable) partition. As the system-data partition is mandatory during UC20 boot, we are not able to avoid the “writable” partition being mounted. If the writable partition is mounted, AppArmor denies the unmount, and we are not finding a suitable interface to allow the unmount.

Is it OK to use a custom snap with dm-crypt for the ubuntu-data partition? Or is there any alternate approach that can be followed to meet the requirement?

There is a mount-control interface in the works that would allow a snap to mount a partition into $SNAP_DATA/<mountpoint>, from where you could share it via a content interface with other snaps … if you then combine the upcoming mount-control interface and the recently added dm-crypt interface, you should be able to mount encrypted SD cards this way.

The writable partition is actually the lowest layer of your root filesystem; system-data is a directory on that writable partition. The assembly of the actual root filesystem, based on /writable/system-data and the respective core20 snap that provides all binary read-only data for that rootfs, happens from the kernel’s initramfs. If the kernel allowed you to unmount a part of your rootfs from a snap, the system would eventually crash because half of your OS would be gone …
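To make the mount-control plus dm-crypt combination from the reply above concrete, here is an added example of the kind of script a custom snap app could ship; it is not code from this thread, from snapd or from the OP. It assumes the SD card partition (assumed device path /dev/mmcblk0p1) is LUKS-formatted, that the passphrase lives in an assumed file $SNAP_DATA/sdcard.key, that the snap plugs both `dm-crypt` and `mount-control`, and that `snapctl mount`/`snapctl umount` are the interface's entry points (the plug attribute syntax in the comment is an assumption about the then-upcoming interface and should be checked against the snapd docs of the release you target).

```shell
#!/bin/sh
# Added example (not from the forum thread or from snapd): open a LUKS
# volume on an SD card with cryptsetup (dm-crypt interface) and mount it
# under $SNAP_COMMON through snapctl (mount-control interface).
#
# Assumed plug declaration in snapcraft.yaml for this app:
#   plugs:
#     dm-crypt:
#     mount-control:
#       mount:
#         - what: /dev/mmcblk*
#           where: $SNAP_COMMON/sdcard
#           type: [ext4]
#           options: [rw, nosuid, nodev]
set -eu

# Derive a dm-crypt mapper name from the block device path, e.g.
# /dev/mmcblk0p1 -> sdcard-mmcblk0p1.  Everything outside [A-Za-z0-9_-] is
# replaced so that a hostile device name cannot smuggle path components or
# shell metacharacters into /dev/mapper/<name>.
mapper_name() {
    base=$(basename "$1")
    printf 'sdcard-%s\n' "$(printf '%s' "$base" | tr -c 'A-Za-z0-9_-' '_')"
}

# Return 0 when the mount point lies under the given $SNAP_COMMON.
# mount-control only permits the paths declared in the plug; checking
# here gives a clearer error than the AppArmor denial would.
under_snap_common() {
    common=$1; target=$2
    case "$target" in
        "$common"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

open_and_mount() {
    dev=$1; key_file=$2; mountpoint=$3
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    under_snap_common "$SNAP_COMMON" "$mountpoint" \
        || { echo "mount point must be under $SNAP_COMMON" >&2; return 1; }
    name=$(mapper_name "$dev")
    # --key-file keeps the passphrase off the command line, where it would
    # be visible in ps output and audit logs.
    cryptsetup open --type luks --key-file "$key_file" "$dev" "$name"
    mkdir -p "$mountpoint"
    # A plain mount(8) call is denied by AppArmor inside the snap; the
    # mount-control interface is driven through snapctl instead.
    snapctl mount -t ext4 -o rw,nosuid,nodev "/dev/mapper/$name" "$mountpoint"
}

unmount_and_close() {
    dev=$1; mountpoint=$2
    snapctl umount "$mountpoint"
    cryptsetup close "$(mapper_name "$dev")"
}

# Usage inside the snap: mount-sdcard open [device] | mount-sdcard close [device]
case "${1:-}" in
    open)  open_and_mount "${2:-/dev/mmcblk0p1}" "$SNAP_DATA/sdcard.key" "$SNAP_COMMON/sdcard" ;;
    close) unmount_and_close "${2:-/dev/mmcblk0p1}" "$SNAP_COMMON/sdcard" ;;
esac
```

The script keeps the passphrase in a file rather than on the command line, and refuses both non-block devices and mount points outside $SNAP_COMMON before touching cryptsetup, so a bad argument fails early instead of as an opaque AppArmor denial.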

@ogra,

Thanks for your input. We will try the mount-control interface. We tried custom disk encryption on the ubuntu-save (system-save) partition using a custom snap. It works.

Does that mean we have to opt for the standard FDE feature for the writable (system-data) partition? Is custom disk encryption not feasible on the writable partition?

FDE is implemented in the install mode that runs on first boot for creating the writable partition, encrypting it and storing the key in a protected TPM …

this bit lives in snapd AFAIK …

Decryption during boot happens from code in the initramfs … if you want to implement something custom, you’d have to modify these code bits, I guess …

Also, for obvious security reasons, FDE is currently only supported together with secure boot …

@ogra,

Thanks for your suggestion.

As part of testing disk encryption on the ubuntu-save partition, I was mounting the partition to /media from a custom snap application. I was also checking the bind mount option to remount ubuntu-save into /var/lib/snapd/save.

But I observed AppArmor denial errors (cannot remount read-write; is write protected). I was not even able to bind mount it read-only on /var/lib/snapd/save. Is this expected?

For our custom requirement, I am customizing the FDE hook: instead of OP-TEE based encryption, I am planning to use custom encryption with a key. For initial testing, I am keeping the key in a file in the ubuntu-seed partition. But when the FDE hook (fde-setup) tries to retrieve/read the key from the file, the file open/read fails with a permission denied error. Is file reading not permitted in UC20 install mode?

Note: the FDE hook (fde-reveal-key) is able to access the same file in UC20 run mode.