Unencrypted boot with encrypted root
From: Pierre Neidhardt
Subject: Unencrypted boot with encrypted root
Date: Thu, 02 Apr 2020 10:59:30 +0200
Hi!
I've followed the doc / template to set up an encrypted system on my
laptop:
--8<---------------cut here---------------start------------->8---
(mapped-devices
 (list (mapped-device
        (source (uuid "12345678-1234-1234-1234-123456789abc"))
        (target "my-root")
        (type luks-device-mapping))))
(file-systems (append
               (list (file-system
                      (device (file-system-label "my-root"))
                      (mount-point "/")
                      (type "ext4")
                      (dependencies mapped-devices))
                     (file-system
                      (device (uuid "1234-ABCD" 'fat))
                      (mount-point "/boot/efi")
                      (type "vfat")))
               %base-file-systems))
--8<---------------cut here---------------end--------------->8---
Problem is, I get prompted for the LUKS password twice: once before GRUB
starts and once when booting an OS entry.
This is rather annoying (and quite slow by the way, it takes some 10-20
seconds) and probably not too useful.
Is it possible to prompt for the password only once?
I suppose that one way to do this is to make /boot a separate file
system beside /boot/efi.
All in all, the configuration would look like this:
--8<---------------cut here---------------start------------->8---
(mapped-devices
 (list (mapped-device
        (source (uuid "12345678-1234-1234-1234-123456789abc"))
        (target "my-root")
        (type luks-device-mapping))))
(file-systems (append
               (list (file-system
                      (device (file-system-label "my-root"))
                      (mount-point "/")
                      (type "ext4")
                      (dependencies mapped-devices))
                     ;; New entry: /boot as its own file system.
                     (file-system
                      (device (file-system-label "boot"))
                      (mount-point "/boot")
                      (type "ext4"))
                     (file-system
                      (device (uuid "1234-ABCD" 'fat))
                      (mount-point "/boot/efi")
                      (type "vfat")))
               %base-file-systems))
--8<---------------cut here---------------end--------------->8---
We should probably update the doc and templates to explain this
subtlety, since mistakes in the partition design are hard to recover
from after the fact :)
Insights?
--
Pierre Neidhardt
https://ambrevar.xyz/