guix-devel

Unencrypted boot with encrypted root


From: Pierre Neidhardt
Subject: Unencrypted boot with encrypted root
Date: Thu, 02 Apr 2020 10:59:30 +0200

Hi!

I've followed the doc / template to set up an encrypted system on my
laptop:

--8<---------------cut here---------------start------------->8---
  (mapped-devices
   (list (mapped-device
          (source (uuid "12345678-1234-1234-1234-123456789abc"))
          (target "my-root")
          (type luks-device-mapping))))

  (file-systems (append
                 (list (file-system
                         (device (file-system-label "my-root"))
                         (mount-point "/")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         (device (uuid "1234-ABCD" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat")))
                 %base-file-systems))
--8<---------------cut here---------------end--------------->8---

Problem is, I get prompted for the LUKS password twice: once before GRUB
starts and once when booting an OS entry.

This is rather annoying (and quite slow by the way, it takes some 10-20
seconds) and probably not too useful.

Is it possible to prompt for the password only once?

I suppose that one way to do this is to make /boot a separate file
system beside /boot/efi.
All in all, the configuration would look like this:

--8<---------------cut here---------------start------------->8---
  (mapped-devices
   (list (mapped-device
          (source (uuid "12345678-1234-1234-1234-123456789abc"))
          (target "my-root")
          (type luks-device-mapping))))

  (file-systems (append
                 (list (file-system
                         (device (file-system-label "my-root"))
                         (mount-point "/")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         (device (file-system-label "boot"))
                         (mount-point "/boot")
                         (type "ext4"))
                       (file-system
                         (device (uuid "1234-ABCD" 'fat))
                         (mount-point "/boot/efi")
                         (type "vfat")))
                 %base-file-systems))
--8<---------------cut here---------------end--------------->8---

We should probably update the doc and templates to explain this
subtlety, since mistakes in the partition design are hard to recover
from after the fact :)

Insights?

-- 
Pierre Neidhardt
https://ambrevar.xyz/
