-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04.09.2012 15:48, "Roland Häder" wrote: > I think I made a (tollerateable) mistake: > > My hard drive has two partitions: - sda1 - encrypted swap - sda2 - > encrypted root > > How should it boot? One way could be by external media (e.g. > stick), other is from hard drive. But that is encrypted. So I must > leave a small area left for kernel, initrd, System.map and maybe > config. > > So the page at [1] is a little wrong because it misses the boot > partition, so the new layout should be: - sda1 - unencrypted boot > (/boot) partition - sda2 - encrypted swap (at least as double as > your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root) > > Can someone update this? > > Regards, Roland > > [1]: http://wiki.gentoo.org/wiki/DM-Crypt >
In theory grub2 is able to open a luks-encrypted volume though it seems to have some disadvantages: you'll need to enter the passphrase (or pass the keyfile) two times, because grub itself needs to decrypt the volume to get the later stages from the encrypted volume and afterwards the decryption in the bootprocess itself takes place. I can't give any real advice about it though, because I use an unencrypted boot partition. Depending on your needs it could be an increase of security, because you can stop an attacker from injecting malicious code into your kernel (or replace it completely). WKR Hinnerk -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQRjxMAAoJEJwwOFaNFkYcWfcIAJvh9CxmlPeWTlJ8qMMb24tf 8tCVPo7FjnELrOqHwccqRceC1/1kIfjfYy0BowbRBOAV49WEIt3WWZhySVcS5PzH mh30OVZZ1Gb94QjwUSoKb+4FfULpM8oVp3kpaxf11Ls7SlJgRkW4hiSNmEWGt/2Q RRgTQpkFp7W6b1sWnbnKY491iCsL657G90UK7lKe3qe15u7V0E8bY2XvzJrPSf4E K3V0mpHunLWDMbr0lfoezbeOEuqSfRdUlgQWw3Q4iCKBxFX5hh9ac5T8cne4xUJ7 OKp6HAYE3sl8othQ+ngMNVyu/vX6j0dCtZHgPtAZEDU1pjE33rjiaLXm15aCVbU= =AG8l -----END PGP SIGNATURE-----
