Rutherther <[email protected]> writes:

> Hi Tomas,
>
> Tomas Volf <[email protected]> writes:
>
>> Mathieu Othacehe <[email protected]> writes:
>>
>>> Two alternatives come to my mind:
>>>
>>> 1. Make sure that all the kernels/initramfs of the live generations have
>>> a copy in /boot.
>>
>> My understanding is that you need to enter the password twice due to:
>>
>> 1. GRUB needs to access its configuration <-- Password #1
>
> This is not accurate. That's just one part, the configuration. But apart
> from the GRUB's configuration you also need the kernel and initrd so
> that GRUB can actually boot into the system.
>
> Even if /boot is on an unencrypted partition right now, you still need
> to type this password. You need both /gnu/store and /boot on an
> unencrypted partition to not have to type it.
>
>> 2. GRUB shows the menu and starts the boot process
>> 3. The initrd is loaded
>> 4. The initrd needs to pivot to the real root <-- Password #2
>>
>> So I admit I am unsure what having a copy directly in /boot solves.
>
> It solves the situation where /boot is unencrypted, but /gnu/store is
> encrypted. In this case, you will not need to unlock the partition with
> /gnu/store when you copy the kernel and initrd over.
>
> It's for example what NixOS is doing.

I see. Since the original question was about full disk encryption, I did
not expect non-encrypted /boot to be an option. Sure, in that case the
copy would help. I just hope the copy will be optional, and encrypted
/boot will stay a possibility.

>> GRUB already has access to /gnu/store after you unlock the root for the
>> first time.
>>

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
