Hey Maxim,
> I think it would be good to have that as one option; but ideally I'd
> prefer if we had some auto-configuration in the installer for using a
> fully encrypted partition including /boot and /gnu/store that would use
> a secret key baked in the initrd, like what Tomas is doing, as I don't
> like to expose unencrypted boot files.
>
> It'd be nice to improve the code that GRUB uses to do the
> decryption... it's so slow that I dread the times I need rebooting my
> machine ^^'.

Yes, I have also witnessed during Guix Days that some Guix System laptops with full-disk encryption were taking ages to boot :)

So this two-times password issue is one thing, but fixing the super-slow disk decryption in GRUB is maybe even more important. Having a secret in the initrd would only help for the first issue, sadly.

What would be your concern with unencrypted /boot? As long as the kernel and the initramfs are generic, they are not confidential, I guess. Would it be that someone could alter your boot partition when the laptop is unattended? If yes, maybe we could consider proposing an official way to set up a signed, unencrypted standalone EFI image, similar to what Sören is doing[1]?

Thanks,

Mathieu

[1]: https://lists.gnu.org/archive/html/guix-devel/2026-02/msg00141.html
