Hi Mathieu,

Mathieu Othacehe <[email protected]> writes:

> Hey Maxim,
>
>> I think it would be good to have that as one option; but ideally I'd
>> prefer if we had some auto-configuration in the installer for using a
>> fully encrypted partition including /boot and /gnu/store that would use
>> a secret key baked in the initrd, like what Tomas is doing, as I don't
>> like to expose unencrypted boot files.
>>
>> It'd be nice to improve the code that GRUB uses to do the
>> decryption... it's so slow that I dread the times I need to reboot my
>> machine ^^'.
>
> Yes, I have also witnessed during Guix Days that some Guix System
> laptops with full-disk encryption were taking ages to boot :)
>
> So this two-times password issue is one thing, but fixing the super-slow
> disk decryption in Grub is maybe even more important. Having a secret
> in the initrd would only help for the first issue, sadly.

I think that's correct.

> What would be your concern with unencrypted /boot? As long as the kernel
> and the initramfs are generic they are not confidential, I guess. Would
> it be that someone could alter your boot partition when the laptop is
> unattended? If yes, maybe we could consider proposing an official way
> to set up a signed, unencrypted standalone EFI image, similar to what
> Sören is doing[1]?

I think the concern is opening up extra surface for attack (vulnerable to
e.g. evil maid attacks). Having a way to set up some secure boot would
mitigate it and be nice; encrypted /boot is still appealing to reduce the
exposed surface as much as possible.

--
Thanks,
Maxim
