Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-04 Thread Chris Marusich
Benjamin Slade writes: > I mused briefly about mirroring of the relevant things (kernels, initrd) > from /gnu/store to /boot, but that's probably pretty hack-y. The parts of GuixSD which require maintaining state outside of the store tend to be a little complicated (in my opinion) because they

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-04 Thread Benjamin Slade
> > Thanks, I'll look into that. For the moment I've just switched to > > having an unencrypted root and encrypted /home partition (where the > > swapfile also lives), > > ...which seems to me better from a security standpoint (I can > > use --iter 500, sha512, without an issue). > But

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-04 Thread Clément Lassieur
Benjamin Slade writes: > Thanks, Clément. You're welcome! > > > > Do you use Libreboot? > > > > > > Yes, I'm using Libreboot. Does this make a great difference over the > > > manufacturer firmware in this case? > > > It might, because the GRUB used is the one shipped with Libreboot. > >

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-04 Thread Benjamin Slade
Thanks, Clément. > > > Do you use Libreboot? > > > > Yes, I'm using Libreboot. Does this make a great difference over the > > manufacturer firmware in this case? > It might, because the GRUB used is the one shipped with Libreboot. > So it has nothing to do with Guix. I think talking to

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-03 Thread Clément Lassieur
Benjamin Slade writes: > > Do you use Libreboot? > > Yes, I'm using Libreboot. Does this make a great difference over the > manufacturer firmware in this case? It might, because the GRUB used is the one shipped with Libreboot. So it has nothing to do with Guix. I think talking to the

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-03 Thread Benjamin Slade
On 2018-08-02T02:24:31-0600, Chris Marusich wrote: > > Doing a full LUKS-encryption on root, including /boot results in > > very slow unlocking at boot (about 30 secs even with --iter set to > > 1000). Is there any way to do an unencrypted /boot with an > > encrypted root? > At that

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-03 Thread Benjamin Slade
> Do you use Libreboot? Yes, I'm using Libreboot. Does this make a great difference over the manufacturer firmware in this case? > I'm unsure [using an unencrypted /boot] would help, because GRUB > would still have to unencrypt / to access the kernel (the kernel is > in /gnu/store). Ah, I

Re: LUKS-encrypted root and unencrypted /boot ?

2018-08-02 Thread Chris Marusich
Benjamin Slade writes: > Doing a full LUKS-encryption on root, including /boot results in very > slow unlocking at boot (about 30 secs even with --iter set to 1000). Is > there any way to do an unencrypted /boot with an encrypted root? At that stage, is it GRUB that is unlocking the encrypted

LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0

2016-12-30 Thread Ludovic Courtès
Hello! Eddie Baxter writes: > I have attempted to install GuixSD on an encrypted root using LUKS, after > reading the release notes for 0.12.0 that implies this should now work - My > config.scm is linked: > >