Chris Marusich writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Chris Marusich skribis:
>>
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>> it up on my laptop, anyway.
>>
>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>
>> Please send a patch if you think of improvements that can be made.
>
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop.  I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!
>
> This is really good!  Thank you for adding this feature.

As a bonus, I realized that one could use this feature to encrypt swap,
also.  You can encrypt your swap area by using a swap file in the root
file system.  Specifically, if you do something like this...

    # Make the file readable/writable only by root.
    sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
    sudo chmod 600 /swapfile
    sudo mkswap --label swap /swapfile

and then you add a single line to your operating system configuration
file like this...

    (swap-devices '("/swapfile"))

then your swap file will be automatically mounted during boot.  You
don't even have to enter your LUKS passphrase an additional time.

I was pleasantly surprised to find out that encrypted swap was this
easy!

-- 
Chris
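A check one could run after rebooting into the new configuration, added here as an example and not part of the message above: it confirms that the swap file is root-only, that the file system holding it sits on a dm-crypt layer, and that it is active. The function names are hypothetical, and it assumes util-linux's `findmnt` and `lsblk` are installed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; /swapfile is the path used in the message above.

# Succeed only if FILE is a regular file with mode 600 owned by UID
# (default 0, i.e. root). Uses POSIX find, so GNU stat is not needed.
swapfile_perms_ok() {
    path=$1
    want_uid=${2:-0}
    [ -n "$(find "$path" -prune -type f -perm 600 -user "$want_uid" 2>/dev/null)" ]
}

# Read `lsblk -slno TYPE <device>` output on stdin (the device and every
# layer beneath it) and succeed if one of the layers is a dm-crypt mapping.
stack_has_crypt() {
    grep -qx 'crypt'
}

# Succeed if FILE is listed as an active swap area in /proc/swaps.
swap_is_active() {
    awk -v f="$1" 'NR > 1 && $1 == f { found = 1 } END { exit !found }' /proc/swaps
}

# Run all three checks against the live system.
check_encrypted_swapfile() {
    file=$1
    swapfile_perms_ok "$file" || { echo "$file: expected a root-owned regular file, mode 600" >&2; return 1; }
    # Device backing the file system that holds FILE; strip a btrfs "[/subvol]" suffix.
    dev=$(findmnt -no SOURCE -T "$file") || return 1
    dev=${dev%%\[*}
    lsblk -slno TYPE "$dev" | stack_has_crypt || { echo "$dev: no dm-crypt layer below $file" >&2; return 1; }
    swap_is_active "$file" || { echo "$file: not active in /proc/swaps" >&2; return 1; }
    echo "$file: mode 600, on dm-crypt-backed $dev, active"
}

# Usage: sh check-swapfile.sh /swapfile
if [ "$#" -gt 0 ]; then
    check_encrypted_swapfile "$1"
fi
```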