From: Pierre Neidhardt
Subject: Unencrypted boot with encrypted root
Date: Thu, 02 Apr 2020 10:59:30 +0200
Message-ID: <87ftdmi7pp.fsf@ambrevar.xyz>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi!
I've followed the doc / template to set up an encrypted system on my laptop:

--8<---------------cut here---------------start------------->8---
(mapped-devices
 (list (mapped-device
        (source (uuid "12345678-1234-1234-1234-123456789abc"))
        (target "my-root")
        (type luks-device-mapping))))

(file-systems
 (append
  (list (file-system
         (device (file-system-label "my-root"))
         (mount-point "/")
         (type "ext4")
         (dependencies mapped-devices))
        (file-system
         (device (uuid "1234-ABCD" 'fat))
         (mount-point "/boot/efi")
         (type "vfat")))
  %base-file-systems))
--8<---------------cut here---------------end--------------->8---

Problem is, I get prompted for the LUKS password twice: once before GRUB starts and once when booting an OS entry.

This is rather annoying (and quite slow by the way, it takes some 10-20 seconds) and probably not too useful.

Is it possible to prompt for the password only once?

I suppose that one way to do this is to make /boot a separate file system beside /boot/efi. All in all, the configuration would look like this:

--8<---------------cut here---------------start------------->8---
(mapped-devices
 (list (mapped-device
        (source (uuid "12345678-1234-1234-1234-123456789abc"))
        (target "my-root")
        (type luks-device-mapping))))

(file-systems
 (append
  (list (file-system
         (device (file-system-label "my-root"))
         (mount-point "/")
         (type "ext4")
         (dependencies mapped-devices))
        ;; Separate, unencrypted /boot so GRUB can read the kernel
        ;; without unlocking the LUKS volume.
        (file-system
         (device (file-system-label "boot"))
         (mount-point "/boot")
         (type "ext4"))
        (file-system
         (device (uuid "1234-ABCD" 'fat))
         (mount-point "/boot/efi")
         (type "vfat")))
  %base-file-systems))
--8<---------------cut here---------------end--------------->8---

We should probably update the doc and templates to explain this subtlety, since mistakes in the partition design are hard to recover after the fact :)

Insights?
-- 
Pierre Neidhardt
https://ambrevar.xyz/
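An added check, not from Pierre's message or from Guix itself, that classifies a mount layout into the two cases the message describes: /boot living inside the LUKS-mapped root (GRUB has to unlock the volume to read the kernel, then the initrd unlocks it again) versus a separate unencrypted /boot (only the initrd asks). The function names, the sample tables and the device names in them are constructed for this example; the `live_table` helper shows how the same table can be produced from a running system with `findmnt` and `lsblk`.

```shell
#!/bin/sh
# Classify a mount table into the prompt behaviour described in the mail.
# Table format (constructed here; one mount per line):
#   TARGET SOURCE TYPE
# where TYPE is the lsblk device type of SOURCE: "crypt" for a dm-crypt
# mapping such as /dev/mapper/my-root, "part" for a plain partition.
classify_layout() {
  table=$1
  root_type=$(printf '%s\n' "$table" | awk '$1 == "/"     { print $3 }')
  boot_type=$(printf '%s\n' "$table" | awk '$1 == "/boot" { print $3 }')

  if [ "$root_type" != "crypt" ]; then
    echo "no-luks-root"      # nothing to unlock for /, out of scope here
  elif [ -z "$boot_type" ]; then
    echo "double-prompt"     # /boot is a directory of the encrypted root:
                             # GRUB unlocks it, then the initrd does again
  elif [ "$boot_type" = "crypt" ]; then
    echo "double-prompt"     # separate /boot, but itself on a LUKS mapping
  else
    echo "single-prompt"     # plain /boot: GRUB reads kernel and initrd
                             # in the clear, only the initrd prompts
  fi
}

# Build the same table from a live system (real findmnt/lsblk options).
# Pseudo file systems (proc, sysfs, ...) yield an empty TYPE and are ignored.
live_table() {
  findmnt -rno TARGET,SOURCE | while read -r target source; do
    printf '%s %s %s\n' "$target" "$source" \
      "$(lsblk -dno TYPE "$source" 2>/dev/null)"
  done
}

# Constructed samples mirroring the two configurations in the mail.
# First config: only / and /boot/efi, so /boot sits inside the LUKS root.
LAYOUT_BOOT_IN_ROOT='/ /dev/mapper/my-root crypt
/boot/efi /dev/sda1 part'

# Second config: a separate, unencrypted /boot beside /boot/efi.
LAYOUT_SEPARATE_BOOT='/ /dev/mapper/my-root crypt
/boot /dev/sda2 part
/boot/efi /dev/sda1 part'

# Run against the live system with: sh this-script.sh --live
if [ "${1:-}" = "--live" ]; then
  classify_layout "$(live_table)"
fi
```

Note that the "single-prompt" layout stores the kernel and initrd unencrypted, so only the root file system's contents are protected at rest.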