From: Benjamin Slade
To: help-guix@gnu.org
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Fri, 03 Aug 2018 11:07:19 -0600
Message-ID: <878t5nfkfs.fsf@jnanam.net>

On 2018-08-02T02:24:31-0600, Chris Marusich wrote:

> > Doing a full LUKS-encryption on root, including /boot results in
> > very slow unlocking at boot (about 30 secs even with --iter set to
> > 1000). Is there any way to do an unencrypted /boot with an
> > encrypted root?

> At that stage, is it GRUB that is unlocking the encrypted volume? If
> so, I think this is normal.

> For what it's worth, GRUB is slow in unlocking my encrypted volumes,
> too. It takes about 30 seconds for me, too. If you're concerned,
> you can try using cryptsetup's --iter-time option to lower the number
> of iterations, but keep in mind that will also make it easier to
> crack your passphrase.

Originally I had --iter set to '5000' and it took about 4 minutes to
unlock! I've shifted to using an unencrypted root and an encrypted
/home as a compromise that boots faster (and only requests the
password once).

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )