From: Chris Marusich <cmmarusich@gmail.com>
To: Benjamin Slade <beoram@gmail.com>
Cc: help-guix@gnu.org
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Thu, 02 Aug 2018 01:24:31 -0700
Message-ID: <877el9ch1c.fsf@gmail.com>
In-Reply-To: <87in4tgbg4.fsf@jnanam.net> (Benjamin Slade's message of "Wed, 01 Aug 2018 12:59:23 -0600")

Benjamin Slade <beoram@gmail.com> writes:

> Doing a full LUKS-encryption on root, including /boot results in very
> slow unlocking at boot (about 30 secs even with --iter set to 1000). Is
> there any way to do an unencrypted /boot with an encrypted root?

At that stage, is it GRUB that is unlocking the encrypted volume?  If
so, I think this is normal.

I don't know much about the details, but it seems GRUB's implementation
of the LUKS-related cryptographic algorithms is significantly slower
than the one used by Linux later in the boot process.  Because you (I
presume) created the LUKS key using cryptsetup from within a running
GNU/Linux system, it probably ran the PBKDF2 algorithm for a short
period of time using the more performant algorithms, and in order for
GRUB to perform the same number of iterations, it takes longer.

For what it's worth, GRUB is slow in unlocking my encrypted volumes,
too.  It takes about 30 seconds for me, too.  If you're concerned, you
can try using cryptsetup's --iter-time option to lower the number of
iterations, but keep in mind that will also make it easier to crack your
passphrase.

Hope that helps!

-- 
Chris
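
The effect described in the message above, as an added example that is not part of the original email: an iteration count calibrated by time on a fast PBKDF2 implementation is then replayed on a slower one, which derives the same key but takes longer. The pure-Python function is only a stand-in for a slow implementation (it is not GRUB's code), and PBKDF2-HMAC-SHA256, the function names and the sample passphrase and salt are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

def pbkdf2_slow(password, salt, iterations, dklen=32):
    """Pure-Python PBKDF2-HMAC-SHA256 (RFC 8018); stand-in for a slow implementation."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")  # XOR-accumulate every round's output
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]

def pbkdf2_fast(password, salt, iterations, dklen=32):
    """Optimized library PBKDF2; stand-in for the code used when the key slot was created."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)

def timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start

def calibrate(target_seconds, probe=20_000):
    """Choose an iteration count that costs about target_seconds on the fast path."""
    _, elapsed = timed(pbkdf2_fast, b"probe", b"probe-salt", probe)
    return max(1000, int(probe * target_seconds / elapsed))

def compare(target_seconds=0.05):
    password, salt = b"constructed passphrase", b"constructed-salt"  # constructed sample inputs
    iterations = calibrate(target_seconds)  # fixed once, at creation time
    key_fast, fast_s = timed(pbkdf2_fast, password, salt, iterations)
    key_slow, slow_s = timed(pbkdf2_slow, password, salt, iterations)
    return {"iterations": iterations, "same_key": key_fast == key_slow,
            "fast_s": fast_s, "slow_s": slow_s}

if __name__ == "__main__":
    r = compare()
    print(f"iterations fixed at creation time: {r['iterations']}")
    print(f"fast implementation: {r['fast_s']:.3f}s  slow implementation: {r['slow_s']:.3f}s")
    print(f"same derived key: {r['same_key']}; slowdown x{r['slow_s'] / r['fast_s']:.1f}")
```

Halving the iteration count halves the unlock time on both implementations and equally halves the work needed for each passphrase guess.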
