Benjamin Slade writes: > Doing a full LUKS-encryption on root, including /boot results in very > slow unlocking at boot (about 30 secs even with --iter set to 1000). Is > there any way to do an unencrypted /boot with an encrypted root? At that stage, is it GRUB that is unlocking the encrypted volume? If so, I think this is normal. I don't know much about the details, but it seems GRUB's implementation of the LUKS-related cryptographic algorithms is significantly slower than the one used by Linux later in the boot process. Because you (I presume) created the LUKS key using cryptsetup from within a running GNU/Linux system, it probably ran the PBKDF2 algorithm for a short period of time using the more performant algorithms, and in order for GRUB to perform the same number of iterations, it takes longer. For what it's worth, GRUB is slow in unlocking my encrypted volumes, too. It takes about 30 seconds for me, too. If you're concerned, you can try using cryptsetup's --iter-time option to lower the number of iterations, but keep in mind that will also make it easier to crack your passphrase. Hope that helps! -- Chris