From: Chris Marusich
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Thu, 02 Aug 2018 01:24:31 -0700
Message-ID: <877el9ch1c.fsf@gmail.com>
In-Reply-To: <87in4tgbg4.fsf@jnanam.net> (Benjamin Slade's message of "Wed, 01 Aug 2018 12:59:23 -0600")
To: Benjamin Slade
Cc: help-guix@gnu.org

Benjamin Slade writes:

> Doing a full LUKS-encryption on root, including /boot results in very
> slow unlocking at boot (about 30 secs even with --iter set to 1000). Is
> there any way to do an unencrypted /boot with an encrypted root?

At that stage, is it GRUB that is unlocking the encrypted volume? If so, I think this is normal. I don't know much about the details, but it seems GRUB's implementation of the LUKS-related cryptographic algorithms is significantly slower than the one used by Linux later in the boot process.
Because you (I presume) created the LUKS key using cryptsetup from within a running GNU/Linux system, it probably ran the PBKDF2 algorithm for a short period of time using the more performant algorithms, and in order for GRUB to perform the same number of iterations, it takes longer.

For what it's worth, GRUB is slow in unlocking my encrypted volumes, too. It takes about 30 seconds for me, too.

If you're concerned, you can try using cryptsetup's --iter-time option to lower the number of iterations, but keep in mind that will also make it easier to crack your passphrase.

Hope that helps!

-- 
Chris
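The mechanism Chris describes, as an added illustration (this is not code from the thread or from the Guix project): cryptsetup honours --iter-time by benchmarking its own PBKDF2 on the running system and storing the resulting iteration count in the LUKS header; GRUB then has to grind through exactly that many iterations with its slower implementation. The script below measures PBKDF2-HMAC-SHA256 speed with Python's hashlib, projects the unlock time in an unlocker that is a given factor slower, and works out the --iter-time budget that would bring a slow unlocker down to a target. The slowdown factor of 30 is an assumed value for illustration, not a measurement of GRUB; the 1000-iteration floor mirrors cryptsetup's minimum for PBKDF2. One caveat worth keeping in mind: a lower --iter-time lowers the cost of offline guessing against the header by the same factor, so it is a trade of boot time against passphrase strength, not a free win.

```python
"""Why a LUKS passphrase that unlocks quickly under Linux can take ~30 s in GRUB.

cryptsetup chooses the PBKDF2 iteration count by running its own (fast) PBKDF2
for --iter-time milliseconds.  GRUB must later perform the same number of
iterations with its own, slower, implementation.  Added example; the slowdown
factor used below is an assumption for illustration, not a measured GRUB figure.
"""
import hashlib
import os
import time

HASH = "sha256"    # LUKS1 default hash spec in cryptsetup
KEY_BYTES = 64     # 512-bit master key, as used with aes-xts-plain64
MIN_ITERATIONS = 1000   # cryptsetup will not go below this for PBKDF2


def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """The PBKDF2-HMAC derivation both cryptsetup and GRUB have to perform."""
    return hashlib.pbkdf2_hmac(HASH, passphrase, salt, iterations, dklen=KEY_BYTES)


def seconds_per_iteration(sample_iterations: int = 100_000) -> float:
    """Benchmark this machine's PBKDF2 speed, as cryptsetup does for --iter-time."""
    salt = os.urandom(32)   # throwaway salt; only the timing matters here
    start = time.perf_counter()
    derive_key(b"benchmark passphrase", salt, sample_iterations)
    return (time.perf_counter() - start) / sample_iterations


def iterations_for_iter_time(iter_time_ms: int, sec_per_iter: float) -> int:
    """Approximate count cryptsetup --iter-time=<ms> would store at this speed."""
    return max(MIN_ITERATIONS, int(iter_time_ms / 1000 / sec_per_iter))


def projected_unlock_seconds(iterations: int, sec_per_iter: float, slowdown: float) -> float:
    """Unlock time in an unlocker whose PBKDF2 is `slowdown` times slower."""
    return iterations * sec_per_iter * slowdown


def iter_time_for_target(target_unlock_s: float, slowdown: float) -> int:
    """--iter-time (ms) to give cryptsetup so the slow unlocker meets the target.

    cryptsetup calibrates on the fast implementation, so its budget must be the
    desired slow-side time divided by the slowdown factor.
    """
    return max(1, int(target_unlock_s * 1000 / slowdown))


def main() -> None:
    assumed_slowdown = 30.0          # assumption: unlocker is 30x slower than hashlib
    sec = seconds_per_iteration()
    print(f"PBKDF2-HMAC-{HASH} here: {sec * 1e6:.2f} us per iteration")
    for iter_time_ms in (1000, 2000):
        n = iterations_for_iter_time(iter_time_ms, sec)
        slow = projected_unlock_seconds(n, sec, assumed_slowdown)
        print(f"--iter-time {iter_time_ms} -> ~{n} iterations, "
              f"~{slow:.1f} s in an unlocker {assumed_slowdown:.0f}x slower")
    budget = iter_time_for_target(2.0, assumed_slowdown)
    print(f"For ~2 s in the slow unlocker, pass --iter-time {budget} "
          f"(and accept a {1000 // budget}x cheaper offline guess)")


if __name__ == "__main__":
    main()
```

To apply the result to an existing volume, re-enrol the passphrase with `cryptsetup luksChangeKey --iter-time <ms> <device>` and confirm the per-slot count with `cryptsetup luksDump <device>`; the unlock time in GRUB scales linearly with the iteration count shown there.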