From: Fredrik Salomonsson
Subject: Re: dvorak
Date: Tue, 8 May 2018 09:30:44 -0700
References: <8736z35h6b.fsf@santanas.co.za> <87po26puph.fsf@gmail.com>
In-Reply-To: <87po26puph.fsf@gmail.com>
To: Chris Marusich
Cc: help-guix

> Yes, entering the LUKS volume passphrase twice is normal, though I would
> love to hear about ways to improve it. As I understand it, both GRUB
> and Linux have to unlock the LUKS volume, and they do not by default
> coordinate in any way - that is why you have to enter it two times. I
> don't know how to arrange for a password to be entered only once, but I
> imagine that it may be possible, with varying degrees of security
> depending on the chosen solution.

You can use keyfiles to unlock the root partition. That's what I'm using
on my arch setup to only have to type in one passphrase instead of three
(GRUB, root, swap). No idea how you would translate this to GuixSD though.

2018-05-07 22:44 GMT-07:00 Chris Marusich:

> Divan Santana writes:
>
> > While talking about luks, is it normal/best practice to have the
> > passphrase on start up ask twice? Once for boot vol at grub, and once
> > for /root I suppose?
>
> Yes, entering the LUKS volume passphrase twice is normal, though I would
> love to hear about ways to improve it. As I understand it, both GRUB
> and Linux have to unlock the LUKS volume, and they do not by default
> coordinate in any way - that is why you have to enter it two times. I
> don't know how to arrange for a password to be entered only once, but I
> imagine that it may be possible, with varying degrees of security
> depending on the chosen solution.
>
> --
> Chris

--
s/Fred[re]+i[ck]+/Fredrik/g