[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFT] LUKS and GELI (was Re: Luks inclusion)

From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: [RFT] LUKS and GELI (was Re: Luks inclusion)
Date: Mon, 25 Apr 2011 15:21:27 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20110402 Iceowl/1.0b2 Icedove/3.1.9

Hello all. I've added both LUKS and GELI (except version-0, big-endian
volumes, keyfiles and HMAC) to my luks branch

> I've cleaned the patch (took a lot of time), not because I believe it's
> a useful feature but since it has become an often requested one.
> The branch is available at
> .
> You need to set GRUB_LUKS_ENABLE=y. Beware that:
It was renamed to GRUB_CRYPTODISK_ENABLE=y
> a) Crypto in GRUB is much less performant than in kernel due to
> inavailability of many accelerated instructions. So prepare for key
> recovery taking considerable time or decrease key strengthening.
> b) You'll need to enter passphrase twice. Once for GRUB, once for OS.
> c) Encrypting doesn't guarantee integrity. Your /boot can be tempered
> with even if it's encrypted and GRUB has no way of finding it out.
> Encryption is about secrecy and /boot doesn't contain anything secret.
> d) core is unencrypted (since BIOS has no encryption support)
> e) core needs a much bigger embedding zone
> f) no writing to luks as of now.
> But even regardless of all that criticism which puts this as
> low-priority, I'm fed up with feature requests and since unless it's
> activated manually LUKS in GRUB doesn't kick in, I've done the cleanup.
> Now you do the tests and report the results back

Vladimir 'φ-coder/phcoder' Serbinenko

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]