guix-devel

Re: Encrypted root partition


From: Chris Marusich
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 03:38:57 -0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Chris Marusich <address@hidden> writes:

> address@hidden (Ludovic Courtès) writes:
>
>> Chris Marusich <address@hidden> skribis:
>>
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>> it up on my laptop, anyway.
>>
>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>
>> Please send a patch if you think of improvements that can be made.
>
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop.  I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!
>
> This is really good!  Thank you for adding this feature.

As a bonus, I realized that one could use this feature to encrypt swap,
also.  You can encrypt your swap area by using a swap file in the root
file system.  Specifically, if you do something like this...

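 # Create a 10 GiB zero-filled file to hold the swap area.
 sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
 # Make the file readable/writable only by root.
 sudo chmod 600 /swapfile
 # Write the swap signature and label the area "swap".
 sudo mkswap --label swap /swapfile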

and then you add a single line to your operating system configuration
file like this...

 (swap-devices '("/swapfile"))

then your swap file will be automatically mounted during boot.  You
don't even have to enter your LUKS passphrase an additional time.  I was
pleasantly surprised to find out that encrypted swap was this easy!

-- 
Chris
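
As an added example that is not part of the original message: a shell audit of what the setup above relies on, namely that every active swap area has a dm-crypt (LUKS) layer underneath it and that a swap file has mode 600. The function names and the script file name are hypothetical; it assumes Linux with util-linux `lsblk` and `findmnt` and GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.
# Assumes Linux with util-linux (lsblk, findmnt) and GNU stat.

# Print "path type" for each active swap area in a /proc/swaps-format file.
swap_areas() { awk 'NR > 1 { print $1, $2 }' "${1:-/proc/swaps}"; }

# True if the permission bits are exactly 600 (owner read/write only).
mode_is_600() { [ "$(stat -c %a "$1")" = "600" ]; }

# True if the lsblk TYPE lines on stdin include a dm-crypt mapping.
has_crypt_layer() { grep -qx crypt; }

# Block device behind a swap area: for a swap file, the device of the
# file system that holds it; for a partition, the device itself.
backing_device() {
    case "$2" in
        file) findmnt -n -o SOURCE -T "$1" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Report swap areas with no dm-crypt layer underneath, and swap files whose
# mode is not 600. Returns 0 only when every active swap area passes.
audit_swap() {
    rc=0
    while read -r path type; do
        [ -n "$path" ] || continue
        dev=$(backing_device "$path" "$type")
        # -s lists the device and everything beneath it, so LVM on LUKS is covered.
        if ! lsblk -s -l -n -o TYPE "$dev" 2>/dev/null | has_crypt_layer; then
            echo "NOT ENCRYPTED: $path (backed by ${dev:-unknown})"; rc=1
        fi
        if [ "$type" = file ] && ! mode_is_600 "$path"; then
            echo "MODE NOT 600: $path"; rc=1
        fi
    done <<EOF
$(swap_areas "${1:-/proc/swaps}")
EOF
    return "$rc"
}

# Run the audit only when asked: sh audit-swap.sh --audit (hypothetical file name)
if [ "${1:-}" = "--audit" ]; then audit_swap; exit $?; fi
```

A swap partition that is not opened through a mapped device shows up here as NOT ENCRYPTED, which is the case the swap-file-on-encrypted-root layout avoids.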
