[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Encrypted root partition

From: Chris Marusich
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 03:38:57 -0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Chris Marusich <address@hidden> writes:

> address@hidden (Ludovic Courtès) writes:
>> Chris Marusich <address@hidden> skribis:
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>> it up on my laptop, anyway.
>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>> Please send a patch if you think of improvements that can be made.
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop.  I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!
> This is really good!  Thank you for adding this feature.

As a bonus, I realized that one could use this feature to encrypt swap,
also.  You can encrypt your swap area by using a swap file in the root
file system.  Specifically, if you do something like this...

 # Make the file readable/writable only by root.
 sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
 sudo chmod 600 /swapfile
 sudo mkswap --label swap /swapfile

and then you add a single line to your operating system configuration
file like this...

 (swap-devices '("/swapfile"))

then your swap file will be automatically mounted during boot.  You
don't even have to enter your LUKS passphrase an additional time.  I was
pleasantly surprised to find out that encrypted swap was this easy!


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]