Re: LUKS-encrypted root and unencrypted /boot ?

From: Chris Marusich
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Thu, 02 Aug 2018 01:24:31 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Benjamin Slade <address@hidden> writes:

> Doing a full LUKS-encryption on root, including /boot results in very
> slow unlocking at boot (about 30 secs even with --iter set to 1000). Is
> there any way to do an unencrypted /boot with an encrypted root?

At that stage, is it GRUB that is unlocking the encrypted volume?  If
so, I think this is normal.

I don't know much about the details, but it seems GRUB's implementation
of the LUKS-related cryptographic algorithms is significantly slower
than the one used by Linux later in the boot process.  Because you (I
presume) created the LUKS key using cryptsetup from within a running
GNU/Linux system, it probably ran the PBKDF2 algorithm for a short
period of time using the more performant algorithms, and in order for
GRUB to perform the same number of iterations, it takes longer.

For what it's worth, GRUB is slow in unlocking my encrypted volumes,
too.  It takes about 30 seconds for me, too.  If you're concerned, you
can try using cryptsetup's --iter-time option to lower the number of
iterations, but keep in mind that will also make it easier to crack your

Hope that helps!


Attachment: signature.asc
Description: PGP signature
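
Added example (not part of the original message, and not code from GRUB or cryptsetup): the iteration count stored in the LUKS header is fixed when the key slot is created, so any implementation that unlocks the volume must run the same number of PBKDF2 rounds to derive the same key. Here a deliberately unoptimized PBKDF2 stands in for a slow implementation and OpenSSL-backed `hashlib.pbkdf2_hmac` for a fast one; the SHA-256 hash, the passphrase, the salt and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

def pbkdf2_slow(password, salt, iterations, dklen=32):
    """Textbook PBKDF2-HMAC-SHA256 (RFC 8018), deliberately unoptimized."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U1 = HMAC(P, S || INT(block)); T = U1 xor U2 xor ... xor Uc
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]

def pbkdf2_fast(password, salt, iterations, dklen=32):
    """Same function computed by the optimized C implementation."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)

def timed(fn, *args):
    start = time.perf_counter()
    key = fn(*args)
    return key, time.perf_counter() - start

def iterations_for(target_seconds, probe=20000):
    """Benchmark the fast implementation and scale the iteration count to a
    time budget, which is the idea behind a time-based setting like --iter-time."""
    _, elapsed = timed(pbkdf2_fast, b"probe", b"probe-salt", probe)
    return max(1000, int(probe * target_seconds / elapsed))

def compare(password, salt, iterations):
    """Return (keys_match, fast_seconds, slow_seconds) for one iteration count."""
    fast_key, fast_s = timed(pbkdf2_fast, password, salt, iterations)
    slow_key, slow_s = timed(pbkdf2_slow, password, salt, iterations)
    return fast_key == slow_key, fast_s, slow_s

if __name__ == "__main__":
    # Constructed inputs: count calibrated for 50 ms on the fast implementation.
    n = iterations_for(0.05)
    same, fast_s, slow_s = compare(b"constructed passphrase", b"constructed-salt", n)
    print(f"iterations={n} keys_match={same}")
    print(f"fast={fast_s:.3f}s slow={slow_s:.3f}s ratio={slow_s / fast_s:.1f}x")
```

The printed ratio is the extra wait the slower implementation imposes for an identical key; a lower iteration count shortens both times by the same factor and reduces the work per passphrase guess by that factor as well.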
