[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#38924: Encrypted root volume requires passphrase twice on boot
From: |
Tobias Geerinckx-Rice |
Subject: |
bug#38924: Encrypted root volume requires passphrase twice on boot |
Date: |
Sat, 04 Jan 2020 20:56:44 +0100 |
Matthew,
Matthew Leach 写道:
I've setup guix on two machines each one of them with an
encrypted root
partition. However, on boot I'm prompted for my passphrase
twice, once
before the grub menu is shown and second after Linux has started
and
launched guile as init.
Unfortunately, this is expected.
GRUB needs to decrypt the volume to load the Linux-Libre kernel
and initrd, and there's no agreed-upon secure way for GRUB to pass
the passphrase or key to the kernel/initrd. So you're prompted
for it again when the volume is actually mounted by the kernel.
I would expect to have to only enter my passphrase once per
boot.
Most distributions hack around this limitation by including the
unencrypted LUKS key in the initrd on the encrypted volume itself.
Guix doesn't currently have any code to do the same.
This has been a problem for years but, by sheer coincidence, Jakub
Kądziołka (CC'd) mentioned that this was on their to-do list for
next week.
Kind regards,
T G-R
signature.asc
Description: PGP signature