Chris Marusich <cmmarus...@gmail.com> wrote:

> Chris Marusich <cmmarus...@gmail.com> writes:
>
>> l...@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich <cmmarus...@gmail.com> wrote:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>>> it up on my laptop, anyway.
>>>
>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop.  I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> This is really good!  Thank you for adding this feature.
>
> As a bonus, I realized that one could use this feature to encrypt swap,
> also.  You can encrypt your swap area by using a swap file in the root
> file system.  Specifically, if you do something like this...
>
>  # Create a 10 GiB file of zeros to hold the swap area.
>  sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
>  # Make the file readable/writable only by root.
>  sudo chmod 600 /swapfile
>  # Format the file as swap space.
>  sudo mkswap --label swap /swapfile
>
> and then you add a single line to your operating system configuration
> file like this...
>
>  (swap-devices '("/swapfile"))

You may even be able to use /dev/mapper/something-encrypted here, albeit
with an additional passphrase prompt.

Ludo’.
