Chris Marusich <cmmarus...@gmail.com> wrote:

> Chris Marusich <cmmarus...@gmail.com> writes:
>
>> l...@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich <cmmarus...@gmail.com> wrote:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it. I'm interested in trying to set
>>>> it up on my laptop, anyway.
>>>
>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop. I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> This is really good! Thank you for adding this feature.
>
> As a bonus, I realized that one could use this feature to encrypt swap,
> also. You can encrypt your swap area by using a swap file in the root
> file system. Specifically, if you do something like this...
>
>     # Make the file readable/writable only by root.
>     sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
>     sudo chmod 600 /swapfile
>     sudo mkswap --label swap /swapfile
>
> and then you add a single line to your operating system configuration
> file like this...
>
>     (swap-devices '("/swapfile"))

You may even be able to use /dev/mapper/something-encrypted here, albeit
with an additional passphrase prompt.

Ludo’.