Mathieu Othacehe <[email protected]> writes:

> Hello,
>
>> Christine Lemmer-Webber <[email protected]> writes:
>>
>>> - It's painful with full disk encryption even then, because you have to
>>> type your passphrase twice.
>>
>> This has not been the case for quite some time now. Sure, it requires
>> some configuration, but it can be done. For all my machines I am typing
>> my passphrase just once. Sure, it is the first one, so it takes a
>> *long* time, though since it is just one passphrase, I usually just
>> make a coffee or something while waiting.
>
> I just performed a Guix System 1.5.0 installation with full-disk
> encryption in a VM. On the installed system, the password needs to be
> typed twice: in GRUB and in the initramfs.
I suppose no one adjusted the installer.

> Maybe for the next release, we should aim for an installer that creates
> a configuration where only one password input is necessary. The
> extra-initrd proposal feels a bit hacky to be the one proposed by the
> installer.

As the original author of the extra-initrd approach I am obviously
somewhat biased, but it seems... fine? It is based on the
recommendations from the Archlinux wiki, adjusted for our needs.

> Two alternatives come to my mind:
>
> 1. Make sure that all the kernels/initramfs of the live generations have
> a copy in /boot.

My understanding is that you need to enter the password twice due to:

1. GRUB needs to access its configuration <-- Password #1
2. GRUB shows the menu and starts the boot process
3. The initrd is loaded
4. The initrd needs to pivot to the real root <-- Password #2

So I admit I am unsure what having a copy directly in /boot solves. GRUB
already has access to /gnu/store after you unlock the root for the first
time.

> 2. Have the store in a dedicated, unencrypted partition.

This seems unwise. The files in the store are not authenticated in any
way, so I would prefer having them encrypted.

> Any other alternatives :) ?

Not really :)

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
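For readers following the thread, here is the single-passphrase layout the extra-initrd approach produces, written out as an added example (editor's illustration, not a configuration posted in the thread or generated by the Guix installer). It pairs the `extra-initrd` field of `bootloader-configuration` with `luks-device-mapping-with-options` and its `#:key-file` argument, so that GRUB prompts for the passphrase once (step 1 above) and the initrd unlocks the root with a key file instead of prompting again (step 4). The host name, both UUIDs and the `/key-file.bin` / `/key-file.cpio` paths are assumptions chosen for illustration.

```scheme
;; Added example, not from the thread: a Guix System configuration in
;; which the LUKS passphrase is typed once, in GRUB.  The initrd then
;; unlocks the root with a key file shipped in an extra initrd.
;; Host name, UUIDs and file names are assumptions for illustration.
(use-modules (gnu))

(operating-system
  (host-name "crypt-example")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets (list "/boot/efi"))
    ;; cpio archive containing /key-file.bin.  GRUB loads it after the
    ;; first unlock, so it lives on the encrypted root, never on the
    ;; unencrypted EFI system partition.
    (extra-initrd "/key-file.cpio")))

  (mapped-devices
   (list (mapped-device
          ;; UUID of the LUKS container (assumed value).
          (source (uuid "6cd3f0f7-4a1e-4b5c-9d0a-1b2c3d4e5f60"))
          (target "cryptroot")
          ;; Unlock with the key file from the extra initrd instead of
          ;; asking for the passphrase a second time.
          (type (luks-device-mapping-with-options
                 #:key-file "/key-file.bin")))))

  (file-systems
   (cons* (file-system
           (mount-point "/")
           (device "/dev/mapper/cryptroot")
           (type "ext4")
           (dependencies mapped-devices))
          (file-system
           ;; EFI system partition (assumed UUID); holds no secrets.
           (mount-point "/boot/efi")
           (device (uuid "1A2B-3C4D" 'fat32))
           (type "vfat"))
          %base-file-systems)))
```

Before reconfiguring with this, create the key material on the encrypted root as root: generate a random key (for instance 4096 bytes from /dev/urandom into /key-file.bin), add it to the LUKS container as an additional key slot with `cryptsetup luksAddKey`, keep the original passphrase slot so the GRUB prompt and the interactive initrd fallback still work, pack the key into the archive with `echo key-file.bin | cpio -oc > key-file.cpio` run from `/`, and make both files mode 0000 so only root can read them. The security of this arrangement rests on both files sitting inside the volume they unlock: an attacker without the GRUB passphrase cannot read the key file, and an attacker who has the passphrase already has everything. Placing the cpio on an unencrypted partition would hand out the key and reduce the setup to no encryption at all, which is the same objection the reply raises against an unencrypted store.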
