Hi Tomas,

Tomas Volf <[email protected]> writes:

> Mathieu Othacehe <[email protected]> writes:
>
>> Two alternatives come to my mind:
>>
>> 1. Make sure that all the kernels/initramfs of the live generations have
>> a copy in /boot.
>
> My understanding is that you need to enter the password twice due to:
>
> 1. GRUB needs to access its configuration <-- Password #1

This is not accurate. That's just one part, the configuration. But apart
from the GRUB's configuration you also need the kernel and initrd so that
GRUB can actually boot into the system. Even if /boot is on an unencrypted
partition right now, you still need to type this password. You need both
/gnu/store and /boot on an unencrypted partition to not have to type it.

> 2. GRUB shows the menu and starts the boot process
> 3. The initrd is loaded
> 4. The initrd needs to pivot to the real root <-- Password #2
>
> So I admit I am unsure what having a copy directly in /boot solves.

It solves the situation where /boot is unencrypted, but /gnu/store is
encrypted. In this case, you will not need to unlock the partition with
/gnu/store when you copy the kernel and initrd over. It's for example what
NixOS is doing.

> GRUB already has access to /gnu/store after you unlock the root for the
> first time.

Rutherther
