On Fri, Feb 06, 2026 at 07:53:38AM -0500, Christine Lemmer-Webber wrote:
> - It's painful with full disk encryption even then, because you have to
>   type your passphrase twice. And the first time you type it you're
>   stuck waiting for what feels like ages to find out if you entered it
>   right or not, and if you haven't, you have to start all over. And if
>   you have, you have to enter it *again*, with a "three strikes till a
>   rescue REPL" situation, which if you hit that it's the absolute worst
>   because then you have to start all over again.

I actually have a kinda silly setup for that.
My partitions consist of an unencrypted FAT32 /boot partition and the
encrypted main btrfs / partition.
I have a Python script[1] that finds all system profiles and parses the
grub.cfg to find all files needed to boot, patches the grub.cfg to
remove the stuff that tries to decrypt the second partition, builds a
single EFI executable that contains all files with no outside references
using grub-mkstandalone, and finally signs that file using sbctl with my
secure boot keys. The script can also optionally wrap each entry to use
Xen.

I found out that my firmware doesn't load the file if it's too big so I have
to clean out old revisions sometimes.

It would be nice if guix could somehow natively generate that standalone
executable so you could then manually sign it but my Python script will have
to suffice for now.

[1]: https://github.com/laura240406/guix-system/blob/master/scripts/copy_kernel.py
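The workflow described in the message above, as an added example that is not the linked copy_kernel.py nor part of the original thread: parse a grub.cfg, drop the lines that unlock the LUKS partition, collect the kernel and initrd paths the entries load, and assemble the grub-mkstandalone and sbctl invocations that bundle and sign them. The grub.cfg below is a constructed sample, the `x86_64-efi` target and the set of lines treated as "decrypt stuff" are assumptions, and the two external tools are only executed when they are on PATH and the caller asks for it.

```python
"""Added example: sketch of the standalone-EFI build described in the message.
Not the author's copy_kernel.py. Assumptions: the grub.cfg shape is a
constructed sample, the output format is x86_64-efi, and grub-mkstandalone /
sbctl are only run when present and dry_run=False."""
import re
import shlex
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample grub.cfg: one menu entry plus the LUKS unlock lines.
SAMPLE_GRUB_CFG = """\
insmod luks
insmod cryptodisk
cryptomount -u 00000000000000000000000000000000
set timeout=5
menuentry "GNU with Linux-Libre 6.12 (beta)" --class gnu.linux {
  linux /gnu/store/abc-linux-libre-6.12/bzImage --root=/dev/mapper/cryptroot gnu.system=/gnu/store/def-system
  initrd /gnu/store/ghi-raw-initrd/initrd.cpio.gz
}
"""

# Lines that exist only to unlock the encrypted partition (assumption: this
# is what "the stuff that tries to decrypt the second partition" covers).
DECRYPT_CMDS = ("cryptomount", "insmod luks", "insmod cryptodisk")

def strip_cryptomount(cfg):
    """Return cfg with the LUKS-unlock lines removed; everything else intact."""
    kept = [ln for ln in cfg.splitlines()
            if not ln.strip().startswith(DECRYPT_CMDS)]
    return "\n".join(kept) + "\n"

FILE_CMD = re.compile(r"^\s*(linux|initrd|module)\s+(\S+)")

def boot_files(cfg):
    """Absolute paths of every kernel/initrd/module a menu entry loads."""
    found = []
    for ln in cfg.splitlines():
        m = FILE_CMD.match(ln)
        if m and m.group(2) not in found:
            found.append(m.group(2))
    return found

def standalone_argv(cfg_path, out_path, files, fmt="x86_64-efi"):
    """grub-mkstandalone argv. Each SOURCE is image-path=host-path; the image
    paths mirror the paths grub.cfg uses so they resolve inside the memdisk
    that the standalone image sets as its root."""
    argv = ["grub-mkstandalone", "-O", fmt, "-o", str(out_path),
            f"boot/grub/grub.cfg={cfg_path}"]
    argv += [f"{p.lstrip('/')}={p}" for p in files]
    return argv

def sign_argv(efi_path):
    """sbctl sign -s: sign in place with the enrolled keys and record the
    file so a later `sbctl sign-all` re-signs it."""
    return ["sbctl", "sign", "-s", str(efi_path)]

def build_and_sign(cfg_text, out_path, dry_run=True):
    """Write the patched grub.cfg, then run (or just print) the two tool
    invocations. Returns the argv lists so callers can inspect them."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path = Path(tmp) / "grub.cfg"
        patched = strip_cryptomount(cfg_text)
        cfg_path.write_text(patched)
        steps = [standalone_argv(cfg_path, out_path, boot_files(patched)),
                 sign_argv(out_path)]
        for argv in steps:
            if dry_run or shutil.which(argv[0]) is None:
                print("would run:", shlex.join(argv))
            else:
                subprocess.run(argv, check=True)
        return steps

if __name__ == "__main__":
    build_and_sign(SAMPLE_GRUB_CFG, "/tmp/guix-standalone.efi")
```

Note that the kernel command line still names the mapped root device, so the initrd prompts for the passphrase once; only GRUB's own unlock is removed. Every store path the entries reference ends up inside the image, which is why the resulting file grows with each retained generation and can exceed what the firmware will load.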
