On 04.06.2016 20:31, B. S. wrote:
>>> Yeah, when it comes to FDE, you either have to make your peace with
>>> trusting the manufacturer, or you can't. If you are going to boot
>>> your system with a traditional boot loader, an unencrypted partition
>>> is mandatory.
>>
>> No, it is not with grub2 that supports LUKS (and geli in the *BSD world). Of
>> course the initial grub image must be written outside the encrypted area and
>> be readable by the firmware.
>
> Good to know. Do you have a link to a how-to on such?
>
As long as you use grub-install and grub-mkconfig this "just works", in the sense that they both detect the encrypted container and add the necessary drivers and other steps to access it. The only manual setup is to add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub. You will need to enter the LUKS password twice: once in GRUB, once in the kernel (there is no interface for passing the passphrase from the bootloader to the Linux kernel). Some suggest including the passphrase in the initrd (on the assumption that it is encrypted anyway already); there are patches to support use of an external keyfile in grub as well.