Hello all. I've added both LUKS and GELI (except version-0, big-endian volumes, keyfiles and HMAC) to my luks branch

> I've cleaned the patch (took a lot of time), not because I believe it's
> a useful feature but since it has become an often requested one.
> The branch is available at
> http://bzr.savannah.gnu.org/r/grub/branches/luks/ .
> You need to set GRUB_LUKS_ENABLE=y. Beware that:

It was renamed to GRUB_CRYPTODISK_ENABLE=y

> a) Crypto in GRUB is much less performant than in kernel due to
> unavailability of many accelerated instructions. So prepare for key
> recovery taking considerable time or decrease key strengthening.
> b) You'll need to enter passphrase twice. Once for GRUB, once for OS.
> c) Encrypting doesn't guarantee integrity. Your /boot can be tampered
> with even if it's encrypted and GRUB has no way of finding it out.
> Encryption is about secrecy and /boot doesn't contain anything secret.
> d) core is unencrypted (since BIOS has no encryption support)
> e) core needs a much bigger embedding zone
> f) no writing to luks as of now.
> But even regardless of all that criticism which puts this as
> low-priority, I'm fed up with feature requests and since unless it's
> activated manually LUKS in GRUB doesn't kick in, I've done the cleanup.
> Now you do the tests and report the results back
>

--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel