fnichol/arch-linux-installer

feat: LUKS2 for boot pool

ne9z opened this issue · 3 comments

ne9z commented

I have now submitted a PR for LUKS2 boot pool encryption here, albeit PBKDF2-only.

There are two changes:

  • Use --type luks2, but for the passphrase slot, which is handled by GRUB, use --pbkdf pbkdf2.
  • GRUB still has trouble adding appropriate menu entries for decryption; this part is handled manually via a snippet in /etc/grub.d/.

```sh
tee -a /etc/grub.d/09_bpool_luks2-decryption <<FOE
#!/bin/sh
# Emit the GRUB commands that load the LUKS2/PBKDF2 modules and
# unlock the boot pool on the (hard-coded) second GPT partition.
cat <<EOF
insmod luks2
insmod pbkdf2
insmod part_gpt
insmod gcry_rijndael
insmod gcry_sha256
insmod cryptodisk
cryptomount hd0,gpt2
EOF
FOE

chmod +x /etc/grub.d/09_bpool_luks2-decryption
```

This snippet lets GRUB load the relevant modules and decrypts the hard-coded second partition.
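As an added example (not code from the PR or this repository), a POSIX sh check that the keyslot GRUB has to open really uses PBKDF2 before the snippet above is relied on, since the passphrase slot must be `--pbkdf pbkdf2` for GRUB's luks2 module to derive its key; the `cryptsetup luksDump` excerpt is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example: verify the boot-pool keyslot GRUB will open uses PBKDF2.
# SAMPLE_DUMP is a constructed `cryptsetup luksDump` excerpt (values made up);
# in practice pipe `cryptsetup luksDump /dev/<bpool-partition>` into slot_pbkdf.
SAMPLE_DUMP='LUKS header information
Version:       	2
Keyslots:
  0: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 1000000
  1: luks2
	Key:        512 bits
	Cipher:     aes-xts-plain64
	PBKDF:      argon2id
	Time cost:  4
Digests:
  0: pbkdf2
	Hash:       sha256
'

# slot_pbkdf DUMP SLOT: print the PBKDF algorithm of keyslot SLOT in DUMP
# (prints nothing when the slot does not exist).
slot_pbkdf() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }              # next top-level section
        in_slots && /^  [0-9]+: / { cur = $1; sub(":", "", cur) }
        in_slots && cur == want && $1 == "PBKDF:" { print $2; exit }
    '
}

# grub_can_unlock DUMP SLOT: succeed only if SLOT uses pbkdf2, the one PBKDF
# the GRUB luks2 module can use.
grub_can_unlock() {
    [ "$(slot_pbkdf "$1" "$2")" = pbkdf2 ]
}

# Run as a script: check slot 0 (the passphrase slot GRUB opens) of the sample.
if grub_can_unlock "$SAMPLE_DUMP" 0; then
    echo "slot 0: pbkdf2, GRUB can unlock it"
else
    echo "slot 0: $(slot_pbkdf "$SAMPLE_DUMP" 0), GRUB cannot unlock it" >&2
fi
```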

@ne9z This is excellent news, thank you so much. Managed to incorporate it in 5168dc3

I just tried this using the current ISO and received a "no such device" error on startup with GRUB. Switching to the old LUKS1 instructions resulted in a good install, so I think an additional package or config item may be needed to get this to work.

Ah, I think I might have seen this myself recently--I was installing on a physical machine so I may have pushed through rather than fix it as I couldn't easily "redo" the install. I'll run this in the next day or so to remind myself if I made a local fix or something else to get past.