GNU bug report logs - #25305
LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0

Previous Next

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Eddie Baxter <pieceredd <at> gmail.com>
Cc: 25305 <at> debbugs.gnu.org, help-guix <at> gnu.org
Subject: bug#25305: LUKS-encrypted root and unencrypted /boot with GuixSD 0.12.0
Date: Sat, 31 Dec 2016 00:52:04 +0100

Hello!

Eddie Baxter <pieceredd <at> gmail.com> skribis:

> I have attempted to install GuixSD on an encrypted root using LUKS, after
> reading the release notes for 0.12.0 that implies this should now work - My
> config.scm is linked:
>
> https://gist.github.com/AcouBass/3a1a6ab28c17830a175dc7da95eb18cd
>
> I don't get any errors on installation, nor upon doing a system
> reconfigure.
>
> At the moment I am still having to drop to a command prompt in Grub and use
> the commands:
>
>   insmod luks
>   cryptomount hd0,msdos2

The config has an unencrypted /boot and an encrypted root.  What’s
tested and known-good is a configuration with an encrypted root that
contains /boot, like the one here:

  https://www.gnu.org/software/guix/manual/html_node/Using-the-Configuration-System.html#index-encrypted-disk-1

It may be that this configuration is not correctly supported yet.

I’m Cc’ing bug-guix <at> gnu.org so we keep track of this issue.

> Which while it does work does mean I'm entering my passphrase twice
> (As well as having to drop to the Grub command line!)

The passphrase-twice issue seems hard to avoid: first GRUB needs to
access the partition, and then the kernel needs to access it.

If anyone is aware of ways to solve this, I’m all ears!

Thanks for your report!

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.