GNU bug report logs - #55723
Full disk encryption with grub-efi and LUKS2

Previous Next

Full log

View this message in rfc822 format

From: Giovanni Biscuolo <g <at> xelera.eu>
To: Josselin Poiret <dev <at> jpoiret.xyz>, Lars-Dominik Braun <lars <at> 6xq.net>, 55723 <at> debbugs.gnu.org
Subject: bug#55723: Full disk encryption with grub-efi and LUKS2
Date: Thu, 02 Jun 2022 15:44:26 +0200

[Message part 1 (text/plain, inline)]

Hello Josselin and Lars-Dominik

Josselin Poiret via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

[...]

>> Supposedly there are also patches for grub-mkimage, but maybe we can
>> include a workaround like the above by default until then or remove the
>> section about LUKS2 entirely?
>
> Thank you for posting this bug and sorry for taking so long with this.
> I'd suggest that we instead add a warning that `/boot/` must be
> unencrypted for LUKS2+GRUB to work for now, possibly pointing to this
> bug.

As Josselin wrote in the proposed patch, actually /boot/ on LUKS1 is
working well

In case it is helpful, it's possible to "Downgrade" a LUKS2 volume to
LUKS1, I found this guide useful:
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

[...]

> to include.  My approach at [1] is to ask device-mapper directly, but
> there are also other patches trying various other methods, and the
> consensus now seems to be that each patch does one thing well and that
> we should combine all of the good parts.

Thank you very much for the update and the work on GRUB!

Please is there any upstream (GRUB) bug report we can point to in this
one so we can follow the situation and know when upsstream will release
the patch?

[...]

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.