
Bug#621788: Please support encryption without separate /boot, with encryption support in current GRUB2



> Current GRUB2 supports directly reading encrypted partitions via
> dm-crypt and LUKS.  This allows setting up an encrypted disk without a
> separate unencrypted /boot partition.  Please consider supporting this
> configuration in debian-installer.

Grub currently doesn't support LUKS2 very well.
For example, PBKDF2 has to be used instead of Argon2 for key derivation.
The Debian Installer currently doesn't allow changing this.

Even worse, I haven't had any success at creating a LUKS2 volume that
grub-efi-amd64-signed recognizes.

Additionally, partman doesn't recognize LUKS1 partitions well and cannot
create any either. This makes it much harder to install Debian on a
LUKS1 volume.

Please add support for this scenario, as the additional unencrypted
/boot partition is unnecessary on UEFI systems and increases the attack
surface of encrypted disks.
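
The KDF constraint described in the message above can be checked on an existing volume by reading which KDF each LUKS2 keyslot records in the header. This is an added example, not part of the original message or of any Debian or GRUB code; it assumes the LUKS2 on-disk layout from the cryptsetup specification (big-endian fields, JSON metadata following a 4096-byte binary header), and the function names and the sample header are constructed for illustration.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # fixed binary header; the JSON metadata area follows it


def keyslot_kdfs(header: bytes) -> dict:
    """Return {keyslot id: KDF type} for a LUKS2 header, {} for LUKS1."""
    if len(header) < 16 or header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    version, hdr_size = struct.unpack_from(">HQ", header, 6)
    if version == 1:
        return {}  # LUKS1 has no JSON area; its keyslots always use PBKDF2
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    if hdr_size <= BIN_HDR_SIZE or hdr_size > len(header):
        raise ValueError("header truncated or hdr_size invalid")
    # The JSON text is NUL-padded up to hdr_size.
    raw = header[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0]
    meta = json.loads(raw)
    return {slot: ks["kdf"]["type"] for slot, ks in meta.get("keyslots", {}).items()}


def non_pbkdf2_slots(header: bytes) -> list:
    """Keyslots that would need converting to PBKDF2 under the constraint above."""
    return sorted(s for s, kdf in keyslot_kdfs(header).items() if kdf != "pbkdf2")


def build_sample_header(kdfs: dict) -> bytes:
    """Constructed input: a minimal 16 KiB header with only the fields read above."""
    meta = {"keyslots": {s: {"type": "luks2", "kdf": {"type": k}}
                         for s, k in kdfs.items()}}
    json_area = json.dumps(meta).encode().ljust(12288, b"\0")
    fixed = LUKS_MAGIC + struct.pack(">HQ", 2, BIN_HDR_SIZE + len(json_area))
    return fixed.ljust(BIN_HDR_SIZE, b"\0") + json_area


if __name__ == "__main__":
    sample = build_sample_header({"0": "argon2id", "1": "pbkdf2"})
    print("keyslot KDFs:", keyslot_kdfs(sample))
    print("slots not using PBKDF2:", non_pbkdf2_slots(sample))
```

On a real volume, `cryptsetup luksDump` prints the same per-keyslot PBKDF information.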

