[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#621788: Please support encryption without separate /boot, with encryption support in current GRUB2

> Current GRUB2 supports directly reading encrypted partitions via
> dm-crypt and LUKS.  This allows setting up an encrypted disk without a
> separate unencrypted /boot partition.  Please consider supporting this
> configuration in debian-installer.

Grub currently doesn't support LUKS2 very well.
For example, PBKDF2 has to be used instead of Argon2 for key derivation.
The Debian Installer currently doesn't allow changing this.

Even worse, I haven't had any success at creating a LUKS2 volume that
grub-efi-amd64-signed recognizes.

Additionally, partman doesn't recognize LUKS1 partitions well and cannot
create any either. This makes it much harder to install Debian on a
LUKS1 volume.

Please add support for this scenario, as the additional unencrypted
/boot partition is unnecessary on UEFI systems and increases the attack
surface of encrypted disks.

Reply to: