Bug#621788: Please support encryption without separate /boot, with encryption support in current GRUB2
> Current GRUB2 supports directly reading encrypted partitions via
> dm-crypt and LUKS. This allows setting up an encrypted disk without a
> separate unencrypted /boot partition. Please consider supporting this
> configuration in debian-installer.
GRUB currently doesn't support LUKS2 very well.
For example, PBKDF2 has to be used instead of Argon2 for key derivation.
The Debian Installer currently doesn't allow changing this.
Even worse, I haven't had any success at creating a LUKS2 volume that
grub-efi-amd64-signed recognizes.
Additionally, partman doesn't recognize LUKS1 partitions well and cannot
create any either. This makes it much harder to install Debian on a
LUKS1 volume.
Please add support for this scenario, as the additional unencrypted
/boot partition is unnecessary on UEFI systems and increases the attack
surface of encrypted disks.
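An added example, not part of the bug report: a check that reads the KDF type of each keyslot from a LUKS2 header image, so a volume can be tested against the PBKDF2 requirement described above before it is used for an encrypted /boot. The function names and the sample header are constructed for illustration. The header layout assumed is the LUKS2 on-disk format: a 4096-byte binary header followed by a NUL-padded JSON area.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # fixed-size LUKS2 binary header; the JSON area follows it


def keyslot_kdfs(header: bytes) -> dict:
    """Map each LUKS2 keyslot id to the KDF type recorded in the header JSON."""
    if header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version != 2:
        # LUKS1 has no JSON metadata and always uses PBKDF2.
        raise ValueError(f"LUKS version {version} has no per-keyslot KDF metadata")
    (hdr_size,) = struct.unpack_from(">Q", header, 8)  # binary header + JSON area
    if not BIN_HDR_SIZE < hdr_size <= len(header):
        raise ValueError("truncated or corrupt LUKS2 header")
    json_area = header[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0]
    meta = json.loads(json_area)
    return {slot: ks["kdf"]["type"] for slot, ks in meta["keyslots"].items()}


def non_pbkdf2_slots(header: bytes) -> list:
    """Keyslots whose KDF is not PBKDF2 (the KDF the report says GRUB needs)."""
    return sorted(s for s, kdf in keyslot_kdfs(header).items() if kdf != "pbkdf2")


def constructed_header(kdfs) -> bytes:
    """Build a minimal, constructed LUKS2 header image (sample data only)."""
    meta = {"keyslots": {str(i): {"type": "luks2", "kdf": {"type": k}}
                         for i, k in enumerate(kdfs)}}
    hdr_size = 16384
    binary = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(BIN_HDR_SIZE, b"\0")
    return binary + json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")


if __name__ == "__main__":
    sample = constructed_header(["pbkdf2", "argon2id"])
    for slot, kdf in keyslot_kdfs(sample).items():
        print(f"keyslot {slot}: {kdf}")
    print("keyslots not using PBKDF2:", non_pbkdf2_slots(sample))
```
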