Message ID | 20211030161237.28298-2-dev@jpoiret.xyz
---|---
State | Accepted
Series | Add support for LUKS2 root partition

Context | Check | Description
---|---|---
cbaines/comparison | success | View comparison
cbaines/git branch | success | View Git branch
cbaines/applying patch | success | View Laminar job
cbaines/issue | success | View issue
Hello!

I haven’t tested it, but the patches LGTM. Nitpick:

Josselin Poiret <dev@jpoiret.xyz> skribis:

> * doc/guix.texi (Keyboard Layout, Networking, and Partitioning)[Disk
> Partitioning]: Document it.

[…]

> +@quotation Warning
> +Note that Grub can unlock LUKS2 devices since version 2.06, but only

s/Grub/GRUB/ :-)

> +supports the PBKDF2 key derivation function, which is not the default
> +for Cryptsetup on Guix. You can check which key derivation function is
> +being used by a device by running @command{cryptsetup luksDump <dev>},

@var{device} rather than <dev>.

> +and looking for the PBKDF field of your keyslots.

Should we change “which is not the default for Cryptsetup on Guix” to
“but @command{cryptsetup luksFormat} does not use PBKDF2 by default”?

> +@end quotation
> +
> +Assuming you want to store the root partition on @file{/dev/sda2}, the
> +command sequence would be along these lines:

  ^
  + “to format it as a LUKS2 partition”

Could you send an updated version of this patch?

Besides, do you think we should change the installer to create LUKS2
partitions now in (gnu installer parted)?

Thanks!

Ludo’.
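The documentation text under review tells users to run `cryptsetup luksDump` and inspect the PBKDF field of each keyslot, because GRUB 2.06 can only unlock keyslots derived with PBKDF2. The following is an added example, not part of the patch series or of Guix: a POSIX shell check that parses luksDump output and reports whether every keyslot is GRUB-unlockable. The sample dump is constructed and abridged (real output indents fields with tabs and has more lines); the function names are made up for this example.

```shell
#!/bin/sh
# Constructed, abridged sample of `cryptsetup luksDump` output. Keyslot 0
# uses argon2id (the cryptsetup default), keyslot 1 uses pbkdf2 (the only
# KDF GRUB 2.06 can unlock). The Digests: section also says "pbkdf2"; that
# is the header digest, not a keyslot, and must not mask an argon2 keyslot.
SAMPLE_DUMP='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Iterations: 107450'

# Read luksDump output on stdin and print "<slot> <kdf>" for each keyslot.
# Only lines inside the Keyslots: section count; any other top-level
# "Name:" line (Tokens:, Digests:, ...) ends that section.
keyslot_kdfs() {
    awk '
        /^Keyslots:/                       { in_slots = 1; next }
        /^[A-Z][A-Za-z ]*:/                { in_slots = 0 }
        in_slots && /^  [0-9]+: /          { slot = $1; sub(/:$/, "", slot) }
        in_slots && /^[[:space:]]+PBKDF:/  { print slot, $2 }
    '
}

# Exit 0 only when every keyslot uses pbkdf2; exit 1 if any keyslot uses a
# KDF GRUB 2.06 cannot handle, i.e. the root device would not unlock at boot.
grub_can_unlock() {
    keyslot_kdfs | awk '$2 != "pbkdf2" { bad = 1 } END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run against the constructed sample; on a real system pipe
# `cryptsetup luksDump /dev/sda2` into the same functions instead.
printf '%s\n' "$SAMPLE_DUMP" | keyslot_kdfs
printf '%s\n' "$SAMPLE_DUMP" | grub_can_unlock && echo "GRUB can unlock" || echo "GRUB cannot unlock: non-pbkdf2 keyslot"
```

A keyslot reported as argon2i or argon2id can be re-derived in place with `cryptsetup luksConvertKey --pbkdf pbkdf2 <device>` rather than reformatting.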
Hello Josselin,

Josselin Poiret <dev@jpoiret.xyz> skribis:

> Here is an updated patchset, which includes the changes you suggested,
> as well as updating the installer to use LUKS2 by default (I tested it
> in a VM and it works pretty well). I don't think there's any reason
> not to use LUKS2 by default now that GRUB 2.06 supports it, and in any
> case if there are specific needs they can be addressed by a manual
> installation.
>
> Best,
>
> Josselin Poiret (3):
>   gnu: system: Add LUKS2 support for the root file system.
>   doc: Document LUKS2 GRUB support and shortcomings
>   installer: Make LUKS2 the default format for encrypted devices

Applied it all after checking:

  make check-system TESTS=encrypted-root-os

Thank you!

Ludo’.
diff --git a/doc/guix.texi b/doc/guix.texi index 22215214e0..4420f67050 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -2492,13 +2492,22 @@ mkfs.ext4 -L my-root /dev/sda2 If you are instead planning to encrypt the root partition, you can use the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html, @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}}, -@code{man cryptsetup}} for more information). Assuming you want to -store the root partition on @file{/dev/sda2}, the command sequence would -be along these lines: +@code{man cryptsetup}} for more information). + +@quotation Warning +Note that Grub can unlock LUKS2 devices since version 2.06, but only +supports the PBKDF2 key derivation function, which is not the default +for Cryptsetup on Guix. You can check which key derivation function is +being used by a device by running @command{cryptsetup luksDump <dev>}, +and looking for the PBKDF field of your keyslots. +@end quotation + +Assuming you want to store the root partition on @file{/dev/sda2}, the +command sequence would be along these lines: @example -cryptsetup luksFormat /dev/sda2 -cryptsetup open --type luks /dev/sda2 my-partition +cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 +cryptsetup open /dev/sda2 my-partition mkfs.ext4 -L my-root /dev/mapper/my-partition @end example
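Review bot: the @quotation Warning added in this doc/guix.texi hunk still carries the three wording issues raised in the review above: "Grub" should be "GRUB"; "@command{cryptsetup luksDump <dev>}" should use "@var{device}" rather than "<dev>"; and "which is not the default for Cryptsetup on Guix" is better stated as "but @command{cryptsetup luksFormat} does not use PBKDF2 by default", since the default belongs to cryptsetup, not to Guix. The @example change is consistent with the warning it follows: "cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2" selects exactly the key derivation function the warning says GRUB 2.06 supports, so a reader who copies the example gets a bootable setup, while the sentence introducing it should, as suggested, say "to format it as a LUKS2 partition". The follow-up reply notes that the applied v2 incorporated these changes.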