Is embedding the keyfile in initrd not an option for full-disk encryption to avoid
entering the password twice?
I also remember reading that LUKS2 in GRUB should help with the double password entry,
too, but maybe I remember incorrectly, because I cannot find the information now.
From: Axel Braun <axel.braun(a)gmx.de>
Sent: Wednesday, March 18, 2020 10:00 AM
Subject: Re: [opensuse-factory] Will openSUSE adopt systemd-homed?
On Wednesday, 18 March 2020, 09:31:01 CET, Ludwig Nussel wrote:
On 17.03.20 at 20:57, Axel Braun wrote:
I never got why to encrypt just disk when there are bunch of data leaking
is a good reason
You can put /boot back on a separate partition. That way you still
have everything except kernel and initrd encrypted so accidental
data leak via tmp or swap is still prevented. There was a decision in
an unfortunately private SLE feature request some years ago
) to ignore the inconveniences of /boot
on / in favor of working snapshots unfortunately.
As Neil Rickert pointed out in between in the above bug report, /boot on a
separate (unencrypted) partition is not recommended together with btrfs.
So looks like one can have an encrypted root partition AND btrfs AND 20s
get-the-coffee time on each boot, or separate /boot, encrypted root w/o btrfs (and
rollback) and a quick boot time.
Considering the fact that booting happens only every couple of days this might
still be acceptable