From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Luks inclusion (was Re: GRUB 1.99~rc2 released)
Date: Sat, 23 Apr 2011 00:30:21 +0200
Message-ID: <4DB2017D.7080209@gmail.com>
In-Reply-To: <BANLkTinF=QJconqZu8SaxZzOzCRCFuSacQ@mail.gmail.com>
On 21.04.2011 17:29, Craig Sparks wrote:
>
> When is luks going to be added so we can encrypt the boot partition also?
>
I've cleaned the patch (took a lot of time), not because I believe it's
a useful feature but since it has become an often requested one.
The branch is available at
http://bzr.savannah.gnu.org/r/grub/branches/luks/ .
You need to set GRUB_LUKS_ENABLE=y. Beware that:
a) Crypto in GRUB is much less performant than in kernel due to
unavailability of many accelerated instructions. So prepare for key
recovery taking considerable time or decrease key strengthening.
b) You'll need to enter passphrase twice. Once for GRUB, once for OS.
c) Encrypting doesn't guarantee integrity. Your /boot can be tampered
with even if it's encrypted and GRUB has no way of finding it out.
Encryption is about secrecy and /boot doesn't contain anything secret.
d) core is unencrypted (since BIOS has no encryption support)
e) core needs a much bigger embedding zone
f) no writing to luks as of now.
But even regardless of all that criticism which puts this as
low-priority, I'm fed up with feature requests and since unless it's
activated manually LUKS in GRUB doesn't kick in, I've done the cleanup.
Now you do the tests and report the results back.
--
Regards
Vladimir 'φ-coder/phcoder' Serbinenko