Bug 1198583 - Fix full disk encryption
Summary: Fix full disk encryption
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Ludwig Nussel
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on: 1198618 1198621 1198684 1198586 1198599 1198681
Blocks: 1165830
 
Reported: 2022-04-19 07:42 UTC by Ludwig Nussel
Modified: 2023-07-25 11:13 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Ludwig Nussel 2022-04-19 07:42:29 UTC
Full disk encryption starting from 15 on sucks. Prompting for the passphrase twice is an unacceptable annoyance but also technically the situation is not satisfactory.
E.g. relying on grub to unlock the encrypted volume hinders e.g. adoption of LUKS2 with Argon2 or hardware token support.
So let's find a solution that works better technically and usability-wise.

See also
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
Comment 1 Jan Engelhardt 2023-07-25 11:09:21 UTC
So don't encrypt /boot?
(When replacing grub by a sd-boot that lives just off an EFI partition with no classic ext2 /boot, that's unencrypted anyway.)
Comment 2 Ludwig Nussel 2023-07-25 11:13:29 UTC
No /boot needed at all. ESP only.