/boot and encrypted partitions?

inode0 inode0 at gmail.com
Fri Jul 31 19:02:55 UTC 2015


On Fri, Jul 31, 2015 at 11:18 AM, Gordon Messmer
<gordon.messmer at gmail.com> wrote:
> On 07/31/2015 08:28 AM, Dave Johansen wrote:
>>
>> I was lucky enough to be bitten by this issue (
>> https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do
>> a clean install of F22.
>
>
> That bug looks like it's triggered only when the LVs are encrypted, which is
> non-standard and not at all optimal.  The default and optimal configuration
> is to encrypt the disk partition, and to use that LUKS container as a PV.
>
>> I copied all of my data off and then tried manually setting things up as
>> separate partitions (instead of in an LVM) but it kept telling me that /boot
>> couldn't be on a LUKS partition.
>
>
> That's correct, it cannot.  UEFI and BIOS both need an un-encrypted /boot to
> read the kernel and initrd.  If those are in an encrypted container, the
> boot loader is incapable of reading the kernel and initrd into memory.

/boot can be on an encrypted partition. I've been looking at this
lately and decided to try to do it after seeing this thread today.
Anaconda won't help you do it though, so you need to install initially
with it unencrypted but you can encrypt it post-install. Now I have an
F22 box with a single disk with all partitions encrypted. Fedora seems
perfectly happy with this. I still have a concern that there might be
a case where an update needs to mount or remount /boot and won't be
able to, but one could store the password for /boot in a file and
point crypttab to it I believe to overcome that if it is necessary.

John
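As an added example, not part of John's post, this shell snippet checks the keyfile workaround he describes: it reads the crypttab entry for the /boot mapping and confirms the keyfile it points at exists and is not readable by anyone but its owner (a keyfile that unlocks /boot must live on the encrypted root and stay root-only). The mapping names, UUIDs and keyfile paths are constructed for the demo; the crypttab field layout (name, device, keyfile, options) is the standard one.

```shell
#!/bin/sh
# Added example: validate the crypttab entry for an encrypted /boot.
# crypttab fields: <name> <device> <keyfile> <options>

# check_crypttab_keyfile CRYPTTAB NAME
# prints the keyfile path and returns 0, or returns 1 with a reason on stderr
check_crypttab_keyfile() {
    crypttab=$1; name=$2
    # first non-comment line whose first field is the mapping name
    entry=$(grep -v '^[[:space:]]*#' "$crypttab" | awk -v n="$name" '$1 == n {print; exit}')
    [ -n "$entry" ] || { echo "no crypttab entry for $name" >&2; return 1; }
    keyfile=$(printf '%s\n' "$entry" | awk '{print $3}')
    case "$keyfile" in
        ''|none|-) echo "$name: no keyfile, passphrase would be prompted" >&2; return 1 ;;
    esac
    [ -f "$keyfile" ] || { echo "$name: keyfile $keyfile missing" >&2; return 1; }
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    # reject any group/other permission bits (e.g. 640, 644)
    case "$mode" in
        400|600) ;;
        *) echo "$name: keyfile $keyfile has mode $mode, want 0400 or 0600" >&2; return 1 ;;
    esac
    printf '%s\n' "$keyfile"
}

# Constructed demo data: a temporary crypttab and two keyfiles (UUIDs are fake)
demo_dir=$(mktemp -d)
printf 'secret\n' > "$demo_dir/boot.key";  chmod 0400 "$demo_dir/boot.key"
printf 'secret\n' > "$demo_dir/loose.key"; chmod 0644 "$demo_dir/loose.key"
cat > "$demo_dir/crypttab" <<EOF
# <name>     <device>                                    <keyfile>             <options>
luks-root    UUID=11111111-1111-1111-1111-111111111111   none                  luks
luks-boot    UUID=22222222-2222-2222-2222-222222222222   $demo_dir/boot.key    luks
luks-loose   UUID=33333333-3333-3333-3333-333333333333   $demo_dir/loose.key   luks
EOF

check_crypttab_keyfile "$demo_dir/crypttab" luks-boot            # accepted
check_crypttab_keyfile "$demo_dir/crypttab" luks-loose || echo "luks-loose rejected"
```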