On Mon, Jul 25, 2022 at 08:54:00PM +0900, Olaf Meeuwissen via Dng wrote:
> OK but if / and /boot are encrypted, something has to be able to decrypt
> that before GRUB can read /boot/grub/grub.cfg. It might be that GRUB is
> able to do that itself these days (haven't checked) but on my LibreBoot
> laptop it's the LibreBoot BIOS that does the decrypting, AFAIK.
> Hence, my comment.
I can confirm that grub2 in at least Beowulf and now Chimaera can deal
with decrypting the boot partition if you use LUKS for the encryption:
<
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>
The archwiki has even more scenarios:
<
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system>
> I was thinking/hoping I could make an encrypted LV, without encrypting
> all PVs in the VG. I use a fair number containers and VMs and don't see
> a need to encrypt those. Actually, I don't see much need for putting
> these on RAID1 either :-/
You can in fact do what you describe. Make your LV, but instead of
creating a file system on it, format it as LUKS, unlock it, and create
your file system on /dev/mapper/unlocked_volume.
Greg
--
web site:
http://www.gregn.net
gpg public key:
http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.
--
Free domains:
http://www.eu.org/ or mail dns-manager@???