21 broke encrypted swap by mishandling the removal of crypto_keyfile.bin. This reverts the original fix. Instead, we leave BIOS the same; that was secure as it was before. But we make sure to never enroll or even generate crypto_keyfile.bin when booting with UEFI. To ensure the user is only prompted once, we instead rely on initrd to reuse the passphrase for every LUKS device.
NOTE: This is likely not a completely sufficient solution for users who choose manual partitioning. Mainly, if they create an unencrypted root partition with BIOS boot, it will still insecurely use crypto_keyfile.bin for other partitions that are encrypted. And if different passphrases are used for different partitions in UEFI, the user will be prompted multiple times at boot.
Fixes #24.
/cc @vlinkz @RaitoBezarius