Closed TommyTran732 closed 3 years ago
The reason for me using LUKS1 is because the following version (LUKS2) seems not to be compatible with GRUB (I recall having read something like that on the Arch Wiki).
GRUB is only not compatible with LUKS2 when /boot is also encrypted. If the kernel and initramfs (like how your system is set up right now) are unencrypted, then it's the kernel doing the decryption, not GRUB.
In fact, GRUB_ENABLE_CRYPTODISK=y is only needed when /boot is encrypted.
For my own setup, I keep LUKS1, but I move /boot to a @boot subvolume. The ESP partition is mounted as /boot/efi, and the only thing it contains is /boot/efi/EFI/GRUB/grubx64.efi.
I opted in for this setup because
That being said, the downside of using encrypted /boot is that if you fail to type the password once, you must reboot.
If you want to keep the current partition layout, it is cool as well, but it would make more sense to use LUKS2 and remove the GRUB_ENABLE_CRYPTODISK=y setting.
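The check discussed above can be scripted. The following is an added example, not part of the thread or the project's code: it classifies a layout from captured output of `cryptsetup luksDump`, `lsblk -s -no TYPE` (for the device holding /boot) and `/etc/default/grub`. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a GRUB + LUKS layout from captured command output.
# Inputs are plain text so the script runs offline; function names are hypothetical.

luks_version() {          # stdin: `cryptsetup luksDump` output -> prints 1 or 2
    awk '/^Version:/ { print $2; exit }'
}

boot_is_encrypted() {     # stdin: `lsblk -s -no TYPE` for the device holding /boot
    grep -qw crypt
}

cryptodisk_enabled() {    # stdin: /etc/default/grub; commented-out lines do not count
    grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y[\"']?[[:space:]]*(#.*)?\$"
}

# assess <luksDump text> <lsblk TYPE text> <grub defaults text> -> one finding per line
assess() {
    ver=$(printf '%s\n' "$1" | luks_version)
    if printf '%s\n' "$2" | boot_is_encrypted; then boot=encrypted; else boot=plain; fi
    if printf '%s\n' "$3" | cryptodisk_enabled; then cdisk=on; else cdisk=off; fi
    echo "layout: LUKS$ver boot=$boot cryptodisk=$cdisk"
    case "$boot:$cdisk" in
        plain:on)      echo "finding: GRUB_ENABLE_CRYPTODISK=y is unnecessary, the kernel/initramfs unlocks the disk" ;;
        encrypted:off) echo "finding: GRUB must unlock /boot but GRUB_ENABLE_CRYPTODISK=y is not set" ;;
    esac
    case "$boot:$ver" in
        plain:1)     echo "finding: LUKS1 is not required by GRUB in this layout" ;;
        encrypted:2) echo "finding: GRUB has to open a LUKS2 header, confirm your GRUB build supports it" ;;
    esac
}

# Constructed sample input: LUKS1, unencrypted /boot, cryptodisk enabled.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes'
SAMPLE_LSBLK='part'
SAMPLE_GRUB='GRUB_TIMEOUT=5
#GRUB_ENABLE_CRYPTODISK=n
GRUB_ENABLE_CRYPTODISK=y'

assess "$SAMPLE_DUMP" "$SAMPLE_LSBLK" "$SAMPLE_GRUB"
```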
Moved to encrypted /boot.
As it stands right now, we seem to be using LUKS1 for no apparent reason. I think we should consider 1 of the following: