[RFT] LUKS and GELI (was Re: Luks inclusion)

["Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1416 bytes --]

Hello all. I've added both LUKS and GELI (except version-0, big-endian
volumes, keyfiles and HMAC) to my luks branch

> I've cleaned the patch (took a lot of time), not because I believe it's
> a useful feature but since it has become an often requested one.
> The branch is available at
> http://bzr.savannah.gnu.org/r/grub/branches/luks/ .
> You need to set GRUB_LUKS_ENABLE=y. Beware that:
It was renamed to GRUB_CRYPTODISK_ENABLE=y
> a) Crypto in GRUB is much less performant than in kernel due to
> inavailability of many accelerated instructions. So prepare for key
> recovery taking considerable time or decrease key strengthening.
> b) You'll need to enter passphrase twice. Once for GRUB, once for OS.
> c) Encrypting doesn't guarantee integrity. Your /boot can be tempered
> with even if it's encrypted and GRUB has no way of finding it out.
> Encryption is about secrecy and /boot doesn't contain anything secret.
> d) core is unencrypted (since BIOS has no encryption support)
> e) core needs a much bigger embedding zone
> f) no writing to luks as of now.
> But even regardless of all that criticism which puts this as
> low-priority, I'm fed up with feature requests and since unless it's
> activated manually LUKS in GRUB doesn't kick in, I've done the cleanup.
> Now you do the tests and report the results back
>


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 294 bytes --]