mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2025-01-24 14:51:43 -05:00

Update README.md

TommyTran732 2021-07-25 11:13:41 +00:00 committed by tommytran732
parent 825c2ce63b
commit f21ac146ba
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

@ -65,4 +65,4 @@ Ideally, I could use GRUB's GPG verification for the initramfs and its configura
As for why LUKS1 is used, GRUB 2.06 does not work nicely with LUKS2 yet. grub-install will not make GRUB auto detect the LUKS2 partition, and GRUB itself does not support Argon2id (cryptsetup default) as of now anyways. In my opinion, it makes little sense to use GRUB with LUKS2 in its current state, thus I am using LUKS1 to avoid the headache for the time being.
You may also see an a keyfile being created by the script and stored at /cryptkey. This is to avoid getting 2 encryption password prompts (one for GRUB to decrypt the disk so that it can get to the kernel, the initramfs and configuration files and one for the kernel itself to start up the rest of the boot process). As the key resides on an encrypted partition (and so does the initramfs that stores a copy of it), security risks should be minimal. The only time an attacker would have access to it is when they have root, at which point you have a much, much more serious proble). The procedure I am using is describe at https://en.opensuse.org/SDB:Encrypted_root_file_system.
You may also see an a keyfile being created by the script and stored at /cryptkey. This is to avoid getting 2 encryption password prompts (one for GRUB to decrypt the disk so that it can get to the kernel, the initramfs and configuration files and one for the kernel itself to start up the rest of the boot process). As the key resides on an encrypted partition (and so does the initramfs that stores a copy of it), security risks should be minimal. The only time an attacker would have access to it is when they have root, at which point you have a much, much more serious problem). The procedure I am using is describe at https://en.opensuse.org/SDB:Encrypted_root_file_system.
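Review bot: The added line fixes "proble" but keeps three other defects in the same sentence group: "an a keyfile" should be "a keyfile", "is describe at" should be "is described at", and the ")" after "problem" closes a parenthesis that was never opened, so either drop it or open one before "The only time an attacker". Since this line is already being touched, fix all of them in one commit. On substance, the claim "The only time an attacker would have access to it is when they have root" only holds if /cryptkey and the initramfs image that stores a copy of it are readable by root alone; the README does not say what permissions the script sets on either, so consider adding a sentence stating them so readers can verify the claim on their own install.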