alt Hacker NewsWhat's the current state of the art on this? Last time I looked it was really not trivial, because of two things:
1) there is only one bootloader (grub2) that can load kernels from encrypted /boot partitions, but the support for that is limited, you have to use a weaker encryption if I remember correctly, AND decryption speed (after entering the luks password) is super slow, because the CPU extensions that speed that up (AES) are not yet online that early in the boot process
2) you can choose to not encrypt /boot, and have it as a separate partition, but now your btrfs snapshots will not include the kernel, so restoring after kernel upgrades is going to break your system
Replies
I am only really familiar with Arch and OpenSUSE, so I don't know how other distros do it, but OpenSUSE keeps the (I believe) latest 5 kernels, so I just have to delete snapshots older than the oldest kernel in my /boot. I like that system so I do the same thing on Arch (but don't tell anyone, otherwise I'm gonna get yelled at).
Check out Arch's wikipedia for plain dm-crypt.