- /dev/sda /dev/sda1: A tiny LUKS partition that's filled with the content of a keyfile without any filesystem format. /dev/sda2: /boot for grub. It also serves as FAT32 EFI partition.
- /dev/sdb /dev/sdb1: /gnu/store on btrfs raid1 /dev/sdb2: / on btrfs raid1 on LUKS - /dev/sdc /dev/sdc1: /gnu/store on btrfs raid1 /dev/sdc2: / on btrfs raid1 on LUKS Open /dev/sda1 as a luke device, /dev/mapper/key, with one password. It contains a keyfile without any filesystem format. Use /dev/mapper/key as a keyfile for all other LUKS devices in mapped devices. This exposes /gnu/store, but /gnu/store is not supposed to have any sensitive data. This obviously makes it practically impossible to detect physical tempering of data, but if you store it at a secure location, you don't have to worry too much about evil maid attack. RAID1 for physically secure servers is enough to ensure some availability when a disk fails. For laptops that you carry, you are not going to use btrfs raid1, and you can just have unencrypted /boot on fat32 and / on btrfs on luks. extra-initrd contains a keyfile for / so that I don't have to type the password twice. A desktop computer doesn't require server-level availability, but people who have money can still put root on encrypted btrfs raid1. Perhaps, can this be documented in the cook book?