Hilton Chain <hako@ultrarare.space> writes:
>> Not really sure how I'm booting then. I see '# PBKDF argon2id, ...' in
>> the output of `sudo cryptsetup status --debug myrootvolname`.
>
> Which GRUB variant are you using? There exists an unlikely to be merged patch
> series for Argon2 support.

I'm using `grub-efi-bootloader` in Guix System. GRUB version 2.12. I
haven't explicitly configured a patched variant, nor do I have any
memory of ever using one.

>> If I understand correctly, the main issue here is that the initrd
>> doesn't know how to mount encrypted partitions. There are solutions to
>> this other than UKIs, such as Arch's mkinitcpio:
>> https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio
>
> Our initrd knows how to decrypt. It's GRUB that needs to decrypt then find its
> configuration and kernel + initrd first.

Right, I got confused back there. So the main issue is GRUB needing to
decrypt in the first place, which wouldn't happen if we could have the
kernel+initramfs on a separate unencrypted partition, like I mentioned
in my other message.