Commit 01bd104

committed
gentoo-config-luks2-grub-systemd: Expand notes on tuning key slots
1 parent bfc8114 commit 01bd104

1 file changed

Lines changed: 18 additions & 8 deletions

content/en/collections/gentoo-config-luks2-grub-systemd/setup-process/tune-parameters.md

@@ -177,14 +177,24 @@ earliest to the latest. So, if the passphrase key slot's modification time is
177177
the earliest, GRUB 2.14 will be able to attempt it first; otherwise, GRUB 2.14
178178
would waste time trying the incorrect key slot.
179179

180-
Even though achieving a faster unlock speed in GRUB does not require tuning
181-
down the parameters of the key slot for the key file since this key slot is not
182-
intended for GRUB at all, keeping its parameters in sync with the passphrase
183-
key slot does not worsen the LUKS partition's security and may even expedite
184-
systemd's automatic unlock. After all, as long as the key file has been
185-
properly created and secured, its corresponding key slot is more secure than
186-
the passphrase key slot when all parameters are identical since a key file
187-
cannot be guessed, brute-forced or phished as easily as a passphrase.
180+
Keeping both key slots' parameters in sync also allows GRUB to re-prompt for
181+
the passphrase faster when the user has entered a wrong passphrase. If only
182+
the passphrase key slot is tuned down but the key file's key slot is not, GRUB
183+
will unlock the LUKS partition quickly when the entered passphrase is correct,
184+
but when the passphrase is incorrect, it will still need to spend about half a
185+
minute trying to unlock it before eventually failing and re-prompting for the
186+
correct passphrase. With an incorrect passphrase, because there is another key
187+
slot to try (the one for the key file), GRUB will attempt to unlock it using
188+
the entered passphrase too; if this key slot's parameters are too challenging
189+
for GRUB, GRUB will still have to waste about half a minute just trying to
190+
unlock it.
191+
192+
In addition, for the key file's key slot, keeping its parameters in sync with
193+
the passphrase key slot does not worsen the LUKS partition's security and also
194+
expedites systemd's automatic unlock. After all, as long as the key file has
195+
been properly created and secured, its corresponding key slot is more secure
196+
than the passphrase key slot when all parameters are identical since a key file
197+
cannot be guessed, brute-forced or phished as easily as a passphrase can be.
188198

189199
To test the new unlock speed in GRUB, reboot the system and observe how long
190200
GRUB takes to unlock the LUKS partition after the passphrase is supplied. If
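Review bot: the new paragraph (lines 180-190) explains the half-minute penalty for an untuned key-file slot twice, first as "it will still need to spend about half a minute trying to unlock it" and again as "GRUB will still have to waste about half a minute just trying to unlock it"; consider folding the two into one sentence along the lines of "With an incorrect passphrase, GRUB also tries it against the key file's slot, and if that slot's parameters are untuned that attempt alone costs about half a minute before GRUB re-prompts." Also, the removed text hedged "may even expedite systemd's automatic unlock" while the replacement (line 194) asserts "also expedites"; since the hunk states no measured unlock time for the key-file slot, keeping the hedge, or noting that the speedup depends on how demanding that slot's original parameters were, would keep the claim verifiable.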
