Question about LUKS encryption in LMDE7 #165
Description
Hi folks!
I've been playing with Debian Testing (Trixie) in the last few days.
I noticed different encryption operations in different installers:
When I use a classic text-based Debian-Installer, encrypting creates a classic scheme:
- unencrypted
/bootpartition - main
/partition encrypted LUKS2
When I use the Calamares installer after starting the LIVE system, a completely different encryption scheme is created:
- both partitions are encrypted, but only "old" LUKS1
Advantage:
- encrypted
/boot
Disadvantage:
- GRUB password monit is terrible and unattractive
- LUKS1 is less modern than LUKS2 (GRUB2 only supports older version LUKS1)
- lack of ability to manage multiple keys
Since I would like to plan correctly the future implementation of LMDE7 and the management of several dozen machines, I have a question:
Will the LMDE7 installer perform a classic encryption scheme (like LMDE6 for example, meaning unencrypted /boot + LUKS2 for /), or will it encrypt /boot in LUKS1 version like Calamares?
Personally I prefer classic "old" solutions with LUKS2 and unencrypted /boot.
Partition /boot can be protected with a chkboot package.
Cheers!