Calamares setting up encrypted /boot (which gets decrypted with GRUB2) causes many issues:
- GRUB2 needs a very long time to decrypt the root disk.
- Need to enter the full disk password twice: at the GRUB boot menu and again at systemd during boot. This might be a missing dracut module or a bug.
- And the worst issue: keyboard layout issues. There is no way to define the keyboard layout during GRUB2 pre-boot full disk encryption password entry. (If there are ways, they are very complicated, not suitable for a Debian derivative, and also break SecureBoot.)
This should not be a security issue. This is what most distributions are using. The kernel image is not secret. The Debian (CLI looking) installer (“DI”) uses an unencrypted /boot too. Encrypted /boot is simply not ready due to these upstream bugs, which will most likely not be resolved anytime soon.
- Encryption does not work well with non-QWERTY keyboards · Issue #1203 · calamares/calamares · GitHub
- #686817 - grub-pc: Add option to change keyboard layout - Debian Bug report logs
- GNU GRUB - Bugs: bug #65113, Add All Keyboard Layouts and... [Savannah]
TODO:
- Find a distribution that uses Calamares and implemented unencrypted /boot.
  - Maybe Ubuntu? Check:
    git clone https://git.launchpad.net/~ubuntu-qt-code/+git/calamares-settings-ubuntu
  - Linux Mint?
  - Elementary OS?
- Copy over the Calamares config files to Kicksecure (if permissible by the license, which is probably the case).
- Change Kicksecure Calamares Installer to the usual unencrypted /boot partition.