I can (partly) answer my own question.
I realized that /boot inside /root would either need the keyfile integrated in initramfs (which I don't want) or having 2 passwords anyway (as with separate boot).
So I decided to have a separate boot partition with the grub configuration taken from Paddy Landau's code (thank you so much!).
However, with secure boot enabled, I get a:
Code:
error: no such device: <long-UUID-string>
error: no server is specified
error: you need to load the kernel first
Encrypted boot and secure boot together seem not to work yet, see also https://ubuntuforums.org/showthread.php?t=2398512 and https://bugs.launchpad.net/ubuntu/+s...2/+bug/1401532
So currently secure boot off, but with encrypted boot.
I have the problem that after a kernel/initramfs update, the boot breaks. I'm not sure why, because my MBR encrypted /boot partition setups don't break with kernel updates, and I configured the EFI setup exactly the same (except grub configuration directory and grub installation location of course), and I don't use a keyfile for /root in initramfs.
I might as well just use Paddy Landau's automatic script the next time.