I came across this (dm-crypt/Device encryption - ArchWiki – “With a keyfile embedded in the initramfs”) section about initramfs embedded keyfiles when reading about manually setting up an encrypted system with swap partition.
Manjaro seems to do this setup when choosing “Swap (with hibernate)” during install.
The Warning states:
- Using some form of authentication earlier in the boot process. Otherwise auto-decryption will occur, defeating completely the purpose of block device encryption.
- /boot is encrypted. Otherwise root on a different installation (including the live environment) can extract your key from the initramfs, and unlock the device without any other authentication.
What confuses me is the part about /boot being encrypted. On the wiki it states that mkinitcpio embeds the keyfile.
The Manjaro installer set up the disk like this:
sda disk
├─sda1 part /boot/efi
├─sda2 part
│ └─luks-1 crypt /
└─sda3 part
  └─luks-2 crypt [SWAP]
That means if mkinitcpio puts the keyfile in /boot it should be safe, and if it puts it in /boot/efi it isn’t. But where does mkinitcpio put it?
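
One way to check which filesystem would hold a file under /boot in the layout above, and whether that filesystem sits on a LUKS mapping (an added example, not part of the original post). It assumes the initramfs image is written somewhere under /boot; the image file name, the column spacing of the sample and the function names are constructed for illustration.

```python
# Constructed sample: the lsblk-style tree from the post (NAME, TYPE, MOUNTPOINT).
SAMPLE = """\
sda        disk
├─sda1     part  /boot/efi
├─sda2     part
│ └─luks-1 crypt /
└─sda3     part
  └─luks-2 crypt [SWAP]
"""

TREE_CHARS = " │├└─"  # characters lsblk uses to draw the device tree


def parse_lsblk(text):
    """Return [(mountpoint, on_crypt)] for every mounted filesystem in the tree."""
    rows, stack = [], []  # stack holds (indent, type) of the current ancestors
    for line in text.splitlines():
        if not line.strip():
            continue
        body = line.lstrip(TREE_CHARS)
        indent = len(line) - len(body)
        fields = body.split()
        dev_type = fields[1]
        mount = fields[2] if len(fields) > 2 else None
        # Drop siblings and deeper nodes so only true ancestors remain.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, dev_type))
        if mount and mount.startswith("/"):  # skips [SWAP] and unmounted rows
            # Encrypted if the row or any ancestor is a dm-crypt mapping,
            # which also covers LVM volumes stacked on LUKS.
            rows.append((mount, any(t == "crypt" for _, t in stack)))
    return rows


def backing_mount(path, rows):
    """Pick the mounted filesystem that holds `path` (longest prefix match)."""
    def holds(m):
        return m == "/" or path == m or path.startswith(m + "/")
    return max((r for r in rows if holds(r[0])), key=lambda r: len(r[0]))


def is_encrypted(path, text=SAMPLE):
    """True if `path` lives on a filesystem backed by a crypt device."""
    return backing_mount(path, parse_lsblk(text))[1]


if __name__ == "__main__":
    # Hypothetical image name; only the directory matters for the check.
    for p in ("/boot/initramfs-example.img", "/boot/efi/EFI/example.efi"):
        print(p, "-> on LUKS" if is_encrypted(p) else "-> NOT encrypted")
```

On a running system the same question can be asked directly with `findmnt -T /boot`, which prints the filesystem that actually contains the directory.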