[13:24] <Tuor> In the server installer, it is possible to create an encrypted Volume Group with Physical Devices in multiple disks. But then the system doesn't boot...
[13:46] <RoyK> Tuor: not sure, but smells like grub is having issues. Perhaps a separate, unencrypted boot partition could be handy?
[13:47] <Tuor> Can try.
[16:46] <mason> Tuor: grub's concept of multiple cryptroots is broken. I took a stab at fixing it once, and got syntax generation to work, but it wasn't clear whether or not it did the right thing when passed multiple cryptroots.
[16:47] <mason> Tuor: An interesting option is stuffing kernel and initramfs in your ESP, as then you can use the EFI stub loader in the kernel, and have access to everything your initramfs knows about right off the bat.
[16:49] <mason> I was doing that here until I ran into a box that refused to take more than one EFI boot variable. While this is inherently broken, I moved back to GRUB and an unencrypted /boot mirror, since I could have one entry for GRUB and have that load up a menu with options, where with the EFI stub loader I'd have multiple entries for current and older kernels.
[20:44] <Tuor> Sounds somewhat complicated. Having /boot unencrypted doesn't sound so bad. There will never be any sensible data.
[20:49] <RoyK> Tuor: just use a separate partition or md mirror (or lvm mirror?) for the boot. it's not hard. you might need to use the old installer. I haven't tried the new one lately.
[20:51] <RoyK> Tuor: remember that booting off raid-5 or -6 can be a bit hard, if it works at all. Better set up a raid-1 or raid-10 for the boot stuff and use raid-5 or -6 for the rest with encryption and what you might need there
[20:53] <Tuor> OK. Sounds doable. Thanks!