(address . bug-guix@gnu.org)
It would be neat if guix supported creating an initramfs that contains
LUKS key-files and decrypts partitions with those.
Consider the following simple drive and partition setup:
/dev/sda: Has GRUB installed
/dev/sda1: Contains LUKS partition, meant to be mounted on / (root)
/dev/sda2: Contains LUKS partition, meant to be mounted on /home
Without key-files, the boot process goes like this:
1. GRUB asks for the key for /dev/sda1 (key prompt 1)
2. The GRUB menu appears and lets you select the system to boot
3. The initramfs is loaded and starts doing its job
4. The initramfs asks for the key for /dev/sda1 (key prompt 2)
5. The initramfs(?) asks for the key for /dev/sda2 (key prompt 3)
6. The system continues and finishes booting
(I'm not sure if in step #5 it's still the initramfs that asks for the
key for sda2, or whether the initramfs is done after mounting sda1 and
switching root to it.)
This means the user has to enter a password three times, and two of the
times it's the same password.
If the initramfs contained key-files for the two partitions and were
able to use them instead of prompting the user, then the user would only
need to enter a key for GRUB, and further decryptions would happen
automatically. (The initramfs itself resides on sda1, so the key-files
are safe.)
Taylan