[wishlist] Support LUKS key-files in initramfs

  • Open
Details
3 participants
  • Jakub Kądziołka
  • Tobias Geerinckx-Rice
  • Taylan Kammer
Owner
Somebody
Submitted by
Taylan Kammer
Severity
wishlist
Merged with
Taylan Kammer wrote on 4 Jul 2018 21:45
(address . bug-guix@gnu.org)
87wouayecw.fsf@gmail.com
It would be neat if guix supported creating an initramfs that contains
LUKS key-files and decrypts partitions with those.

Consider the following simple drive and partition setup:

/dev/sda: Has GRUB installed
/dev/sda1: Contains LUKS partition, meant to be mounted on / (root)
/dev/sda2: Contains LUKS partition, meant to be mounted on /home

Without key-files, the boot process goes like this:

1. GRUB asks for the key for /dev/sda1 (key prompt 1)
2. The GRUB menu appears and lets you select the system to boot
3. The initramfs is loaded and starts doing its job
4. The initramfs asks for the key for /dev/sda1 (key prompt 2)
5. The initramfs(?) asks for the key for /dev/sda2 (key prompt 3)
6. The system continues and finishes booting

(I'm not sure if in step #5 it's still the initramfs that asks for the
key for sda2, or whether the initramfs is done after mounting sda1 and
switching root to it.)

This means the user has to enter a password three times, and two of the
times it's the same password.

If the initramfs contained key-files for the two partitions and were
able to use them instead of prompting the user, then the user would only
need to enter a key for GRUB, and further decryptions would happen
automatically. (The initramfs itself resides on sda1, so the key-files
are safe.)


Taylan
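As an added illustration (not code from this report and not Guix's own initramfs code), a POSIX shell fragment of the kind an initramfs could run to open the two volumes from the layout above with key-files, falling back to the usual prompt when a key-file is missing or too permissive. The device paths, mapper names and key-file locations are assumed; the key-files are only as safe as the encrypted root partition that holds the initramfs, as the report notes.

```shell
#!/bin/sh
# Added example: unlock LUKS volumes from an initramfs with key-files.
# Assumed layout from the report: /dev/sda1 -> / (root), /dev/sda2 -> /home.
set -eu

# Accept a key-file only if it is a regular file readable by its owner alone
# (mode 0400 or 0600). Returns 0 when acceptable, 1 otherwise.
keyfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Open one LUKS volume with its key-file; if the key-file is unusable, fall
# back to an interactive prompt so a bad key-file does not block the boot.
unlock_luks() {
    dev="$1"; name="$2"; keyfile="$3"
    if keyfile_ok "$keyfile"; then
        cryptsetup open --key-file "$keyfile" "$dev" "$name"
    else
        echo "key-file $keyfile unusable for $dev, prompting instead" >&2
        cryptsetup open "$dev" "$name"
    fi
}

# Only actually touch devices when invoked with --run (assumed placeholders).
if [ "${1:-}" = "--run" ]; then
    unlock_luks /dev/sda1 cryptroot /keys/sda1.key
    unlock_luks /dev/sda2 crypthome /keys/sda2.key
fi
```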
Tobias Geerinckx-Rice wrote on 4 Jan 2020 21:01
(no subject)
(name . GNU bug tracker automated control server)(address . control@debbugs.gnu.org)
87tv5b3saq.fsf@nckx
severity 38924 wishlist
merge 32054 38924

Jakub Kądziołka wrote on 14 Jan 2020 01:02
Assigning bugs I will soon send patches for to myself (where soon = a few days)
(address . control@debbugs.gnu.org)
20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net
owner 38884 !
owner 32054 !
thanks