[PATCH 0/2] Add support for unlocking root device via a key file

Status: Open

Details
2 participants
  • Dominik Riva
  • Tomas Volf
Owner: unassigned
Submitted by: Tomas Volf
Severity: normal
Tomas Volf wrote on 1 Aug 22:53 +0200
(address . guix-patches@gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
cover.1690922760.git.wolf@wolfsden.cz
When having an encrypted /boot, it is currently necessary to input a password
twice, once for the /boot (so that grub can find its configuration) and later
once more in order to actually unlock the / itself. It is not very user
friendly and gets annoying quickly in more exotic setups. For example with /
on RAID1 BTRFS, the password needs to be entered 4 times. And even without that,
for large encrypted arrays, the password needs to be entered once per drive.

The obvious solution to this is to just use the --key-file option of the luksOpen
command, however support for that was not implemented. This series adds that
support.

Another problem is where to store the key file, since it needs to be
present in the initrd, but it cannot be in the store (since that would make it
world-readable, and you do not want that for an encryption key). Luckily for
us, grub can load multiple initrds and merge them, so an option to specify an
additional initrd (not from the store) is added as well.

Since extlinux does not look like it supports encrypted /boot (and this new
option should not be used for anything else), it was added only into
grub.

Tomas Volf (2):
mapped-devices: Allow unlocking by a key file
gnu: bootloader: grub: Add support for loading an additional initrd

doc/guix.texi | 32 +++++++++++++++++
gnu/bootloader.scm | 6 +++-
gnu/bootloader/grub.scm | 6 ++--
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
4 files changed, 83 insertions(+), 28 deletions(-)


base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0
Tomas Volf wrote on 1 Aug 23:09 +0200
[PATCH 1/2] mapped-devices: Allow unlocking by a key file
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
f868b4ab8b6ffdee7cfa0f2fc0c4ee3d7100f081.1690922760.git.wolf@wolfsden.cz
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..79b776e81e 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
--
2.41.0
Tomas Volf wrote on 1 Aug 23:09 +0200
[PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
01792b1d4bf827da9d10b4f06cfe9127b9cfbe45.1690922760.git.wolf@wolfsden.cz
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for an
initrd containing decryption keys. This commit adds an option to load an
additional initrd during boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
--
2.41.0
Tomas Volf wrote on 2 Aug 15:02 +0200
[PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz
Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
untabify
doc/guix.texi | 12 +++++++
gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name. It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file. If it fails, password unlock is attempted as well. Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
@defvar raid-device-mapping
This defines a RAID device, which is assembled using the @code{mdadm}
command from the package with the same name. It requires a Linux kernel
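Review bot: the description says the procedure returns a @code{luks-device-mapping} object, but what the code returns is a new @code{mapped-device-kind} that inherits from @code{luks-device-mapping}; say that, and say what the @code{key-file} path is relative to. The path is opened by @command{cryptsetup} at unlock time, i.e. inside the initrd's root filesystem (the place the cover letter says the key must be present), so "/key-file.bin" here is not the /key-file.bin of the installed system. It would also help readers to state plainly that anyone who can read the key file can open the volume, exactly as with the passphrase, so the initrd carrying it must itself live on an encrypted or otherwise protected volume.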
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..0755036763 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
check-device-initrd-modules ;XXX: needs a better place
luks-device-mapping
+ luks-device-mapping-with-options
raid-device-mapping
lvm-device-mapping))
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'."
(with-imported-modules (source-module-closure
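Review bot: the docstring of open-luks-device is not updated for the new #:key-file argument; add a sentence such as "When KEY-FILE is a string, first try to unlock with that file, then fall back to an interactive passphrase." Separately, the ChangeLog entry in the commit message says the keyword argument was added to luks-device-mapping, but it is open-luks-device that gains it here; the entry should name this procedure.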
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
((target)
#~(let ((source #$(if (uuid? source)
(uuid-bytevector source)
- source)))
+ source))
+ (keyfile #$key-file))
;; XXX: 'use-modules' should be at the top level.
(use-modules (rnrs bytevectors) ;bytevector?
((gnu build file-systems)
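Review bot: `(keyfile #$key-file)` is correct for the two values the docs allow (#f or a string), since both ungexp to a literal. It is worth guarding against anything else: a user who passes a `local-file` or other file-like object here would get it ungexped as a store path, which silently puts the key in the world-readable store, the very thing the cover letter is trying to avoid. A `(unless (or (not key-file) (string? key-file)) (raise ...))` check in luks-device-mapping-with-options, or a note in its docstring, would close that hole.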
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
;; 'cryptsetup open' requires standard input to be a tty to allow
;; for interaction but shepherd sets standard input to /dev/null;
;; thus, explicitly request a tty.
- (zero? (system*/tty
- #$(file-append cryptsetup-static "/sbin/cryptsetup")
- "open" "--type" "luks"
-
- ;; Note: We cannot use the "UUID=source" syntax here
- ;; because 'cryptsetup' implements it by searching the
- ;; udev-populated /dev/disk/by-id directory but udev may
- ;; be unavailable at the time we run this.
- (if (bytevector? source)
- (or (let loop ((tries-left 10))
- (and (positive? tries-left)
- (or (find-partition-by-luks-uuid source)
- ;; If the underlying partition is
- ;; not found, try again after
- ;; waiting a second, up to ten
- ;; times. FIXME: This should be
- ;; dealt with in a more robust way.
- (begin (sleep 1)
- (loop (- tries-left 1))))))
- (error "LUKS partition not found" source))
- source)
-
- #$target)))))))
+ (let ((partition
+ ;; Note: We cannot use the "UUID=source" syntax here
+ ;; because 'cryptsetup' implements it by searching the
+ ;; udev-populated /dev/disk/by-id directory but udev may
+ ;; be unavailable at the time we run this.
+ (if (bytevector? source)
+ (or (let loop ((tries-left 10))
+ (and (positive? tries-left)
+ (or (find-partition-by-luks-uuid source)
+ ;; If the underlying partition is
+ ;; not found, try again after
+ ;; waiting a second, up to ten
+ ;; times. FIXME: This should be
+ ;; dealt with in a more robust way.
+ (begin (sleep 1)
+ (loop (- tries-left 1))))))
+ (error "LUKS partition not found" source))
+ source)))
+ ;; We want to fallback to the password unlock if the keyfile fails.
+ (or (and keyfile
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ "--key-file" keyfile
+ partition #$target)))
+ (zero? (system*/tty
+ #$(file-append cryptsetup-static "/sbin/cryptsetup")
+ "open" "--type" "luks"
+ partition #$target)))))))))
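Review bot: the `(or (and keyfile ...) ...)` fallback hides why the key-file attempt failed. When the file is simply absent (the extra initrd was not loaded, or the path is wrong) cryptsetup reports an error and the user is then asked for a passphrase, which is the safe outcome but makes a misconfigured extra-initrd look like "the key did not work". Consider testing `(file-exists? keyfile)` before the first `system*/tty` call and printing a clear message when it is missing, so the fallback is diagnosable; `--key-file` also does not need a tty, so that first invocation could use plain `system*`. Hoisting the partition lookup and its ten-try retry loop into `partition` so it runs once for both cryptsetup invocations is the right structure.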
(define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
(close close-luks-device)
(check check-luks-device)))
+(define* (luks-device-mapping-with-options #:key key-file)
+ "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+ (mapped-device-kind
+ (inherit luks-device-mapping)
+ (open (λ (source targets) (open-luks-device source targets
+ #:key-file key-file)))))
+
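Review bot: this file, like the rest of Guix, spells `lambda` out rather than using `λ`; please match it. The docstring should also describe the argument in the usual form, e.g. "Return a mapped-device-kind like LUKS-DEVICE-MAPPING whose open procedure passes KEY-FILE to open-luks-device", since "open modified to pass the arguments" does not tell a reader what KEY-FILE is.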
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
--
2.41.0
Tomas Volf wrote on 2 Aug 15:02 +0200
[PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
(address . 65002@debbugs.gnu.org)(name . Tomas Volf)(address . wolf@wolfsden.cz)
c2160a7c687622ffb7404004e183905299e6a695.1690981365.git.wolf@wolfsden.cz
In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for an
initrd containing decryption keys. This commit adds an option to load an
additional initrd during boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
doc/guix.texi | 20 ++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 6 ++++--
3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load. Should not point to a file in the
+store. Typical use case is making keys to unlock LUKS device available
+during the boot process. For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
@end table
@end deftp
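Review bot: the example and the warning both need tightening on the security side. `chmod 0000 /key-file.cpio` only restricts users of the booted system; GRUB reads the archive straight off the block device and ignores Unix permissions, so the archive is exactly as confidential as the volume it sits on. The text should say that it must be placed on a volume GRUB has already unlocked (the encrypted /boot or root this series is about), never on a plain ESP. Likewise `echo /key-file.bin | cpio -oH newc` reads the key from the running system's /key-file.bin, so that source file needs the same protection and should be mentioned (lock it down, or remove it once the archive exists). Finally, "readable by the grub" should be "readable by GRUB", and the realistic failure is a path GRUB cannot find on its root device, since the value is passed to GRUB verbatim rather than being adjusted for a separate /boot the way `initrd` is.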
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f)) ;string | #f
+ )
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
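Review bot: style: the closing parenthesis of `define-record-type*` belongs at the end of the `(default #f))` line, not on a line of its own as the `+  )` here does; the rest of the file keeps it attached. The field comment `;string | #f` could also say that the string is a GRUB path on the boot device rather than a host path, since nothing in the code translates it.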
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
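Review bot: `extra-initrd` is read from the bootloader configuration rather than from the menu entry, so every generated entry, old system generations included, loads the same archive. That is probably what you want (any generation with the mapping needs the key), but it means rotating the key changes what old generations boot with, which the docs should mention. More importantly, unlike `initrd` just above it, the value is not run through `normalize-file` with DEVICE-MOUNT-POINT and STORE-DIRECTORY-PREFIX (see the comment in this hunk), so GRUB resolves it against the root chosen by `grub-root-search`, the device holding the store. A path that only exists in the host's view, such as a file under a separately mounted /boot given with its /boot prefix, will not be found; either normalize it the same way or document that the path must be given as GRUB sees it.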
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
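Review bot: with extra-initrd set to #f this emits `initrd  /gnu/store/...` with two spaces, which GRUB tolerates, but building the list and using `string-join` (as the `linux` line already does for arguments) would avoid the special case. Neither path is quoted, so an extra-initrd path containing a space breaks the whole entry; quoting both would be safer. The ordering is fine: the kernel unpacks concatenated archives in order and a later entry wins on a name clash, so listing the key archive first cannot let it override anything in the main initrd. Note that the `multiboot-kernel` branch below is untouched, so such entries never get the extra initrd; the docs should say so.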
--
2.41.0
Dominik Riva wrote on 10 Aug 02:22 +0200
[PATCH 0/2] Add support for unlocking root device via a key file
(name . 65002@debbugs.gnu.org)(address . 65002@debbugs.gnu.org)
lEqw2_aHah7ibE60mIRq6EKG9YmJkiXnFZO4W-QFkURIAXUkM-9bUIvjVs8KJU0R0df8c-TDu9a58MioukopI8DuheY7e1hdPVzVUwVOq-M=@protonmail.ch
Hi,

I can confirm the patches work for me, but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.


  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  ;; /root in /root/key-file.cpio refers to the
  ;; /dev/mapper/enc btrfs root subvolume and not the home of root.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader-luks2)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)
                (extra-initrd "/root/key-file.cpio")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
          (target "enc")
          (type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))


The snippet from https://issues.guix.gnu.org/55723#0 also needed some changes.
I had to swap line 2 with 3, I switched ext2 with btrfs, and the different format for the UUID tricked me as well.

But now I have a booting system and the passphrase only gets asked for once.


Thanks,
Dominik


Attachment: signature.asc
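The approach in the cover letter (a key file carried in a second, non-store initrd) and the `cpio -oH newc` recipe in the patch 2/2 documentation leave it to the operator to check what actually ended up in that archive before pointing `extra-initrd` at it. The following is an added example, not code from the patches, from Guix, or from either poster: a small Python builder and auditor for newc cpio archives. The names `build_newc_cpio`, `parse_newc_cpio`, `audit_key_initrd` and `new_key_initrd` are this example's own, and the 64-byte key and the deliberately bad archive in the demo are constructed sample data. It shows the on-disk layout the kernel's initramfs unpacker expects and flags the two mistakes that matter for a key initrd: stray files riding along with the key, and a key file whose mode bits make it group- or world-readable once unpacked.

```python
"""Build and audit a newc ("SVR4 without CRC") cpio archive of the kind GRUB
loads as an extra initrd.  Added example; all names here are this example's."""
import os
import stat

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits


def _pad4(n: int) -> int:
    """Zero bytes needed to bring offset N up to a multiple of 4."""
    return (-n) % 4


def _header(name: bytes, mode: int, size: int, ino: int) -> bytes:
    # Field order: ino mode uid gid nlink mtime filesize devmajor devminor
    # rdevmajor rdevminor namesize check.  uid/gid 0 means root:root.
    fields = (ino, mode, 0, 0, 1, 0, size, 0, 0, 0, 0, len(name) + 1, 0)
    return NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)


def build_newc_cpio(entries: dict) -> bytes:
    """ENTRIES maps an archive path to (st_mode, contents).  Leading slashes
    are stripped: the kernel unpacks initramfs entries into the rootfs root
    either way, and it keeps names consistent for the audit below."""
    out = bytearray()
    for ino, (path, (mode, data)) in enumerate(entries.items(), start=1):
        name = path.lstrip("/").encode()
        out += _header(name, mode, len(data), ino)
        out += name + b"\0" + b"\0" * _pad4(HEADER_LEN + len(name) + 1)
        out += data + b"\0" * _pad4(len(data))
    trailer = TRAILER.encode()
    out += _header(trailer, 0, 0, 0)
    out += trailer + b"\0" + b"\0" * _pad4(HEADER_LEN + len(trailer) + 1)
    return bytes(out)


def parse_newc_cpio(blob: bytes) -> dict:
    """Inverse of build_newc_cpio; also reads archives written by GNU cpio."""
    entries = {}
    pos = 0
    while True:
        hdr = blob[pos:pos + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad newc header at offset {pos}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name_off = pos + HEADER_LEN
        name = blob[name_off:name_off + namesize - 1].decode()
        data_off = name_off + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_off:data_off + size]
        pos = data_off + size + _pad4(size)
        if name == TRAILER:
            return entries
        entries[name.lstrip("/")] = (mode, data)


def audit_key_initrd(blob: bytes, key_path: str) -> list:
    """Return findings; an empty list means the archive is fit to carry a key."""
    findings = []
    entries = parse_newc_cpio(blob)
    key_name = key_path.lstrip("/")
    if key_name not in entries:
        findings.append(f"key file {key_name!r} is not in the archive")
    for name, (mode, data) in entries.items():
        if name != key_name:
            findings.append(f"unexpected entry {name!r}")
        if not stat.S_ISREG(mode):
            findings.append(f"{name!r} is not a regular file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name!r} is group/other accessible "
                            f"(mode {stat.S_IMODE(mode):04o})")
        if not data:
            findings.append(f"{name!r} is empty")
    return findings


def new_key_initrd(key_path: str = "/key-file.bin", key: bytes = b"") -> bytes:
    """Archive a 64-byte key (fresh random bytes unless KEY is given) at
    KEY_PATH as a root-only regular file, mode 0400."""
    if not key:
        key = os.urandom(64)
    return build_newc_cpio({key_path: (stat.S_IFREG | 0o400, key)})


if __name__ == "__main__":
    good = new_key_initrd()
    # Constructed counter-example: world-readable key plus a stray file.
    bad = build_newc_cpio({
        "/key-file.bin": (stat.S_IFREG | 0o644, b"\x00" * 64),
        "etc/passwd": (stat.S_IFREG | 0o644, b"root:x:0:0:root:/root:/bin/sh\n"),
    })
    print("good:", audit_key_initrd(good, "/key-file.bin"))
    print("bad:", audit_key_initrd(bad, "/key-file.bin"))
```

To check an archive made with the documented `cpio -oH newc` command, call `audit_key_initrd(open("/root/key-file.cpio", "rb").read(), "/key-file.bin")`. Two things the archive check cannot cover: the mode recorded in the archive is what the kernel applies when it unpacks into the rootfs, so a 0644 entry is readable by every uid in the initrd no matter how tightly the `.cpio` file itself is chmod'ed; and GRUB reads the `.cpio` straight off the filesystem without consulting Unix permissions, so the archive must sit on a volume GRUB has already unlocked.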