Support for root filesystem on btrfs raid1 on two LUKS devices

Status: Open
Submitted by: amano.kenji
Owner: unassigned
Severity: normal
amano.kenji wrote on 30 Aug 09:07 +0200
To: bug-guix@gnu.org
Imagine that the root filesystem is btrfs raid1 on two LUKS devices.

To mount it from the initial RAM disk, Guix has to first unlock two LUKS devices with one password.
amano.kenji wrote on 5 Sep 03:56 +0200
A new insight
To: 72889@debbugs.gnu.org
I guess this is going to require passphrase reuse for mapped devices.
amano.kenji wrote on 10 Sep 15:14 +0200
I thought of a possible way to do this.
To: 72889@debbugs.gnu.org
- /dev/sda

/dev/sda1: A tiny LUKS partition that's filled with the content of a keyfile without any filesystem format.
/dev/sda2: /boot for grub. It also serves as FAT32 EFI partition.

- /dev/sdb

/dev/sdb1: /gnu/store on btrfs raid1
/dev/sdb2: / on btrfs raid1 on LUKS

- /dev/sdc

/dev/sdc1: /gnu/store on btrfs raid1
/dev/sdc2: / on btrfs raid1 on LUKS

Open /dev/sda1 as a LUKS device, /dev/mapper/key, with one password. It contains a keyfile without any filesystem format. Use /dev/mapper/key as a keyfile for all other LUKS devices in mapped devices.

This exposes /gnu/store, but /gnu/store is not supposed to have any sensitive data. This obviously makes it practically impossible to detect physical tampering of data, but if you store it at a secure location, you don't have to worry too much about an evil maid attack.

RAID1 for physically secure servers is enough to ensure some availability when a disk fails.

For laptops that you carry, you are not going to use btrfs raid1, and you can just have unencrypted /boot on FAT32 and / on btrfs on LUKS. extra-initrd contains a keyfile for / so that I don't have to type the password twice.

A desktop computer doesn't require server-level availability, but people who have money can still put root on encrypted btrfs raid1.

Perhaps, can this be documented in the cookbook?
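As an added illustration, not code from this report or from Guix itself, the layout proposed above written as an operating-system fragment. It assumes that `luks-device-mapping-with-options #:key-file` accepts a block device path and that mapped devices are opened in list order; the thread does not say Guix supports either, which is the point of this bug.

```scheme
;; Added example, not code from the bug report or from Guix.  Assumes
;; that luks-device-mapping-with-options #:key-file accepts a block
;; device path and that mapped devices are opened in list order.
(use-modules (gnu) (gnu system mapped-devices))

;; /dev/sda1: tiny LUKS partition whose plaintext is the raw keyfile
;; (no filesystem).  This is the only device that asks for a passphrase.
(define key-device
  (mapped-device
   (source "/dev/sda1")
   (target "key")
   (type luks-device-mapping)))

;; /dev/sdb2 and /dev/sdc2: the two LUKS members of the btrfs raid1
;; root, each unlocked with the plaintext of /dev/mapper/key.
(define root-members
  (map (lambda (source target)
         (mapped-device
          (source source)
          (target target)
          (type (luks-device-mapping-with-options
                 #:key-file "/dev/mapper/key"))))
       '("/dev/sdb2" "/dev/sdc2")
       '("root-a" "root-b")))

(operating-system
  (host-name "raid1-luks")
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets '("/boot"))))
  ;; The key device is listed first so it is opened first.
  (mapped-devices (cons key-device root-members))
  (file-systems
   (cons* (file-system
            (mount-point "/")
            ;; Either member can be named; btrfs needs both mapped first.
            (device "/dev/mapper/root-a")
            (type "btrfs")
            (dependencies (cons key-device root-members)))
          (file-system
            (mount-point "/gnu/store")
            (device (file-system-label "store")) ; unencrypted raid1
            (type "btrfs")
            (needed-for-boot? #t))
          (file-system
            (mount-point "/boot")
            (device (file-system-label "EFI"))
            (type "vfat"))
          %base-file-systems)))
```

Device paths and labels follow the layout in the message; UUIDs would be more robust against /dev/sdX reordering.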