Hello,

chayleaf writes:

> From: chayleaf
>
> This is a patch that adds a new field for mapped-filesystem that allows
> one to specify the LUKS encryption key via G-Expressions.
> An example use case is using a key stored on an external device.

This is a feature that many people have on their wishlist, and it looks like your code would do precisely that; however, I have to admit that I am against adding this code into master for security reasons.

The open-luks-device gexp, along with the whole passphrase [1], ends up in the boot script in the store, and the guix store is r-xr-xr-x, meaning that any program on your computer is able to read it. This is a pretty significant security risk that can reduce the benefits of full-disk encryption to nothing, so having it easily available to users would work against them. Feel free to use this patch on your local installation though, if you understand the security risks :)

On other distros, you can simply have keyfiles and initrds root-owned and r--------, and I think you could do something similar here, but you'd have to keep them out of the store and load them separately. This could be a solution, but I don't know off the top of my head how one could implement it.

[1] the actual encryption key is stored encrypted inside the LUKS header, which is unlocked with a passphrase, roughly.

--
Josselin Poiret
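The reply above makes two concrete points about where LUKS key material may live: anything under the store is readable by every local user, and on other distros keyfiles and initrds are kept safe by being root-owned and readable only by their owner. The following audit script is an added example written for this thread, not code from the patch or from Guix; it checks a candidate keyfile against exactly those two conditions. It assumes GNU coreutils `stat`, a store prefix of `/gnu/store` (overridable through the constructed `STORE_PREFIX` variable) and an expected owner of `root` (overridable through the constructed `KEY_OWNER` variable, which exists only so the script can be exercised as an unprivileged user).

```shell
#!/bin/sh
# Added example, not from the thread or from Guix.
# Audits whether a file holding LUKS key material is kept somewhere that
# only its owner can read.  STORE_PREFIX and KEY_OWNER are assumptions of
# this example, not Guix configuration.
STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"

# Return 0 if $1 lies under the store prefix.  Everything in the store is
# world-readable by design, so a secret there is exposed regardless of mode.
in_store() {
    case "$1" in
        "$STORE_PREFIX"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "exposed" if the group or other read bit is set on $1, "private" if
# only the owner can read it.  Uses the last two octal digits of the mode so
# that setuid/sticky prefixes (a fourth digit) do not confuse the check.
secret_readability() {
    mode=$(stat -c '%a' "$1") || return 2
    tail=${mode#"${mode%??}"}   # last two octal digits: group, other
    case "$tail" in
        *[4567]*) echo exposed ;;   # any digit with the read bit set
        *) echo private ;;
    esac
}

# Full audit of one keyfile path: location, owner, then permission bits.
# Returns 0 only when all three checks pass; prints the first failure found.
audit_keyfile() {
    path=$1
    expected_owner="${KEY_OWNER:-root}"
    if in_store "$path"; then
        echo "UNSAFE: $path lives under $STORE_PREFIX, which every user can read"
        return 1
    fi
    owner=$(stat -c '%U' "$path") || { echo "ERROR: cannot stat $path"; return 2; }
    if [ "$owner" != "$expected_owner" ]; then
        echo "UNSAFE: $path is owned by $owner, expected $expected_owner"
        return 1
    fi
    if [ "$(secret_readability "$path")" = exposed ]; then
        echo "UNSAFE: $path is readable by group or others (mode $(stat -c '%a' "$path"))"
        return 1
    fi
    echo "OK: $path is owned by $expected_owner and readable only by its owner"
    return 0
}

# Usage: audit_keyfile /path/to/keyfile
```

The location check runs first on purpose: a store path can have any mode bits the builder sets, but the directory it sits in is what the reply calls r-xr-xr-x, so mode alone says nothing there. The owner and mode checks only become meaningful once the file is outside the store, which is the same ordering as the reply's suggestion to keep such files out of the store and load them separately.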