unofficial mirror of bug-guix@gnu.org 
* bug#32054: [wishlist] Support LUKS key-files in initramfs
@ 2018-07-04 19:45 Taylan Kammer
  0 siblings, 0 replies; only message in thread
From: Taylan Kammer @ 2018-07-04 19:45 UTC (permalink / raw)
  To: 32054

It would be neat if guix supported creating an initramfs that contains
LUKS key-files and decrypts partitions with those.

Consider the following simple drive and partition setup:

    /dev/sda: Has GRUB installed
    /dev/sda1: Contains LUKS partition, meant to be mounted on / (root)
    /dev/sda2: Contains LUKS partition, meant to be mounted on /home

Without key-files, the boot process goes like this:

1. GRUB asks for the key for /dev/sda1 (key prompt 1)
2. The GRUB menu appears and lets you select the system to boot
3. The initramfs is loaded and starts doing its job
4. The initramfs asks for the key for /dev/sda1 (key prompt 2)
5. The initramfs(?) asks for the key for /dev/sda2 (key prompt 3)
6. The system continues and finishes booting

(I'm not sure if in step #5 it's still the initramfs that asks for the
key for sda2, or whether the initramfs is done after mounting sda1 and
switching root to it.)

This means the user has to enter a password three times, and two of the
times it's the same password.

If the initramfs contained key-files for the two partitions and were
able to use them instead of prompting the user, then the user would only
need to enter a key for GRUB, and further decryptions would happen
automatically.  (The initramfs itself resides on sda1, so the key-files
are safe.)


Taylan
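
The following check is an added example, not part of the original message or of Guix's code. Once sda1 is unlocked, the initramfs image is an ordinary file on the running system, so its read permissions decide who can extract embedded key-files. Assumptions: the image is a newc-format cpio archive, optionally gzip-compressed; key-files are recognised by a `.key`/`.keyfile` suffix; all function names and the sample archive are constructed for illustration.

```python
import gzip
import stat

KEY_SUFFIXES = (".key", ".keyfile")  # assumed naming convention for key-files

def _align4(n):
    return (n + 3) & ~3  # newc pads names and data to 4-byte boundaries

def cpio_entries(blob):
    """Yield (name, mode) for each member of a newc cpio archive (gzip or raw)."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] not in (b"070701", b"070702"):
            raise ValueError("no newc header at offset %d" % pos)
        # 13 fields of 8 hex digits follow the 6-byte magic
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, mode
        pos = _align4(_align4(pos + 110 + namesize) + filesize)

def audit_initramfs(blob, image_mode):
    """Return findings given the image bytes and the image file's st_mode."""
    keys = [n for n, m in cpio_entries(blob)
            if stat.S_ISREG(m) and n.lower().endswith(KEY_SUFFIXES)]
    findings = ["embedded key-file: " + n for n in keys]
    if keys and image_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("image is group/world-readable: key-files exposed")
    return findings

def make_newc(files):
    """Build a newc archive from [(name, mode, data)]; used for the sample only."""
    out = b""
    for name, mode, data in files + [("TRAILER!!!", 0, b"")]:
        n = name.encode() + b"\0"
        f = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
        out += b"070701" + b"".join(b"%08X" % v for v in f) + n
        out += b"\0" * (-len(out) % 4) + data + b"\0" * (-len(data) % 4)
    return out

SAMPLE = gzip.compress(make_newc([  # constructed sample, placeholder keys
    ("init", 0o100755, b"#!/bin/sh\n"),
    ("keys/root.key", 0o100400, b"\0" * 32),
    ("keys/home.key", 0o100400, b"\0" * 32),
]))
```

On a real system, pass the image's bytes and `os.stat(path).st_mode` to `audit_initramfs`; a mode of 0600 owned by root yields only the informational key-file entries.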
