From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ellen Papsch <ellen.papsch@wine-logistix.de>
Subject: Re: Unencrypted boot with encrypted root
Date: Mon, 06 Apr 2020 14:00:04 +0200
Message-ID: <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
References: <87ftdmi7pp.fsf@ambrevar.xyz>
 <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
 <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain>
 <a96461003ce1ff51cf8a39cdb56a8685c2e2a8dd.camel@wine-logistix.de>
 <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:37584)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ellen.papsch@wine-logistix.de>) id 1jLQQG-0001Be-I8
 for guix-devel@gnu.org; Mon, 06 Apr 2020 08:00:13 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ellen.papsch@wine-logistix.de>) id 1jLQQE-0001rH-Fz
 for guix-devel@gnu.org; Mon, 06 Apr 2020 08:00:11 -0400
Received: from dedi718.your-server.de ([78.46.1.118]:59828)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <ellen.papsch@wine-logistix.de>)
 id 1jLQQE-0001n8-5u
 for guix-devel@gnu.org; Mon, 06 Apr 2020 08:00:10 -0400
In-Reply-To: <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org
Sender: "Guix-devel"
 <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
To: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Cc: guix-devel@gnu.org

Am Samstag, den 04.04.2020, 12:18 +0200 schrieb pelzflorian (Florian
Pelz):
> Could key files help in passing the passphrase on to the
> Linux kernel?  The Arch Wiki says this: [...]
> 

The key file would be another means of decrypting the master key, if I
understand LUKS correctly. It would be independent of the passphrase.
(In LUKS terminology, two slots are used).

It would definitely help usability not having to enter a passphrase
twice. The GUI/TUI installer should take care generating the file and
ensuring strict permissions, so user processes cannot read it. There is
still some risk, because root processes could read it. If the installer
would support an external medium for the file, that would be best
(IMHO).

Best regards