From mboxrd@z Thu Jan 1 00:00:00 1970 From: Vagrant Cascadian Subject: Re: Unencrypted boot with encrypted root Date: Wed, 08 Apr 2020 09:22:29 -0700 Message-ID: <875zea3q2i.fsf@ponder> References: <87ftdmi7pp.fsf@ambrevar.xyz> <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de> <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain> <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain> <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de> <87d08jbpcc.fsf@gnu.org> <135d8491-53e8-46b6-b77a-fe6a4539b15d@www.fastmail.com> <878sj7i6p4.fsf@ponder> <6fc66a2a3f3cd71febb16bab2a0aeb65b6fdd147.camel@wine-logistix.de> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:41725) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jMDTK-0000Ms-9K for guix-devel@gnu.org; Wed, 08 Apr 2020 12:22:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jMDTJ-0004GI-2N for guix-devel@gnu.org; Wed, 08 Apr 2020 12:22:37 -0400 Received: from cascadia.aikidev.net ([173.255.214.101]:52672) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1jMDTI-0004Fr-Sp for guix-devel@gnu.org; Wed, 08 Apr 2020 12:22:37 -0400 In-Reply-To: <6fc66a2a3f3cd71febb16bab2a0aeb65b6fdd147.camel@wine-logistix.de> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org Sender: "Guix-devel" To: Ellen Papsch , Alex Griffin , guix-devel@gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On 2020-04-08, Ellen Papsch wrote: > Am Dienstag, den 07.04.2020, 09:47 -0700 schrieb Vagrant Cascadian: >> On 2020-04-07, Alex Griffin wrote: >> > So we can put the key in its own initrd (outside of the store) >> >=20 >>=20 >> I believe it's also possible for grub to provide the key >> derived/decrypted from the passphrase entered at run-time >>=20 > > These may be dangerous waters. The key file in initrd is like a house > key under the mattress. A malicious process could look in the well > defined place and exfiltrate the key. Think state trojan horses. A > random name would not suffice, because other characteristics may help > identifying the file (i.e. size). The key for a LUKs volume is exposed in the running kernel and a compromised root account can exfiltrate it...=20 > Regarding passing on the key, you mean the master key? I don't know if > it's possible. If it's documented and recommended, I'd say go for it. > But keep in mind this is crypto we are talking about. If it's something > hacky we're straying from the path and may be inadvertently opening up > security holes. A security guru analysis would help. It would reduce the attack surface by not asking for the passphrase twice. You *have* to to it once from grub (presuming encrypted /boot), so it's simply re-using the unlocked key... > I think* Guix would burden itself too much with secrets. It's something > for the user and the installer should just make it more convenient, > with a nudge to a more secure setup. The key file should be stored in a > user specified location, preferably a pen drive (which is otherwise not > used). It can be removed, so no read can occur by arbitrary processes. > A passphrase should be added as backup. No need to store the key file in anything but ephemeral ram, ideally where it wouldn't be swapped to disk, in the running kernel... I'll look into the actual implementation of what I'm talking about rather than rambling on further about theoretical possibilities. live well, vagrant --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXo36RgAKCRDcUY/If5cW qox+AP9kFTK8bylSrskuahmm+KGSDorZzErbzTed2xL1n1XiEgEA56WWTNkHfN/r iHg4otJGkL/0PcGdISfqDtjggrTL5Qc= =ouqa -----END PGP SIGNATURE----- --=-=-=--