On 2020-04-07, Alex Griffin wrote:
> On Tue, Apr 7, 2020, at 9:46 AM, Ludovic Courtès wrote:
>> The difficulty is that any file traveling through the store is
>> world-readable. It’s hard to avoid.
>
> If we can create the key file outside of the store, then GRUB is capable of being passed multiple initrds. So we can put the key in its own initrd (outside of the store), continue to generate the normal initrd in /gnu/store, and pass both of them to GRUB. The key never enters the store in any way.
>
> The result is that the user only needs to enter a password into GRUB, because GRUB then passes the key file to the kernel.

I believe it's also possible for grub to provide the key derived/decrypted from the passphrase entered at run-time, obviating the need for a separate key entirely. I don't have details on how to do this, but I *think* that's what recent Debian installs do... it certainly would simplify key slot management issues.

live well,
  vagrant
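The two-initrd scheme Alex describes, as an added shell example written for this thread (it is not Guix or GRUB project code): the key file is packed into a minimal newc cpio archive in pure POSIX sh, so no tool ever stages it through /gnu/store, and a GRUB stanza is printed that hands the key initrd and the normal store initrd to the kernel together. The kernel unpacks concatenated cpio archives into one initramfs. The name of the key inside the initramfs (crypto_keyfile.bin), the 0600 mode, the cryptroot mapper name, and the kernel, store-initrd and key-initrd paths are all assumptions; whether the Guix initrd looks for a key at that path is not something the thread establishes.

```shell
#!/bin/sh
# Key-only initramfs builder plus GRUB stanza for the "two initrds" idea.
# Example code for the discussion, not from Guix or GRUB. Paths, the key
# name inside the initramfs and the mapper name are placeholders.
set -eu

# Emit n NUL bytes; newc aligns every header and data block to 4 bytes.
nul_pad() {
    n=$1
    while [ "$n" -gt 0 ]; do printf '\000'; n=$((n - 1)); done
}

# One newc entry: 110-byte ASCII header ("070701" + 13 fields of 8 hex
# digits: ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj
# rdevmin namesize check), NUL-terminated name, padding, data, padding.
cpio_newc_entry() {
    name=$1 file=$2 mode=$3
    size=$(( $(wc -c < "$file") ))
    namesize=$(( ${#name} + 1 ))
    printf '070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x' \
        1 "$mode" 0 0 1 0 "$size" 0 0 0 0 "$namesize" 0
    printf '%s\000' "$name"
    nul_pad $(( (4 - (110 + namesize) % 4) % 4 ))
    cat "$file"
    nul_pad $(( (4 - size % 4) % 4 ))
}

# The archive terminator the kernel's unpacker stops at.
cpio_newc_trailer() {
    printf '070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x' \
        0 0 0 0 1 0 0 0 0 0 0 11 0
    printf 'TRAILER!!!\000'
    nul_pad $(( (4 - (110 + 11) % 4) % 4 ))
}

# Wrap one key file as a stand-alone initramfs, mode 0600 inside the
# archive (33152 = 0100600 octal) and 0600 on disk via umask.  Write the
# result somewhere outside /gnu/store, e.g. the encrypted /boot.
build_key_initrd() {
    keyfile=$1 out=$2
    ( umask 077
      { cpio_newc_entry crypto_keyfile.bin "$keyfile" 33152
        cpio_newc_trailer
      } > "$out" )
}

# GRUB stanza: unlock the LUKS volume holding /boot with a passphrase,
# then pass the key initrd and the store initrd in one initrd command.
grub_stanza() {
    luks_uuid=$1 kernel=$2 store_initrd=$3 key_initrd=$4
    cat <<EOF
menuentry "Guix (key passed via separate initrd)" {
  cryptomount -u $luks_uuid
  search --file --set=root $kernel
  linux $kernel root=/dev/mapper/cryptroot
  initrd $key_initrd $store_initrd
}
EOF
}

# Demo: `sh thisfile.sh --demo` builds an archive from a constructed key
# and lists it with cpio when that tool is installed.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    head -c 64 /dev/urandom > "$tmp/key.bin"          # constructed sample key
    build_key_initrd "$tmp/key.bin" "$tmp/initrd-key.img"
    command -v cpio >/dev/null 2>&1 && cpio -t < "$tmp/initrd-key.img"
    grub_stanza 00000000-0000-0000-0000-000000000000 \
        /gnu/store/PLACEHOLDER-linux/bzImage \
        /gnu/store/PLACEHOLDER-initrd/initrd \
        /initrd-key.img
fi
```

The point of the separate archive is only that nothing copies the key into the world-readable store; the key initrd itself is plaintext on disk, so it must live on the volume that GRUB's `cryptomount` unlocks with the passphrase, not on an unencrypted /boot, or the scheme protects nothing. The key file inside the initramfs is still readable by anything running in that early userspace, which is the trade-off Alex's proposal accepts.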