From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
Subject: Re: Unencrypted boot with encrypted root
Date: Tue, 07 Apr 2020 11:46:27 +0200
Message-ID: <87d08jbpcc.fsf@gnu.org>
References: <87ftdmi7pp.fsf@ambrevar.xyz>
 <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
 <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain>
 <a96461003ce1ff51cf8a39cdb56a8685c2e2a8dd.camel@wine-logistix.de>
 <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
 <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:36402)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>) id 1jLkoS-0000Uy-Dc
 for guix-devel@gnu.org; Tue, 07 Apr 2020 05:46:33 -0400
In-Reply-To: <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
 (Ellen Papsch's message of "Mon, 06 Apr 2020 14:00:04 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org
Sender: "Guix-devel"
 <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
To: Ellen Papsch <ellen.papsch@wine-logistix.de>
Cc: guix-devel@gnu.org

Hi,

Ellen Papsch <ellen.papsch@wine-logistix.de> skribis:

> Am Samstag, den 04.04.2020, 12:18 +0200 schrieb pelzflorian (Florian
> Pelz):
>> Could key files help in passing the passphrase on to the
>> Linux kernel?  The Arch Wiki says this: [...]
>>=20
>
> The key file would be another means of decrypting the master key, if I
> understand LUKS correctly. It would be independent of the passphrase.
> (In LUKS terminology, two slots are used).
>
> It would definitely help usability not having to enter a passphrase
> twice. The GUI/TUI installer should take care generating the file and
> ensuring strict permissions, so user processes cannot read it. There is
> still some risk, because root processes could read it. If the installer
> would support an external medium for the file, that would be best
> (IMHO).

The difficulty is that any file traveling through the store is
world-readable.  It=E2=80=99s hard to avoid.

Ludo=E2=80=99.