unofficial mirror of guix-devel@gnu.org 
* Encrypted root partition
@ 2016-11-23 22:31 Ludovic Courtès
  2016-11-24  6:45 ` Chris Marusich
  0 siblings, 1 reply; 15+ messages in thread
From: Ludovic Courtès @ 2016-11-23 22:31 UTC
  To: guix-devel

Hello Guix!

In case you missed it, GuixSD now supports LUKS-encrypted root
partitions, finally!

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21843#48

And there’s a system test, which can also serve as an example for people
who want to test it:

  http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm#n392

The test is pretty fun because it resorts to OCR on QEMU screenshots to
determine when it can enter the passphrase (when booting the installed
system).

  http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm#n456
  http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/build/marionette.scm#n177

It should turn green on Hydra when it gets to run it:

  https://hydra.gnu.org/job/gnu/master/test.encrypted-root-os.x86_64-linux

In the meantime, you can always run:

  make check-system TESTS=encrypted-root-os

Now we need documentation.  Petter had submitted a patch back in
February(!) so I guess I’ll start from there and see if any adjustments
need to be made.

Feedback welcome!

Ludo’.

* Re: Encrypted root partition
  2016-11-23 22:31 Encrypted root partition Ludovic Courtès
@ 2016-11-24  6:45 ` Chris Marusich
  2016-11-24 22:37   ` Ludovic Courtès
  0 siblings, 1 reply; 15+ messages in thread
From: Chris Marusich @ 2016-11-24  6:45 UTC
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Hello Guix!
>
> In case you missed it, GuixSD now supports LUKS-encrypted root
> partitions, finally!
>
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21843#48
>
> And there’s a system test, which can also serve as an example for people
> who want to test it:
>
>   http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm#n392
>
> The test is pretty fun because it resorts to OCR on QEMU screenshots to
> determine when it can enter the passphrase (when booting the installed
> system).
>
>   http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/tests/install.scm#n456
>   http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/build/marionette.scm#n177
>
> It should turn green on Hydra when it gets to run it:
>
>   https://hydra.gnu.org/job/gnu/master/test.encrypted-root-os.x86_64-linux
>
> In the meantime, you can always run:
>
>   make check-system TESTS=encrypted-root-os
>
> Now we need documentation.  Petter had submitted a patch back in
> February(!) so I guess I’ll start from there and see if any adjustments
> need to be made.
>
> Feedback welcome!
>
> Ludo’.

Wow!  This is super cool!  Using OCR is a neat idea.  It looks simpler
to implement than I would have imagined it might be.  Thank you for
continuing to pave the way for system tests.

Is anyone actively working on documenting the new encrypted root stuff?
If not, I'm happy to try my hand at it.  I'm interested in trying to set
it up on my laptop, anyway.

-- 
Chris


* Re: Encrypted root partition
  2016-11-24  6:45 ` Chris Marusich
@ 2016-11-24 22:37   ` Ludovic Courtès
  2016-11-25 16:06     ` ng0
  2017-01-18  9:58     ` Chris Marusich
  0 siblings, 2 replies; 15+ messages in thread
From: Ludovic Courtès @ 2016-11-24 22:37 UTC
  To: Chris Marusich; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> skribis:

> Is anyone actively working on documenting the new encrypted root stuff?
> If not, I'm happy to try my hand at it.  I'm interested in trying to set
> it up on my laptop, anyway.

I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.

Please send a patch if you think of improvements that can be made.

Ludo’.

* Re: Encrypted root partition
  2016-11-24 22:37   ` Ludovic Courtès
@ 2016-11-25 16:06     ` ng0
  2017-01-18  9:58     ` Chris Marusich
  1 sibling, 0 replies; 15+ messages in thread
From: ng0 @ 2016-11-25 16:06 UTC
  To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> Is anyone actively working on documenting the new encrypted root stuff?
>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>> it up on my laptop, anyway.
>
> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>
> Please send a patch if you think of improvements that can be made.
>
> Ludo’.
>
>
I can confirm a first success. I used a "bare metal" test system
and guix pull'ed from within it.  With the addition of the last
line in your updated example (properties mapped-devices) I was
able to init a LUKS test system which only has the bios_boot
partition outside of the LUKS partition, with swap being a file.

It works as a test.

Thanks for your work on this!

* Re: Encrypted root partition
  2016-11-24 22:37   ` Ludovic Courtès
  2016-11-25 16:06     ` ng0
@ 2017-01-18  9:58     ` Chris Marusich
  2017-01-18 11:38       ` Chris Marusich
  2017-01-18 21:17       ` Ludovic Courtès
  1 sibling, 2 replies; 15+ messages in thread
From: Chris Marusich @ 2017-01-18  9:58 UTC
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> Is anyone actively working on documenting the new encrypted root stuff?
>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>> it up on my laptop, anyway.
>
> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>
> Please send a patch if you think of improvements that can be made.

I'm happy to report that I was successful in setting up an encrypted
root file system on my Libreboot laptop.  I have to enter the passphrase
twice, but that's no different from the normal case (without Libreboot).
It took me multiple days to get it working, though, because each time I
tried to run "guix system init", it took over 8 hours to finish!

This is really good!  Thank you for adding this feature.

-- 
Chris


* Re: Encrypted root partition
  2017-01-18  9:58     ` Chris Marusich
@ 2017-01-18 11:38       ` Chris Marusich
  2017-01-18 20:53         ` Efraim Flashner
                           ` (2 more replies)
  2017-01-18 21:17       ` Ludovic Courtès
  1 sibling, 3 replies; 15+ messages in thread
From: Chris Marusich @ 2017-01-18 11:38 UTC
  To: Ludovic Courtès; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>> it up on my laptop, anyway.
>>
>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>
>> Please send a patch if you think of improvements that can be made.
>
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop.  I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!
>
> This is really good!  Thank you for adding this feature.

As a bonus, I realized that one could use this feature to encrypt swap,
also.  You can encrypt your swap area by using a swap file in the root
file system.  Specifically, if you do something like this...

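 # Create a 10 GiB file of zeros to hold the swap area.
 sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
 # Make the file readable/writable only by root.
 sudo chmod 600 /swapfile
 # Write the swap signature, labelling the area "swap".
 sudo mkswap --label swap /swapfile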

and then you add a single line to your operating system configuration
file like this...

 (swap-devices '("/swapfile"))

then your swap file will be automatically mounted during boot.  You
don't even have to enter your LUKS passphrase an additional time.  I was
pleasantly surprised to find out that encrypted swap was this easy!

-- 
Chris


* Re: Encrypted root partition
  2017-01-18 11:38       ` Chris Marusich
@ 2017-01-18 20:53         ` Efraim Flashner
  2017-01-18 21:16         ` Ludovic Courtès
  2017-01-19  4:08         ` Mike Gerwitz
  2 siblings, 0 replies; 15+ messages in thread
From: Efraim Flashner @ 2017-01-18 20:53 UTC
  To: Chris Marusich; +Cc: guix-devel

On Wed, Jan 18, 2017 at 03:38:57AM -0800, Chris Marusich wrote:
> Chris Marusich <cmmarusich@gmail.com> writes:
> 
> As a bonus, I realized that one could use this feature to encrypt swap,
> also.  You can encrypt your swap area by using a swap file in the root
> file system.  Specifically, if you do something like this...
> 
>  # Make the file readable/writable only by root.
>  sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
>  sudo chmod 600 /swapfile
>  sudo mkswap --label swap /swapfile
> 
> and then you add a single line to your operating system configuration
> file like this...
> 
>  (swap-devices '("/swapfile"))
> 
> then your swap file will be automatically mounted during boot.  You
> don't even have to enter your LUKS passphrase an additional time.  I was
> pleasantly surprised to find out that encrypted swap was this easy!
> 

This seems like something that would be nice to add to the manual :)


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* Re: Encrypted root partition
  2017-01-18 11:38       ` Chris Marusich
  2017-01-18 20:53         ` Efraim Flashner
@ 2017-01-18 21:16         ` Ludovic Courtès
  2017-01-19  4:08         ` Mike Gerwitz
  2 siblings, 0 replies; 15+ messages in thread
From: Ludovic Courtès @ 2017-01-18 21:16 UTC
  To: Chris Marusich; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> skribis:

> Chris Marusich <cmmarusich@gmail.com> writes:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>>> it up on my laptop, anyway.
>>>
>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop.  I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> This is really good!  Thank you for adding this feature.
>
> As a bonus, I realized that one could use this feature to encrypt swap,
> also.  You can encrypt your swap area by using a swap file in the root
> file system.  Specifically, if you do something like this...
>
>  # Make the file readable/writable only by root.
>  sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
>  sudo chmod 600 /swapfile
>  sudo mkswap --label swap /swapfile
>
> and then you add a single line to your operating system configuration
> file like this...
>
>  (swap-devices '("/swapfile"))

You may even be able to use /dev/mapper/something-encrypted here, albeit
with an additional passphrase prompt.

Ludo’.

* Re: Encrypted root partition
  2017-01-18  9:58     ` Chris Marusich
  2017-01-18 11:38       ` Chris Marusich
@ 2017-01-18 21:17       ` Ludovic Courtès
  2017-01-19  4:30         ` Chris Marusich
  1 sibling, 1 reply; 15+ messages in thread
From: Ludovic Courtès @ 2017-01-18 21:17 UTC
  To: Chris Marusich; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>> it up on my laptop, anyway.
>>
>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>
>> Please send a patch if you think of improvements that can be made.
>
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop.  I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!

Woow, was it building stuff, or was downloading super slow?  Was it a
desktop-style install?

Thanks for your report!

Ludo’.

* Re: Encrypted root partition
  2017-01-18 11:38       ` Chris Marusich
  2017-01-18 20:53         ` Efraim Flashner
  2017-01-18 21:16         ` Ludovic Courtès
@ 2017-01-19  4:08         ` Mike Gerwitz
  2017-01-19  4:21           ` Chris Marusich
  2017-01-19 22:31           ` dian_cecht
  2 siblings, 2 replies; 15+ messages in thread
From: Mike Gerwitz @ 2017-01-19  4:08 UTC
  To: Chris Marusich; +Cc: guix-devel

On Wed, Jan 18, 2017 at 03:38:57 -0800, Chris Marusich wrote:
> As a bonus, I realized that one could use this feature to encrypt swap,
> also.  You can encrypt your swap area by using a swap file in the root
> file system.  Specifically, if you do something like this...

Using an ephemeral key for swap (that is: a temporary key that is
randomly generated and never stored) is preferred: when you unmount it,
the data won't be recoverable.

Mounting a normal swapfile, on the other hand, writes swapped memory to
disk, which opens a host of potential security and forensic issues.

Of course, so does traditional swap. :)

I'm not familiar enough with Guix (yet!) to know how to set it up, but I
also haven't done any research.  Arch has a good summary:

  https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
Old: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com
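
Added example (not part of any message in this thread): a shell check for the point discussed above, whether each active swap area, swap file or partition, sits on or is stacked on a dm-crypt mapping so that swapped memory is not written to disk in the clear. The function names and the fixture are hypothetical and constructed for illustration; the check assumes cryptsetup's convention of giving its mappings a device-mapper UUID that starts with "CRYPT-".

```sh
#!/bin/sh
# Added example: is every active swap area on (or stacked on) dm-crypt?

# dev_name PATH: kernel name of a block device path (/dev/mapper/x -> dm-N).
dev_name() (
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    echo "${real##*/}"
)

# backing_dev FILE: source device of the file system that holds a swap file.
backing_dev() { df -P "$1" | awk 'NR == 2 { print $1 }'; }

# on_crypt NAME [SYSFS]: succeed if block device NAME is a dm-crypt mapping
# (DM UUID starts with "CRYPT-", the prefix assumed from cryptsetup) or is
# stacked on one, e.g. an LVM volume inside a LUKS container.
on_crypt() (
    node="${2:-/sys}/class/block/$1"
    if [ -r "$node/dm/uuid" ]; then
        case $(cat "$node/dm/uuid") in CRYPT-*) exit 0 ;; esac
    fi
    for slave in "$node"/slaves/*; do
        [ -e "$slave" ] || continue          # no slaves: glob stayed literal
        on_crypt "${slave##*/}" "${2:-/sys}" && exit 0
    done
    exit 1
)

# audit_swaps [SWAPS] [SYSFS]: print "PATH TYPE VERDICT" for each swap area
# listed in SWAPS (default /proc/swaps); return 1 if any is not encrypted.
audit_swaps() (
    rc=0
    while read -r path type rest; do
        case $type in
            file)      dev=$(backing_dev "$path") ;;
            partition) dev=$path ;;
            *)         continue ;;           # header line
        esac
        if on_crypt "$(dev_name "$dev")" "${2:-/sys}"; then
            echo "$path $type encrypted"
        else
            echo "$path $type PLAINTEXT"
            rc=1
        fi
    done < "${1:-/proc/swaps}"
    exit "$rc"
)

# make_fixture DIR: constructed sample data (not from a real machine):
# dm-0 = LUKS root, dm-1 = LVM volume on dm-0, dm-2 = plain dm-crypt swap
# mapping, sda2 = ordinary unencrypted partition.
make_fixture() {
    b="$1/sys/class/block"
    mkdir -p "$b/dm-0/dm" "$b/dm-1/dm" "$b/dm-1/slaves/dm-0" "$b/dm-2/dm" "$b/sda2"
    echo "CRYPT-LUKS1-0123456789abcdef-cryptroot" > "$b/dm-0/dm/uuid"
    echo "LVM-constructedVolumeGroupAndVolumeId" > "$b/dm-1/dm/uuid"
    echo "CRYPT-PLAIN-cryptswap" > "$b/dm-2/dm/uuid"
    printf '%s\n' \
        "Filename    Type       Size     Used Priority" \
        "/swapfile   file       10485756 0    -2" \
        "/dev/dm-2   partition  2097148  0    -3" \
        "/dev/sda2   partition  2097148  0    -4" > "$1/swaps"
}
```

Called with no arguments, audit_swaps reads the live /proc/swaps and /sys. To replay the fixture offline, backing_dev has to be stubbed so that the /swapfile row resolves to /dev/dm-1.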


* Re: Encrypted root partition
  2017-01-19  4:08         ` Mike Gerwitz
@ 2017-01-19  4:21           ` Chris Marusich
  2017-01-19 22:31           ` dian_cecht
  1 sibling, 0 replies; 15+ messages in thread
From: Chris Marusich @ 2017-01-19  4:21 UTC
  To: Mike Gerwitz; +Cc: guix-devel

Mike Gerwitz <mtg@gnu.org> writes:

> On Wed, Jan 18, 2017 at 03:38:57 -0800, Chris Marusich wrote:
>> As a bonus, I realized that one could use this feature to encrypt swap,
>> also.  You can encrypt your swap area by using a swap file in the root
>> file system.  Specifically, if you do something like this...
>
> Using an ephemeral key for swap (that is: a temporary key that is
> randomly generated and never stored) is preferred: when you unmount it,
> the data won't be recoverable.
>
> Mounting a normal swapfile, on the other hand, writes swapped memory to
> disk, which opens a host of potential security and forensic issues.
>
> Of course, so does traditional swap. :)
>
> I'm not familiar enough with Guix (yet!) to know how to set it up, but I
> also haven't done any research.  Arch has a good summary:
>
>   https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

Interesting!  Thank you for the additional information.

-- 
Chris


* Re: Encrypted root partition
  2017-01-18 21:17       ` Ludovic Courtès
@ 2017-01-19  4:30         ` Chris Marusich
  2017-01-19 12:07           ` Ludovic Courtès
  0 siblings, 1 reply; 15+ messages in thread
From: Chris Marusich @ 2017-01-19  4:30 UTC
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>>> it up on my laptop, anyway.
>>>
>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop.  I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>
> Woow, was it building stuff, or was downloading super slow?  Was it a
> desktop-style install?

It was a desktop-style install.  Many packages were built from source,
even though some were downloaded via substitutes, also.  It was
particularly painful because I didn't know how to save and re-use the
result of the first build attempt, so I'm sure I wasted a lot of time
starting over and rebuilding the same packages a second time.

-- 
Chris


* Re: Encrypted root partition
  2017-01-19  4:30         ` Chris Marusich
@ 2017-01-19 12:07           ` Ludovic Courtès
  2017-01-20  5:37             ` Chris Marusich
  0 siblings, 1 reply; 15+ messages in thread
From: Ludovic Courtès @ 2017-01-19 12:07 UTC
  To: Chris Marusich; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>
>>> ludo@gnu.org (Ludovic Courtès) writes:
>>>
>>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>>
>>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>>>> it up on my laptop, anyway.
>>>>
>>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>>
>>>> Please send a patch if you think of improvements that can be made.
>>>
>>> I'm happy to report that I was successful in setting up an encrypted
>>> root file system on my Libreboot laptop.  I have to enter the passphrase
>>> twice, but that's no different from the normal case (without Libreboot).
>>> It took me multiple days to get it working, though, because each time I
>>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> Woow, was it building stuff, or was downloading super slow?  Was it a
>> desktop-style install?
>
> It was a desktop-style install.  Many packages were built from source,
> even though some were downloaded via substitutes, also.  It was
> particularly painful because I didn't know how to save and re-use the
> result of the first build attempt, so I'm sure I wasted a lot of time
> starting over and rebuilding the same packages a second time.

There’s currently no option to resume an install unfortunately.

I’m surprised though.  0.12.0 binaries are still available on
hydra.gnu.org AFAIK, or at least we (i.e., Mark) took the appropriate
measures to protect them from garbage collection.

I guess I should try a desktop install and see which substitutes are
missing.

Ludo’.

* Re: Encrypted root partition
  2017-01-19  4:08         ` Mike Gerwitz
  2017-01-19  4:21           ` Chris Marusich
@ 2017-01-19 22:31           ` dian_cecht
  1 sibling, 0 replies; 15+ messages in thread
From: dian_cecht @ 2017-01-19 22:31 UTC
  To: guix-devel

On Wed, Jan 18, 2017 at 11:08:22PM -0500, Mike Gerwitz wrote:
> Using an ephemeral key for swap (that is: a temporary key that is
> randomly generated and never stored) is preferred: when you unmount it,
> the data won't be recoverable.
> 

I just wanted to say that this can break suspend-to-disk, and so if someone is
going to make a note of something in the manual, said breakage should also be
mentioned, but if suspend-to-disk isn't needed, this is the ideal option.

I also want to mention that I seem to recall there is a way to get the kernel to
store suspend-to-disk info somewhere other than root, but I don't recall the
method, but I do recall it being a bit annoying to set up.

* Re: Encrypted root partition
  2017-01-19 12:07           ` Ludovic Courtès
@ 2017-01-20  5:37             ` Chris Marusich
  0 siblings, 0 replies; 15+ messages in thread
From: Chris Marusich @ 2017-01-20  5:37 UTC
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Chris Marusich <cmmarusich@gmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>
>>>> ludo@gnu.org (Ludovic Courtès) writes:
>>>>
>>>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>>>
>>>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to set
>>>>>> it up on my laptop, anyway.
>>>>>
>>>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>>>
>>>>> Please send a patch if you think of improvements that can be made.
>>>>
>>>> I'm happy to report that I was successful in setting up an encrypted
>>>> root file system on my Libreboot laptop.  I have to enter the passphrase
>>>> twice, but that's no different from the normal case (without Libreboot).
>>>> It took me multiple days to get it working, though, because each time I
>>>> tried to run "guix system init", it took over 8 hours to finish!
>>>
>>> Woow, was it building stuff, or was downloading super slow?  Was it a
>>> desktop-style install?
>>
>> It was a desktop-style install.  Many packages were built from source,
>> even though some were downloaded via substitutes, also.  It was
>> particularly painful because I didn't know how to save and re-use the
>> result of the first build attempt, so I'm sure I wasted a lot of time
>> starting over and rebuilding the same packages a second time.
>
> There’s currently no option to resume an install unfortunately.
>
> I’m surprised though.  0.12.0 binaries are still available on
> hydra.gnu.org AFAIK, or at least we (i.e., Mark) took the appropriate
> measures to protect them from garbage collection.
>
> I guess I should try a desktop install and see which substitutes are
> missing.

It's probably because I ran 'guix pull' before installing.  Maybe I
shouldn't have done that!

-- 
Chris
