From: Chris Marusich
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 03:38:57 -0800
Message-ID: <87eg00k372.fsf@gmail.com>
In-Reply-To: <87pojkitaf.fsf@gmail.com> (Chris Marusich's message of "Wed, 18 Jan 2017 01:58:16 -0800")
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Chris Marusich writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Chris Marusich writes:
>>
>>> Is anyone actively working on documenting the new encrypted root stuff?
>>> If not, I'm happy to try my hand at it. I'm interested in trying to set
>>> it up on my laptop, anyway.
>>
>> I've added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>
>> Please send a patch if you think of improvements that can be made.
>
> I'm happy to report that I was successful in setting up an encrypted
> root file system on my Libreboot laptop. I have to enter the passphrase
> twice, but that's no different from the normal case (without Libreboot).
> It took me multiple days to get it working, though, because each time I
> tried to run "guix system init", it took over 8 hours to finish!
>
> This is really good! Thank you for adding this feature.

As a bonus, I realized that one could use this feature to encrypt swap,
also. You can encrypt your swap area by using a swap file in the root
file system. Specifically, if you do something like this...

  # Make the file readable/writable only by root.
  sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
  sudo chmod 600 /swapfile
  sudo mkswap --label swap /swapfile

and then you add a single line to your operating system configuration
file like this...

  (swap-devices '("/swapfile"))

then your swap file will be automatically mounted during boot. You don't
even have to enter your LUKS passphrase an additional time. I was
pleasantly surprised to find out that encrypted swap was this easy!

-- 
Chris
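To show how the swap-file line fits together with the encrypted root it relies on, here is an added example of a complete Guix operating-system declaration in the early-2017 configuration syntax this thread uses; it is not from Chris's message or from the Guix repository. The host name, user name, partition and bootloader device names are placeholders.

```scheme
;; Added example (not from the original message): a LUKS-encrypted root
;; plus a swap file stored inside that root, so swap is encrypted under
;; the same key and needs no extra passphrase prompt at boot.
(use-modules (gnu))

(operating-system
  (host-name "libreboot-laptop")            ; placeholder
  (timezone "Europe/Paris")
  (locale "en_US.utf8")

  ;; 2017-era bootloader field; newer Guix uses bootloader-configuration.
  (bootloader (grub-configuration (device "/dev/sda")))   ; placeholder

  ;; The LUKS container on /dev/sda2 (placeholder) is opened at boot as
  ;; /dev/mapper/cryptroot.  This is where the single passphrase prompt
  ;; for the whole system comes from.
  (mapped-devices
   (list (mapped-device
          (source "/dev/sda2")
          (target "cryptroot")
          (type luks-device-mapping))))

  ;; The root file system lives on the mapped device, so it must declare
  ;; the dependency; otherwise it would be mounted before LUKS is opened.
  (file-systems
   (cons (file-system
           (device "/dev/mapper/cryptroot")
           (mount-point "/")
           (type "ext4")
           (dependencies mapped-devices))
         %base-file-systems))

  ;; /swapfile is a regular file on "/", which is already decrypted by
  ;; the time swap is activated, so its pages land inside the LUKS
  ;; container.  Create it first with dd/chmod 600/mkswap as above.
  (swap-devices '("/swapfile"))

  (users (cons (user-account
                (name "chris")              ; placeholder
                (group "users")
                (home-directory "/home/chris"))
               %base-user-accounts))

  (services %base-services))
```

The string form of swap-devices shown here is the one the message uses; current Guix releases expect swap-space records instead, but the dependency on the encrypted root works the same way.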