From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 22:16:24 +0100
Message-ID: <87inpc83x3.fsf@gnu.org>
References: <87vavd3k1t.fsf@gnu.org> <87a8cp4bqk.fsf@gmail.com>
	<877f7swllv.fsf@gnu.org> <87pojkitaf.fsf@gmail.com>
	<87eg00k372.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51625)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cTxaq-0002YP-JW
	for guix-devel@gnu.org; Wed, 18 Jan 2017 16:16:33 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1cTxan-0005eP-BL
	for guix-devel@gnu.org; Wed, 18 Jan 2017 16:16:32 -0500
In-Reply-To: <87eg00k372.fsf@gmail.com> (Chris Marusich's message of "Wed, 18
	Jan 2017 03:38:57 -0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Chris Marusich <cmmarusich@gmail.com>
Cc: guix-devel@gnu.org

Chris Marusich <cmmarusich@gmail.com> skribis:

> Chris Marusich <cmmarusich@gmail.com> writes:
>
>> ludo@gnu.org (Ludovic Court=C3=A8s) writes:
>>
>>> Chris Marusich <cmmarusich@gmail.com> skribis:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it.  I'm interested in trying to s=
et
>>>> it up on my laptop, anyway.
>>>
>>> I=E2=80=99ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb=
7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop.  I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> This is really good!  Thank you for adding this feature.
>
> As a bonus, I realized that one could use this feature to encrypt swap,
> also.  You can encrypt your swap area by using a swap file in the root
> file system.  Specifically, if you do something like this...
>
>  # Make the file readable/writable only by root.
>  sudo dd if=3D/dev/zero of=3D/swapfile bs=3D1MiB count=3D10240
>  sudo chmod 600 /swapfile
>  sudo mkswap --label swap /swapfile
>
> and then you add a single line to your operating system configuration
> file like this...
>
>  (swap-devices '("/swapfile"))

You may even be able to use /dev/mapper/something-encrypted here, albeit
with an additional passphrase prompt.

Ludo=E2=80=99.