From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 22:16:24 +0100
Message-ID: <87inpc83x3.fsf@gnu.org>
References: <87vavd3k1t.fsf@gnu.org> <87a8cp4bqk.fsf@gmail.com> <877f7swllv.fsf@gnu.org> <87pojkitaf.fsf@gmail.com> <87eg00k372.fsf@gmail.com>
In-Reply-To: <87eg00k372.fsf@gmail.com> (Chris Marusich's message of "Wed, 18 Jan 2017 03:38:57 -0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Chris Marusich
Cc: guix-devel@gnu.org

Chris Marusich skribis:

> Chris Marusich writes:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Chris Marusich skribis:
>>>
>>>> Is anyone actively working on documenting the new encrypted root stuff?
>>>> If not, I'm happy to try my hand at it. I'm interested in trying to set
>>>> it up on my laptop, anyway.
>>>
>>> I’ve added documentation in 2b5fea5ba3b07999cf198e1132ffcacbfcb7ed72.
>>>
>>> Please send a patch if you think of improvements that can be made.
>>
>> I'm happy to report that I was successful in setting up an encrypted
>> root file system on my Libreboot laptop. I have to enter the passphrase
>> twice, but that's no different from the normal case (without Libreboot).
>> It took me multiple days to get it working, though, because each time I
>> tried to run "guix system init", it took over 8 hours to finish!
>>
>> This is really good! Thank you for adding this feature.
>
> As a bonus, I realized that one could use this feature to encrypt swap,
> also. You can encrypt your swap area by using a swap file in the root
> file system. Specifically, if you do something like this...
>
> # Make the file readable/writable only by root.
> sudo dd if=/dev/zero of=/swapfile bs=1MiB count=10240
> sudo chmod 600 /swapfile
> sudo mkswap --label swap /swapfile
>
> and then you add a single line to your operating system configuration
> file like this...
>
> (swap-devices '("/swapfile"))

You may even be able to use /dev/mapper/something-encrypted here, albeit
with an additional passphrase prompt.

Ludo’.
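Added example, not part of the thread and not Guix's own code: a POSIX shell script that carries out the swap-file procedure quoted above, creating the file with mode 0600 before any data is written, and then checks the property the trick depends on, namely that the file system holding the swap file is really a dm-crypt mapping (so swapped-out pages, which can contain key material, are encrypted at rest). The path /swapfile, the size, the RUN_SWAP_SETUP variable and the optional fake-sysfs root are assumptions of this example. It relies on GNU coreutils, util-linux (findmnt, lsblk) and the Linux convention that dm-crypt targets carry a device-mapper UUID beginning with "CRYPT-".

```shell
#!/bin/sh
# Example only (not from the thread, not Guix code): set up a swap file on
# the root file system with safe permissions and verify that the root file
# system is a dm-crypt mapping before declaring (swap-devices '("/swapfile")).
set -eu

SWAPFILE="${SWAPFILE:-/swapfile}"   # assumed path, as in the quoted mail
SWAP_MIB="${SWAP_MIB:-10240}"       # assumed size in MiB

# Create PATH readable/writable only by root *before* writing any data, so
# there is never a window in which another user could read swap contents.
create_swapfile() {
    path=$1; mib=$2
    ( umask 077 && : > "$path" )              # create/truncate with mode 0600
    chmod 600 "$path"                         # also fixes a pre-existing file
    dd if=/dev/zero of="$path" bs=1MiB count="$mib" status=none
    mkswap --label swap "$path" >/dev/null
}

# Return 0 if PATH is a regular file whose mode is exactly 0600.
check_swapfile_mode() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Return 0 if device-mapper device NAME (e.g. dm-0) is a dm-crypt target.
# dm-crypt mappings have a DM UUID starting with "CRYPT-". SYSROOT defaults
# to /sys; a test can point it at a constructed sysfs tree instead.
dm_is_crypt() {
    name=$1; sysroot=${2:-/sys}
    uuid_file="$sysroot/block/$name/dm/uuid"
    [ -r "$uuid_file" ] || return 1
    case "$(cat "$uuid_file")" in
        CRYPT-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Resolve the block device backing the file system that holds PATH and
# report whether that device is an encrypted mapping.
swapfile_is_on_crypt() {
    src=$(findmnt -n -o SOURCE -T "$1")      # e.g. /dev/mapper/my-root
    src=${src%%\[*}                          # drop a btrfs "[/subvol]" suffix
    kname=$(lsblk -n -o KNAME "$src" 2>/dev/null | head -n1)   # e.g. dm-0
    [ -n "$kname" ] && dm_is_crypt "$kname"
}

# The single line to add to the operating-system declaration.
guix_swap_stanza() {
    printf "(swap-devices '(\"%s\"))\n" "$1"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_swapfile "$SWAPFILE" "$SWAP_MIB"
    check_swapfile_mode "$SWAPFILE" || { echo "bad mode on $SWAPFILE" >&2; exit 1; }
    if swapfile_is_on_crypt "$SWAPFILE"; then
        echo "$SWAPFILE is on a dm-crypt mapping: swapped-out pages are encrypted at rest."
    else
        echo "WARNING: $SWAPFILE is NOT on a dm-crypt mapping; swap would be stored in clear." >&2
    fi
    echo "Add this line to your operating-system configuration:"
    guix_swap_stanza "$SWAPFILE"
}

# The procedure writes to disk, so it only runs when explicitly requested:
#   RUN_SWAP_SETUP=1 sudo sh swap-on-crypt.sh
if [ "${RUN_SWAP_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

The mode check is deliberately separate from creation: on a system where the swap file already existed, `create_swapfile` fixes the mode, and the check confirms nothing (an umask override, a copy) undid it. The dm-crypt check is what distinguishes "swap in a file" from "encrypted swap": the file only inherits encryption if its file system sits on a mapping such as the /dev/mapper/something-encrypted device mentioned in the reply.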