From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ellen Papsch
Subject: Re: Unencrypted boot with encrypted root
Date: Wed, 08 Apr 2020 14:37:39 +0200
Message-ID: <94dc6c0586bea6772a345b4d5f10138a576f541f.camel@wine-logistix.de>
References: <87ftdmi7pp.fsf@ambrevar.xyz>
 <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
 <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain>
 <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
 <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
 <87d08jbpcc.fsf@gnu.org>
 <87369f82x7.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Received: from eggs.gnu.org ([2001:470:142:3::10]:37194) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jM9xf-0007Uw-Jf for guix-devel@gnu.org; Wed, 08 Apr 2020 08:37:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jM9xd-0008C0-HU for guix-devel@gnu.org; Wed, 08 Apr 2020 08:37:42 -0400
In-Reply-To: <87369f82x7.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org
Sender: "Guix-devel"
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Tuesday, 07.04.2020 at 22:19 +0200, Ludovic Courtès wrote:
> Ellen Papsch writes:
>
> >
>
> Sure, but what happens when you reconfigure? You still need to have
> that file around so it can be added to the initrd.
>

Does it really have to be added to initrd? From my other reply:

> These may be dangerous waters. The key file in initrd is like a house
> key under the mattress. A malicious process could look in the well
> defined place and exfiltrate the key. Think state trojan horses. A
> random name would not suffice, because other characteristics may help
> identify the file (i.e. size).
> I think* Guix would burden itself too much with secrets. It's
> something for the user and the installer should just make it more
> convenient, with a nudge to a more secure setup. The key file should
> be stored in a user-specified location, preferably a pen drive (which
> is otherwise not used). It can be removed, so no read can occur by
> arbitrary processes. A passphrase should be added as backup.
>
> (*) as non-guru

Reconfigure would not have to touch the file at all if it were a user-supplied file name. I'm aware other files are often put in the store by references in operating-system (or inlined). The secrets file, on the other hand, should just be assumed to be there. Initrd should try to mount the drive.

Best regards