From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ellen Papsch <ellen.papsch@wine-logistix.de>
Subject: Re: Unencrypted boot with encrypted root
Date: Tue, 07 Apr 2020 13:34:24 +0200
Message-ID: <f076f4b7798567c4215bd13b4074155df89dadbc.camel@wine-logistix.de>
References: <87ftdmi7pp.fsf@ambrevar.xyz>
 <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
 <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain>
 <a96461003ce1ff51cf8a39cdb56a8685c2e2a8dd.camel@wine-logistix.de>
 <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
 <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
 <87d08jbpcc.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:53026)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ellen.papsch@wine-logistix.de>) id 1jLmUz-0006tQ-Hr
 for guix-devel@gnu.org; Tue, 07 Apr 2020 07:34:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ellen.papsch@wine-logistix.de>) id 1jLmUv-0007NK-Q5
 for guix-devel@gnu.org; Tue, 07 Apr 2020 07:34:31 -0400
In-Reply-To: <87d08jbpcc.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org
Sender: "Guix-devel"
 <guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org>
To: Ludovic =?ISO-8859-1?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

Hi,

Am Dienstag, den 07.04.2020, 11:46 +0200 schrieb Ludovic Courtès:
> Hi,
> 
> Ellen Papsch <ellen.papsch@wine-logistix.de> skribis:
> 
> > Am Samstag, den 04.04.2020, 12:18 +0200 schrieb pelzflorian
> > (Florian
> > Pelz):
> > > Could key files help in passing the passphrase on to the
> > > Linux kernel?  The Arch Wiki says this: [...]
> > > 
> > 
> > If the installer would support an external medium for the file,
> > that would be best (IMHO).
> 
> The difficulty is that any file traveling through the store is
> world-readable.  It’s hard to avoid.
> 

Does it have to go through the store? I imagine key generation would be
done by the installer, not guix system init. That would be much in the
same way that the installer creates partitions, while system init (or
reconfigure) doesn't touch partitions, only uses existing references.
In that sense, the installer would create the file from /dev/random or
urandom and place the reference in operating-system.

It would also allow manual installations to retain flexibility
configuring encryption.

Best regards