Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
From: Ludovic Courtès
To: Tomas Volf
Cc: 65002@debbugs.gnu.org
Date: Wed, 10 Jan 2024 00:21:19 +0100
Message-ID: <87il42w0sw.fsf@gnu.org>
In-Reply-To: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz> (Tomas Volf's message of "Wed, 2 Aug 2023 15:02:44 +0200")
Hello!

I know, I know, it’s taken way too long… My apologies!

Tomas Volf skribis:

> Requiring the user to input their password in order to unlock a device is not
> always reasonable, so having an option to unlock the device using a key file
> is a nice quality of life change.

Agreed; there’s interest for this feature, I’ve heard it quite a few times.

> * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> procedure

No need to repeat the file name here. Please also mention the doc/guix.texi changes.

> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> +Return a @code{luks-device-mapping} object, which defines LUKS block
> +device encryption using the @command{cryptsetup} command from the
> +package with the same name. It relies on the @code{dm-crypt} Linux
> +kernel module.
> +
> +If @code{key-file} is provided, unlocking is first attempted using that
> +key file. If it fails, password unlock is attempted as well. Key file
> +is not stored in the store and needs to be available at the specified
> +path at the time of the unlock attempt.
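Review bot: the second paragraph of the @deffn hunk should make the security consequence explicit: because the key file is kept outside the store and read at unlock time, anyone who can read that file can unlock the device, so the text should say that it must live on a file system already available when the device is opened and be readable by root only. It should also say what "If it fails" covers (key file missing versus key rejected by cryptsetup), so users know when to expect the passphrase prompt. Minor wording: "Key file is not stored" reads better as "The key file is not stored".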
s/specified path/given location/

Perhaps add a sentence or two saying that the advantage is that it allows you to avoid typing the passphrase, for instance by passing the key file on a USB key (would that work?), but that this may not be suitable for all use cases.

I’d also add a short commented config example.

I wonder if we could have a system test; it doesn’t sound very easy so maybe we’ll skip, but you can check that the “encrypted-root-os” test, which exercises ‘luks-device-mapping’, still passes (it takes time and disk space).

The rest LGTM!

Ludo’.
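As an illustration of the commented configuration example requested above, here is one added to this page; it is not code from the patch or from the Guix manual. It assumes the `luks-device-mapping-with-options` procedure and its `#:key-file` argument behave exactly as the quoted @deffn describes, and the UUID and key-file path are placeholders.

```scheme
;; Added example (not part of the patch): a LUKS-encrypted /home that is
;; unlocked with a key file, falling back to a passphrase prompt.
(use-modules (gnu)
             (gnu system mapped-devices))   ; assumed to export the new procedure

(define %encrypted-home
  (mapped-device
   ;; Placeholder LUKS container UUID; replace with the real one.
   (source (uuid "00000000-0000-0000-0000-000000000000"))
   (target "home")
   ;; The key file is NOT copied into the store: it must already exist at
   ;; this path when the device is opened at boot (here, on the root file
   ;; system) and should be readable by root only, since whoever can read
   ;; it can unlock the volume.  If the file is missing or the key is
   ;; rejected, cryptsetup falls back to asking for the passphrase.
   (type (luks-device-mapping-with-options
          #:key-file "/root/keys/home.key"))))   ; placeholder path

(define %home-file-system
  (file-system
   (device "/dev/mapper/home")      ; the mapped device's target
   (mount-point "/home")
   (type "ext4")
   ;; Ensure the device is unlocked before the file system is mounted.
   (dependencies (list %encrypted-home))))

;; Wire both into the operating-system declaration:
;;   (mapped-devices (list %encrypted-home))
;;   (file-systems (cons %home-file-system %base-file-systems))
```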