From mboxrd@z Thu Jan 1 00:00:00 1970
From: Josselin Poiret via Guix-patches
To: chayleaf, 52882@debbugs.gnu.org
Cc: chayleaf
Subject: [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems
Date: Thu, 30 Dec 2021 11:57:19 +0100
Message-ID: <87ilv6fjhs.fsf@jpoiret.xyz>
In-Reply-To: <20211229215713.1671606-1-chayleaf@pavluk.org>
References: <20211229215713.1671606-1-chayleaf@pavluk.org>
X-BeenThere: guix-patches@gnu.org
X-GNU-PR-Message: followup 52882
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
Hello,

chayleaf writes:

> From: chayleaf
>
> This is a patch that adds a new field for mapped-filesystem that allows
> one to specify the LUKS encryption key via G-Expressions.
> An example use case is using a key stored on an external device.

This is a feature that many people have on their wishlist, and it looks
like your code would do precisely that. However, I have to admit that I
am against adding this code into master for security reasons. The
open-luks-device gexp, along with the whole passphrase [1], ends up in
the boot script in the store, and the guix store is r-xr-xr-x, meaning
that any program on your computer is able to read it. This is a pretty
significant security risk that can reduce the benefits of full-disk
encryption to nothing, so having it easily available to users would
work against them. Feel free to use this patch on your local
installation though, if you understand the security risks :)

On other distros, you can simply have keyfiles and initrds root-owned
and r--------, and I think you could do something similar here, but
you'd have to keep them out of the store and load them separately. This
could be a solution, but I don't know off the top of my head how one
could implement it.

[1] The actual encryption key is stored encrypted inside the LUKS
header, which is unlocked with a passphrase, roughly.

--
Josselin Poiret
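The leak Josselin describes above (a secret baked into a gexp lands in a world-readable store item) can be checked for directly. The following is an added example, not code from the patch, from Guix, or from this message. It builds a constructed stand-in for /gnu/store in a temporary directory, with one mode-555 "boot script" that embeds a made-up passphrase and one mode-400 keyfile kept outside the store, then lists the files that are both readable by "other" and contain the secret. The directory names and the passphrase are invented; the only tools assumed are POSIX sh, find, grep and mktemp.

```shell
#!/bin/sh
# Added example, not code from the Guix patch or from this message.
# It reproduces the described leak on a constructed stand-in for /gnu/store
# and shows the check a user can run against the real store: list
# world-readable files that contain the passphrase.
# Assumes only POSIX sh plus find, grep and mktemp.

# Constructed passphrase used for the demonstration; not a real secret.
PASSPHRASE='example-luks-passphrase-do-not-use'

# find_leaked_secret DIR SECRET
# Prints every regular file under DIR whose mode grants read to "other"
# (the 0004 bit, which r-xr-xr-x store items have) and whose content
# contains SECRET as a fixed string. Returns 0 when at least one such file
# exists, 1 otherwise. On a real system: find_leaked_secret /gnu/store "$pw"
find_leaked_secret() {
    leaks=$(find "$1" -type f -perm -004 -exec grep -lF -- "$2" {} + 2>/dev/null)
    [ -n "$leaks" ] || return 1
    printf '%s\n' "$leaks"
}

# make_fixture
# Builds a constructed directory tree in a temp dir and prints its path:
#   store/abcdef-boot/boot  mode 555, contains the passphrase, standing in
#                           for a boot script a gexp has baked the secret into;
#   etc/root.key            mode 400, contains the same passphrase, standing
#                           in for a root-owned keyfile kept outside the store.
# The "abcdef" hash-like prefix is made up.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/store/abcdef-boot" "$tmp/etc"
    boot="$tmp/store/abcdef-boot/boot"
    {
        printf '#!/bin/sh\n'
        printf '# constructed boot script; the next line embeds the secret\n'
        printf 'KEY=%s\n' "$PASSPHRASE"
    } > "$boot"
    chmod 555 "$boot"
    printf '%s\n' "$PASSPHRASE" > "$tmp/etc/root.key"
    chmod 400 "$tmp/etc/root.key"
    printf '%s\n' "$tmp"
}

# demo
# Runs the check over the fixture: only the store-style file is reported,
# the mode-400 keyfile is not. Cleans up and returns the check's status.
demo() {
    dir=$(make_fixture) || return 1
    find_leaked_secret "$dir" "$PASSPHRASE"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

Against a real store the call is `find_leaked_secret /gnu/store "$passphrase"`; any path it prints is a store item that every local user and process can read. Two caveats: the check only looks at the "other" read bit, so it says nothing about what root or the owner can read, and passing the passphrase as a command-line argument exposes it in the process list while grep runs, so on a shared machine read it from a mode-400 file instead.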