From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id UOyiEeO5QGShhAAASxT56A (envelope-from ) for ; Thu, 20 Apr 2023 06:04:51 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id SDPOEOO5QGTwCQEAG6o9tA (envelope-from ) for ; Thu, 20 Apr 2023 06:04:51 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 14F302DBA3 for ; Thu, 20 Apr 2023 06:04:51 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ppLWv-0006ta-CV; Thu, 20 Apr 2023 00:04:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ppLWo-0006sz-6S; Thu, 20 Apr 2023 00:04:14 -0400 Received: from cascadia.aikidev.net ([2600:3c01:e000:267:0:a171:de7:c]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ppLWl-0005n5-RW; Thu, 20 Apr 2023 00:04:13 -0400 Received: from localhost (unknown [IPv6:2600:3c01:e000:21:7:77:0:50]) (Authenticated sender: vagrant@cascadia.debian.net) by cascadia.aikidev.net (Postfix) with ESMTPSA id 4E0151AB7E; Wed, 19 Apr 2023 21:04:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=debian.org; s=1.vagrant.user; t=1681963440; bh=muRQs+6zQ4Mv6JHrLRsZK8zHiGIHKnlwZbTve3JbrKs=; h=From:To:Subject:In-Reply-To:References:Date:From; b=R4JAKCg4+nXRefV/DHesHY5GWWjPfFEX9pDwP/AWFpOoYSTjA6NTaXXUX6b9CaxuX uajmoUzP0QigDpUBAEIVChRDiR+SFZwExRk6ViV+wPtTUY/wfoHg0fhyvMTu8hYUVl jxvfTeo+7e2kat13YuC+VoxHdggbgL4oDFf+dzpHGAE3pXxWU7wVN8YfU7rFE0vBzB ehGZZSLe43ke+e02EDUR8rC7UqLjDl8IGYZ1CPGrcYX2j43oH5N9UggLmkrVvy8gg6 0WkmyeszWxKsnmbEDsFGWdw8NYkBsAQcLQBaqoQue6jLo/M0qg7W4hByw8YtNLbjql /GNVYf2EGrODA== From: Vagrant Cascadian To: Felix Lechner , Guix Devel , help-guix Subject: Re: PSA for LUKS users In-Reply-To: References: Date: Wed, 19 Apr 2023 21:03:54 -0700 Message-ID: <87edoftd1x.fsf@wireframe> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: none client-ip=2600:3c01:e000:267:0:a171:de7:c; envelope-from=vagrant@debian.org; helo=cascadia.aikidev.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: help-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=R4JAKCg4; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=none ARC-Seal: i=1; s=key1; d=yhetil.org; t=1681963491; a=rsa-sha256; cv=none; b=TuO6PDDgjJuNoRfj9Zwy/XCF3WSxDQimjo+vMHnwk0L3Zm8tFr+24YZHTFPU6idRS4YBRL JiaXGsP1Uf93mjxL78DBgQ/j59I2t42+qKiMEVW4J3qRyqN5avifD0bLI8U7uLEsuIUL0P dsdgdZS/oZ3QN1a4xD2sQuWRo92731GOlU6rjW1QSwVhQ8/xW5TIyeTA9//gUp8pxY6VWh utAEk0uJxx7kgT7t/6V3CmoCbMkOSjpOIGLjCmhAdVVM1mTaPYk70T/7pImTDK67O0lYgg fsLfkjyFHEvO7yKl93QTL3w7U5A4XTCXCME6ql2myeX1VSqLkvSPyzUKVhGoJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1681963491; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=M80peF9HKQoe3XliVLF3sF8ufW1DtB9T9JMhgrmja34=; b=AVnl5jOtjkB3kaK2PngG8S2iGFCKtbmNLn+APC3PfO6WTNzdvOw0U/XR6WUltl88HlkN+Y 7Uj1GhjRwaZn20YjsKR56Mw8TBrGQz6F0SBEa7Vvb0unQQ1FBzYeLrMp8LprwxxapS8qww /rHFerlManeIGu7kwoqWpWXuae4msVKWwyT3BNxoWxNG7ezdV0H6A2nOBgb2R0SqqGErPi iGrIJE/Lh/X/A+YU6sGdfunX+MsYzbij3j0VXYWwFQOcKW5jNDO5Rp9BDbzi2TiMpxwqpr 7FE045UR+rsCd6fInYMmBEAupNZYIBmRLugmiLrIoEeWjYc0+6luHxhx4F9Qag== X-Migadu-Spam-Score: -12.95 X-Spam-Score: -12.95 X-Migadu-Queue-Id: 14F302DBA3 X-Migadu-Scanner: scn0.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=debian.org header.s=1.vagrant.user header.b=R4JAKCg4; spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=none X-TUID: HEJw1NF6c4G+ --=-=-= Content-Type: text/plain On 2023-04-19, Felix Lechner via wrote: > Given the broad popularity of LUKS full-disk encryption among our > fellow Guix users, I thought the community might appreciate reading > about potentially weak key-derivation functions in older LUKS > installations. [1] > > The article even offers fixes, although I cannot say whether your > system will boot after you follow the steps since I do not use LUKS > personally. Stay safe! ... > [1] https://mjg59.dreamwidth.org/66429.html In short, those instructions will almost certainly break Guix System! While recent grub2 finally has limited support for luks2, it only supports the weaker KDF (key derivation function) (PBKDF2?), as I understand it, though would be happy to be proven wrong! Because Guix System does not yet support a separate /boot partition, this means if you want "full-disk encryption" you are limited to weak KDF for the whole filesystem, instead of just a weak /boot partition (e.g. either luks1, luks2 with weaker pbkdf2, or entirely unencrypted). There is a bug about being able to use a split /boot partition: https://issues.guix.gnu.org/48172 Alternately, you could probably get a weaker encrypted rootfs (using luks1 or luks2+PBKDF) and still have a state-of-the-art luks2+argon2id partition for /home. Maybe if you were adventurous /var/guix, which might allow detecting a compromise with "guix gc" which contains the checksums of files in /gnu/store? With both the split /boot approach or the weaker rootfs with stronger /home partition, there is some risk of a (admittedly very sophisticated and still probably quite expensive) evil maid attack. https://en.wikipedia.org/wiki/Evil_maid_attack Well... fun times, folks! live well, vagrant --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZEC5qwAKCRDcUY/If5cW qv8uAQCc/AdDxNNwz8h91bwlV7akOZS3deNM6D7rp2Gk2oO1DwEApYQgNgd2s1VY GLcdDwbLwaal9Jaioz54H7ZagvITqA0= =6Mrh -----END PGP SIGNATURE----- --=-=-=--