From: Vagrant Cascadian <vagrant@debian.org>
To: Thomas Albers <tgalbers2000@gmail.com>,
Tobias Geerinckx-Rice <me@tobias.gr>
Cc: help-guix@gnu.org
Subject: Re: Typing LUKS passphrase only once and a possible solution
Date: Thu, 08 Jul 2021 10:29:29 -0700 [thread overview]
Message-ID: <87lf6gww7a.fsf@yucca> (raw)
In-Reply-To: <87eecagepa.fsf@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1575 bytes --]
On 2021-07-07, Thomas Albers wrote:
> But you are right, there doesn't seem to be
> much point in hiding the key-file. If someone has a program capable of
> reading the file and getting it out of your computer, then there is
> nothing stopping this person from accesing all of your files regardless
> of encryption.
Depends on if you're on a multi-user system where only some people have
root access or a single-user system where the only user has root access.
If the key is stored in /gnu/store, it's world-readable, whereas with
traditional unix permissions or other access controls you can at least
make the initrd and key-file read-only.
I envision a workflow where you generate the initrd in the store
(world-readable) without the key-file, and then concatenate the initrd
and a cpio archive containing the key-file to a root-only-readable file
that grub is configured to load as the initrd. (or maybe grub can load
two cpio archives and concatenate them together?)
This would allow everything except the key-file to be world-readable,
while still keeping (within the constraints of unix file permissions and
or some other access control) the key-file private.
This presumes that you still enter the passphrase manually for grub or
some other bootloader to be able to load the "private" initrd+key-file
from an encrypted partition. It does solve the problem of entering the
passphrase twice.
Another option would be to keep the keyfile on removable media, and have
the initrd read the keyfile from that...
live well,
vagrant
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
next prev parent reply other threads:[~2021-07-08 17:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 16:05 Typing LUKS passphrase only once and a possible solution Thomas Albers
2021-07-07 16:42 ` Tobias Geerinckx-Rice
2021-07-07 18:29 ` Thomas Albers
2021-07-08 17:29 ` Vagrant Cascadian [this message]
2021-07-07 18:12 ` Joshua Branson
2021-07-07 18:30 ` Wiktor Żelazny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87lf6gww7a.fsf@yucca \
--to=vagrant@debian.org \
--cc=help-guix@gnu.org \
--cc=me@tobias.gr \
--cc=tgalbers2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).