On 2021-07-07, Thomas Albers wrote:
> But you are right, there doesn't seem to be
> much point in hiding the key-file. If someone has a program capable of
> reading the file and getting it out of your computer, then there is
> nothing stopping this person from accesing all of your files regardless
> of encryption.

Depends on if you're on a multi-user system where only some people have
root access or a single-user system where the only user has root access.

If the key is stored in /gnu/store, it's world-readable, whereas with
traditional unix permissions or other access controls you can at least
make the initrd and key-file read-only.

I envision a workflow where you generate the initrd in the store
(world-readable) without the key-file, and then concatenate the initrd
and a cpio archive containing the key-file to a root-only-readable file
that grub is configured to load as the initrd. (or maybe grub can load
two cpio archives and concatenate them together?)

This would allow everything except the key-file to be world-readable,
while still keeping (within the constraints of unix file permissions and
or some other access control) the key-file private.

This presumes that you still enter the passphrase manually for grub or
some other bootloader to be able to load the "private" initrd+key-file
from an encrypted partition. It does solve the problem of entering the
passphrase twice.

Another option would be to keep the keyfile on removable media, and have
the initrd read the keyfile from that...


live well,
  vagrant