From: Vagrant Cascadian
To: Thomas Albers, Tobias Geerinckx-Rice
Cc: help-guix@gnu.org
Subject: Re: Typing LUKS passphrase only once and a possible solution
In-Reply-To: <87eecagepa.fsf@gmail.com>
References: <87k0m2gld3.fsf@gmail.com> <87zguygggj.fsf@nckx> <87eecagepa.fsf@gmail.com>
Date: Thu, 08 Jul 2021 10:29:29 -0700
Message-ID: <87lf6gww7a.fsf@yucca>

On 2021-07-07, Thomas Albers wrote:
> But you are right, there doesn't seem to be much point in hiding the
> key-file. If someone has a program capable of reading the file and
> getting it out of your computer, then there is nothing stopping this
> person from accessing all of your files regardless of encryption.

Depends on if you're on a multi-user system where only some people have
root access or a single-user system where the only user has root access.

If the key is stored in /gnu/store, it's world-readable, whereas with
traditional unix permissions or other access controls you can at least
make the initrd and key-file read-only.

I envision a workflow where you generate the initrd in the store
(world-readable) without the key-file, and then concatenate the initrd
and a cpio archive containing the key-file to a root-only-readable file
that grub is configured to load as the initrd. (or maybe grub can load
two cpio archives and concatenate them together?)

This would allow everything except the key-file to be world-readable,
while still keeping (within the constraints of unix file permissions
and/or some other access control) the key-file private.

This presumes that you still enter the passphrase manually for grub or
some other bootloader to be able to load the "private" initrd+key-file
from an encrypted partition. It does solve the problem of entering the
passphrase twice.

Another option would be to keep the keyfile on removable media, and
have the initrd read the keyfile from that...

live well,
  vagrant

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYOc1+gAKCRDcUY/If5cW
qqkAAP9eGHBYTOvSx/Y8RoImQltQxG1+nd3PGPhJWZddk4N0zwEAlyI5polHiqY6
XTxgiCwZJu0A5ecnLlXmJ+rJSk8OfAI=
=g2ne
-----END PGP SIGNATURE-----
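The workflow described in the message above, as an added example in POSIX shell (this is not code from the message, from Vagrant, or from Guix): a world-readable stand-in for the store initrd is concatenated with a small cpio archive holding the key-file into a file that only root can read, and the result is then checked. The Linux kernel unpacks a concatenation of cpio archives as one initramfs, which is what makes the two-part file work. Assumptions: the key-file name `luks.key` inside the initramfs, the output name `initrd-private.cpio`, and the GRUB paths are placeholders chosen here; the tiny newc writer stands in for `cpio -o -H newc` so the script runs where cpio is not installed. On the parenthetical question in the message: GRUB 2's `initrd` command does accept several files and concatenates them itself, so the two archives can also stay separate on disk. Either way the private file only helps if it sits on the LUKS volume that GRUB unlocks with the typed passphrase; on an unencrypted /boot it is a cleartext key on disk, whatever its mode bits.

```shell
#!/bin/sh
# Added example, not code from the original message or from Guix: build a
# root-only initrd that is the public store initrd followed by a small cpio
# archive holding the LUKS key-file, then verify the permission split.
# Runs entirely in a scratch directory with constructed stand-in files.
set -eu

# Pad with NULs until a byte count of $1 reaches the next multiple of 4.
pad4() {
  n=$(( (4 - $1 % 4) % 4 ))
  while [ "$n" -gt 0 ]; do printf '\000'; n=$(( n - 1 )); done
}

# Emit one newc ("070701") cpio record for a regular file.
# Args: name inside the initramfs, st_mode as a decimal number, source file.
# Stands in for `cpio -o -H newc` so this runs without cpio installed.
newc_file() {
  name=$1 mode=$2 src=$3
  size=$(( $(wc -c < "$src") ))
  namesize=$(( ${#name} + 1 ))     # name plus its NUL terminator
  # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
  printf '070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x' \
    1 "$mode" 0 0 1 0 "$size" 0 0 0 0 "$namesize" 0
  printf '%s\000' "$name"
  pad4 $(( 110 + namesize ))       # fixed 110-byte header, name padded to 4
  cat "$src"
  pad4 "$size"
}

# A complete one-file archive, closed with the TRAILER!!! record the kernel expects.
newc_archive() {                   # newc_archive NAME MODE SRC > archive
  newc_file "$1" "$2" "$3"
  newc_file 'TRAILER!!!' 0 /dev/null
}

# The step from the message: public initrd + private key archive -> one file that
# only root can read. The old output is removed first and umask makes the new one
# 0600 from its first byte; the chmod is belt and braces.
build_private_initrd() {           # build_private_initrd STORE_INITRD KEYFILE OUT
  rm -f "$3"
  (
    umask 077
    {
      cat "$1"                                   # world-readable part, unchanged
      newc_archive luks.key $((0x8180)) "$2"    # 0100600: hypothetical key path
    } > "$3"
  )
  chmod 0600 "$3"
}

# Verify the split: mode 0600, the public initrd is a byte-exact prefix, and the
# key material appears in the private file but not in the public one.
check_private_initrd() {           # check_private_initrd STORE_INITRD KEYFILE OUT
  mode=$(stat -c %a "$3" 2>/dev/null || stat -f %Lp "$3")
  [ "$mode" = 600 ] || return 1
  head -c "$(( $(wc -c < "$1") ))" "$3" | cmp -s - "$1" || return 1
  grep -aqF -- "$(cat "$2")" "$3" || return 1
  ! grep -aqF -- "$(cat "$2")" "$1"
}

# GRUB side (hypothetical paths). GRUB 2's `initrd` command also accepts several
# files and concatenates them itself, so the two archives could stay separate as
# long as both live on the LUKS volume GRUB has already unlocked.
grub_initrd_lines() {
  printf '%s\n' 'initrd /boot/initrd-private.cpio' \
                '# or: initrd /gnu/store/...-raw-initrd/initrd /boot/luks-key.cpio'
}

# Stand-ins constructed for this demo: a tiny "store" initrd holding only /init,
# and a 256-bit key hex-encoded so the grep checks above stay simple. A real key
# would be raw bytes, e.g. `head -c 64 /dev/urandom > luks.key` under umask 077.
demo() {
  work=$(mktemp -d)
  printf 'init script placeholder\n' > "$work/init"
  newc_archive init $((0x81ed)) "$work/init" > "$work/store-initrd.cpio"   # 0100755
  chmod 0644 "$work/store-initrd.cpio"                 # as in /gnu/store: world-readable
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/luks.key"
  build_private_initrd "$work/store-initrd.cpio" "$work/luks.key" "$work/initrd-private.cpio"
  status=0
  check_private_initrd "$work/store-initrd.cpio" "$work/luks.key" "$work/initrd-private.cpio" || status=$?
  rm -rf "$work"
  return "$status"
}

if demo; then echo 'ok: public prefix intact, key readable by root only'; else echo 'check failed' >&2; exit 1; fi
```

Run it as any user to see the checks pass on the constructed files; in a real deployment the `build_private_initrd` step runs as root against the actual store initrd and a raw-byte key, and the output path goes into the `initrd` line of the GRUB configuration on the encrypted /boot.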