From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: I installed GuixSD on my laptop
Date: Mon, 05 Jun 2017 21:48:10 +0200
Message-ID: <87o9u2cj2d.fsf@gnu.org>
To: someone@selfhosted.xyz
Cc: help-guix@gnu.org

Hi,

someone@selfhosted.xyz skribis:

> Someone might have better suggestions but until then here's my
> thoughts on it:
>
> There's some step-by-step instructions for setting up a grub-password
> and then setting a path to a luks keyfile in grub on a system using
> Libreboot and Parabola here:
> https://wiki.selfhosted.xyz/doku.php?id=it:computer_setup:encrypted_parabola_installation_guide#boot_configuration
>
> This could possibly be adapted to GuixSD. In short the steps involved
> (without setting up grub's password authentication) are:
>
> -generate key and add to your luksdrive
>   dd bs=512 count=4 if=/dev/urandom of=/etc/my_cryptkey iflag=fullblock
>   cryptsetup luksAddKey /dev/sda1 /etc/my_cryptkey
> -Regenerate initramfs (using the mkinitcpio bash-script)
>   zile /etc/mkinitcpio.conf
>   FILES="/etc/my_cryptkey"
>   mkinitcpio -p linux-libre (or linux-libre-lts or linux-libre-grsec or all of them)
> -Then add a configuration line to your grub config's default
> menu-entry on the linux-line:
>   linux /boot .... cryptkey=rootfs:/etc/my_cryptkey
>
> For details on setting up the password etc see the link above.

Adding the cryptsetup passphrase in a file in the initrd is doable (with
the initrd living on the encrypted file system).  Sounds like a good
idea that we could implement in GuixSD (although care must be taken not
to store the passphrase file in the store.)

Thanks,
Ludo’.
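
The caveat above about keeping the key file out of the store, as an added example that is not part of the original message or of Guix: a shell check to run on the key file before it is embedded in the initrd. `check_keyfile`, `STORE_DIR` and `MIN_KEY_BYTES` are names chosen here; `/gnu/store` is Guix's default store location, and the 2048-byte minimum is an assumption derived from the quoted `dd bs=512 count=4` step.

```shell
#!/bin/sh
# Added example: audit a LUKS key file before it goes into the initrd.
# STORE_DIR and MIN_KEY_BYTES are names chosen for this sketch.
STORE_DIR="${STORE_DIR:-/gnu/store}"    # Guix store: readable by every local user
MIN_KEY_BYTES="${MIN_KEY_BYTES:-2048}"  # dd bs=512 count=4 yields 2048 bytes

# check_keyfile PATH: prints one line per finding, returns the number of findings.
check_keyfile() {
    path=$1
    findings=0
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    # Resolve symlinks first: /etc/my_cryptkey could point into the store.
    real=$(readlink -f -- "$path")
    if [ ! -f "$real" ]; then
        echo "not a regular file: $real"
        return 1
    fi
    case "$real" in
        "$STORE_DIR"/*)
            echo "in store: $real is world-readable there"
            findings=$((findings + 1)) ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$real" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions too open: $real"
        findings=$((findings + 1))
    fi
    size=$(wc -c < "$real" | tr -d ' ')
    if [ "$size" -lt "$MIN_KEY_BYTES" ]; then
        echo "short key: $size bytes (expected >= $MIN_KEY_BYTES)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then check_keyfile "$1"; fi
```

A zero exit status means no finding; run it as a user who can read the key file (normally root), for example on `/etc/my_cryptkey`.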