From mboxrd@z Thu Jan 1 00:00:00 1970
From: Danny Milosavljevic
Subject: GuixSD encrypted root?
Date: Mon, 18 Apr 2016 23:05:58 +0200
Message-ID: <20160418230558.11a1c86f@scratchpost.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
List-Id: "Development of GNU Guix and the GNU System distribution."
Sender: "Guix-devel"
To: guix-devel@gnu.org

Hi,

with the latest luks-related commits in guix I figured it's time to try disk encryption again (after updating guix from git).

I added a mapped-devices section to my config and then did guix reconfigure ... which made it hang at

making '/gnu/store/5df8pzbsbk2pn2s99hj8r6kb45smy3dv-system' the current system...

The problem is reproducible every time.

If I use cryptsetup manually it works (I created a btrfs filesystem on it and mounted it - worked fine).

I tried to patch gnu/system/mapped-devices.scm to pass additional arguments but that didn't do anything either (I can see guix's cryptsetup running when I do "ps -ef", and it didn't receive the new arguments).

And I have a conceptual question: there are many different ways for cryptsetup to get the key and/or passphrase. How do I configure this? What does it do when I said nothing of the key location or type or passphrase input method?

Also, I think the best way to have encrypted home is to have the login manager / PAM module unlock your personal encrypted home since these have your password in transit and it doesn't need to be stored anywhere on disk - also it will only be asked once the user actually tries to log in. (Ubuntu also does it like that and it seems to work fine for them.)

The global mapped-devices config is useful for whole-disk encryption - where the boot process then has to ask for the passphrase on the console early every time you boot or communicate with some security dongle or the BIOS or whatever - from the initrd.

I know that Jookia et al did a lot of work on this already - but what's the status of full disk encryption (on libreboot)?