From: Ellen Papsch
Subject: Re: Unencrypted boot with encrypted root
Date: Mon, 06 Apr 2020 14:00:04 +0200
Message-ID: <4610a9147fa041ebb47f184a2d3f7878a8a2539c.camel@wine-logistix.de>
In-Reply-To: <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
References: <87ftdmi7pp.fsf@ambrevar.xyz> <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de> <20200403194423.m3pvz654qslug7g3@pelzflorian.localdomain> <20200404101832.cmegsybfyrseazjq@pelzflorian.localdomain>
To: "pelzflorian (Florian Pelz)"
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Saturday, 04.04.2020, 12:18 +0200, pelzflorian (Florian Pelz) wrote:
> Could key files help in passing the passphrase on to the
> Linux kernel? The Arch Wiki says this: [...]

The key file would be another means of decrypting the master key, if I
understand LUKS correctly. It would be independent of the passphrase.
(In LUKS terminology, two slots are used.) It would definitely help
usability not having to enter a passphrase twice.

The GUI/TUI installer should take care of generating the file and
ensuring strict permissions, so user processes cannot read it. There is
still some risk, because root processes could read it. If the installer
supported an external medium for the file, that would be best (IMHO).

Best regards
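The two-slot arrangement described in the message above, as an added example that is not part of the thread or of Guix: a key file is generated with owner-only permissions and enrolled with cryptsetup as a second key slot beside the existing passphrase, then checked to open the volume on its own. The device path /dev/sda2 and the key file path /root/luks.key are assumptions for illustration; the cryptsetup steps need root and an existing LUKS volume, while the key file generation and permission check run anywhere.

```shell
#!/bin/sh
# Added example, not code from the guix-devel thread or from Guix.
# Creates a LUKS key file with owner-only permissions and enrols it in a
# second key slot next to the existing passphrase (two slots, as the
# message says). Assumed for illustration: /dev/sda2 is an existing LUKS
# volume and the cryptsetup steps run as root.
set -eu

# Write 4096 random bytes to the key file. umask 077 makes the file
# 0600 at creation, so there is no window in which it is group- or
# world-readable; chmod then narrows it to read-only for the owner.
make_keyfile() {
    keyfile=$1
    ( umask 077; head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
}

# Return 0 only if no group/other permission bits are set on the file
# (i.e. ordinary user processes cannot read it; root still can).
check_keyfile_mode() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Enrol the key file as an additional key slot. cryptsetup prompts once
# for an existing passphrase to authorise the addition; afterwards the
# passphrase slot and the key file slot are independent of each other.
enrol_keyfile() {
    dev=$1
    keyfile=$2
    cryptsetup luksAddKey "$dev" "$keyfile"
    # The dump should now list two key slots in use.
    cryptsetup luksDump "$dev"
}

# Verify that the key file alone unlocks the volume, without mapping it.
test_keyfile_opens() {
    dev=$1
    keyfile=$2
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
}

# Usage: sh luks-keyfile.sh /dev/sda2 /root/luks.key   (as root)
if [ "$#" -ge 2 ]; then
    make_keyfile "$2"
    check_keyfile_mode "$2" || { echo "key file permissions too open" >&2; exit 1; }
    enrol_keyfile "$1" "$2"
    test_keyfile_opens "$1" "$2" && echo "key file unlocks $1"
fi
```

The permission check only addresses the point made in the message about user processes; anything running as root, or anyone who can read the medium the key file is stored on, can use it to unlock the volume just as the passphrase would, so where the file lives matters as much as its mode.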