Detached LUKS header

Detached LUKS header

[elaexuotee]

Installing GuixSD for the first time. On a ThinkPad T400s, to boot!

Anyway, is there a straightforward way to configure a mapping device for LUKS
with a detached header? Otherwise, what's the best way to go about passing
command line options to the initrd cryptsetup call?

For a little context, I like my drive to look just like random data to a third
party; however, the precence of a LUKS header pretty much defeats plausible
deniability of hosting encrypted data. Thus, detached headers.

To that end, with my current non-guix setup, I have /boot and grub sitting on
an external drive, with dracut shoving the LUKS header in the initrd. Then
crypttab references said header, so the initrd cryptsetup call Just Works TM.

If there is a better way to go about setting up a "random noise" drive, I
certainly am open to hearing suggestions! At the end of the day, I am just
looking for a way to have such a drive under GuixSD.

I haven't found anything in the manual, but if I am just missing something
obvious, then forgive the spam.

Cheers!

Re: Detached LUKS header

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 2049 bytes --]

elaexuotee@wilsonb.com writes:

> Anyway, is there a straightforward way to configure a mapping device for LUKS
> with a detached header? Otherwise, what's the best way to go about passing
> command line options to the initrd cryptsetup call?
>
> For a little context, I like my drive to look just like random data to a third
> party; however, the precence of a LUKS header pretty much defeats plausible
> deniability of hosting encrypted data. Thus, detached headers.
>
> To that end, with my current non-guix setup, I have /boot and grub sitting on
> an external drive, with dracut shoving the LUKS header in the initrd. Then
> crypttab references said header, so the initrd cryptsetup call Just Works TM.

I'm not sure.  On your non-Guix setup, the crypttab exists in the
initrd, right?  And that initrd exists in the /boot directory on the
external drive, right?

Have you looked into how you can customize the initrd in Guix?  It's
described in the "Initial RAM Disk" section of the manual:

https://guix.gnu.org/manual/en/html_node/Initial-RAM-Disk.html#Initial-RAM-Disk

If I understand your non-Guix configuration right, it sounds like you
put the initrd on the external drive.  Guix normally installs the initrd
into the store, and then adds to the Grub configuration file a reference
to the initrd in the store, like this:

menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
  search --label --set root
  linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
  initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
}

So, it might be a little tricky to convince Guix to do the right thing
for your use case.  Also, I think Grub has the ability to read LUKS
volumes, but I'm not sure how to configure it.

If you figure out a configuration that works, please do share it!
Hopefully something in my email is helpful to you.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Detached LUKS header

[elaexuotee]

[-- Attachment #1: Type: text/plain, Size: 2783 bytes --]

Chris Marusich <cmmarusich@gmail.com> wrote:

> I'm not sure.  On your non-Guix setup, the crypttab exists in the
> initrd, right?  And that initrd exists in the /boot directory on the
> external drive, right?

Yes. Specifically, I am using dracut to generate the initrd and I believe it is
the crypt module that copies crypttab into the cpio. Similary, dracut.conf
ensures the initrd also contains the luks header file.

> Have you looked into how you can customize the initrd in Guix?

Beautiful. That URL you shared gives me a good starting place. Thank you.

> If you figure out a configuration that works, please do share it!

I sure will! Thank you for taking the time to share your thoughts.

> elaexuotee@wilsonb.com writes:
>
> > Anyway, is there a straightforward way to configure a mapping device for LUKS
> > with a detached header? Otherwise, what's the best way to go about passing
> > command line options to the initrd cryptsetup call?
> >
> > For a little context, I like my drive to look just like random data to a third
> > party; however, the precence of a LUKS header pretty much defeats plausible
> > deniability of hosting encrypted data. Thus, detached headers.
> >
> > To that end, with my current non-guix setup, I have /boot and grub sitting on
> > an external drive, with dracut shoving the LUKS header in the initrd. Then
> > crypttab references said header, so the initrd cryptsetup call Just Works TM.
>
> I'm not sure.  On your non-Guix setup, the crypttab exists in the
> initrd, right?  And that initrd exists in the /boot directory on the
> external drive, right?
>
> Have you looked into how you can customize the initrd in Guix?  It's
> described in the "Initial RAM Disk" section of the manual:
>
> https://guix.gnu.org/manual/en/html_node/Initial-RAM-Disk.html#Initial-RAM-Disk
>
> If I understand your non-Guix configuration right, it sounds like you
> put the initrd on the external drive.  Guix normally installs the initrd
> into the store, and then adds to the Grub configuration file a reference
> to the initrd in the store, like this:
>
> menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
>   search --label --set root
>   linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
>   initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
> }
>
> So, it might be a little tricky to convince Guix to do the right thing
> for your use case.  Also, I think Grub has the ability to read LUKS
> volumes, but I'm not sure how to configure it.
>
> If you figure out a configuration that works, please do share it!
> Hopefully something in my email is helpful to you.
>
> -- 
> Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-encrypted, Size: 248 bytes --]

Re: Detached LUKS header

[elaexuotee]

[-- Attachment #1: Type: text/plain, Size: 2134 bytes --]

Nerd away!

It is indeed a nifty setup. Unfortunately, I can't point you at a manual, as
it's a self-baked solution. I actually ended up patching dracut to get the
whole thing working. Happily, upstream merged the patch, so in principle anyone
should be able to recreate my current setup. Unfortunately, however, I believe
the only documentation is the code itself, as is common with dracut.

Anyway, just in case you are insterested, here is an overview of the salient
moving pieces in my current setup:

0) Create LUKS volume with detached header;

This is easiest when setting up a new volume; just read about the --header
option in the cryptsetup(8) manpage. You can actually convert a traditional
LUKS volume to a headerless one by copying the header to a file and then
erasing the 512 bytes at the offset on your drive where it resides, using dd or
whatever.

1) Install GRUB on your USB;

This is probably self-explanatory.

2) Make sure your grub.cfg and every path it references is on said USB;

In my particular setup, just keeping /boot on the drive is enough.

3) Setup your initrd.

This is the trickiest part. There are two parts:

  a) Get your LUKS header (and key) file into the initrd; and
  b) Configure cryptsetup in initrd to use the detached header (and key.

My current distro (Void Linux) uses dracut, so the above boil down to editing
/etc/dracut.conf for a) and /etc/crypttab for b).

That said, in retrospect, I believe a better way might be to use GRUB's native
ability to decrypt LUKS volumes. This would let us keep /boot in the encrypted
drive, so the USB only contains GRUB, grub.cfg, the LUKS headers, and possibly
a LUKS key.

Anyway, if any of the above was unclear, certainly don't hesitate to ask.

Cheers!

Joshua Branson <jbranso@dismail.de> wrote:

>
> I hope you don't mind my nerdy awe, but dang bro!  That sounds like an
> awesome setup!  What manual did you follow on your other distro to set
> up your computer like this?  I've never thought about having my grub and
> /boot on an external usb or drive...but that is pretty interesting!
>
> -- 
> Joshua Branson
> Sent from Emacs and Gnus

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-encrypted, Size: 248 bytes --]