From: david larsson <david.larsson@selfhosted.xyz>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: Guix-patches
	<guix-patches-bounces+david.larsson=selfhosted.xyz@gnu.org>,
	49654@debbugs.gnu.org, Sarah Morgensen <iskarian@mgsn.dev>,
	jbranso@dismail.de, rg@raghavgururajan.name
Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Date: Thu, 12 Aug 2021 10:59:06 +0200	[thread overview]
Message-ID: <6d41fe0ff317cf845f90591250988f5b@selfhosted.xyz> (raw)
In-Reply-To: <878s17hywu.fsf@gnu.org>

On 2021-08-12 10:04, Ludovic Courtès wrote:
> Hello!
> 
> jbranso@dismail.de skribis:
> 
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
> 
> [...]
> 
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>> 
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>> 
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that.  Perhaps those
>> "libreboot specific encryption commands" need not be in the official manual?
> 
> Oh, right.  Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support?  Would that
> make sense?
> 
>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> two similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>> 
>> I'm game for that.  I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation.  I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too.  :)
> 
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.
> 
> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it’s so much more convenient.
> 
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ?  I feel like the majority of guix users
>> do not use libreboot, so an encrypted / is not an option for most of them.
> 
> Why is it not an option?  I use encrypted root without Libreboot and the
> installer offers that option.

Hi!

I'm happy to see this added to the cookbook.

Just to clarify: with libreboot you can have the *entire* root partition
encrypted without a separate boot partition (with /boot mounted under
the encrypted root) - i.e. an actually fully encrypted disk (save the
luks headers). So this is why you need to carefully set up the grub.cfg
that's in libreboot's ROM (assuming you use Grub as payload) to use
something like: cryptomount -a ; configfile
(crypto0)/boot/grub/grub.cfg, so that you point to Guix's continuously
updated version of grub.cfg inside the encrypted partition.

If you want to have /boot on an encrypted partition without using
libreboot, you need to pack crypttools or whatever (cryptomount command)
into the initrd, which is generated with guile code. Guix currently doesn't
offer such options, to my knowledge.

Related note: there have also been discussions in Grub dev mailing lists
about adding the option to specify luks headers in grub.cfg which would
allow for actual full disk encryption of internal drives
(indistinguishable from a random-wiped disk), and then you could probably
accomplish this by mounting /boot in your config.scm from an external USB.
This would also be a nice thing to add to the cookbook IMO (when that
feature is available in Grub).
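As an added example, not taken from this thread and not Libreboot's or Guix's own shipped configuration, here is what a cryptomount-based menu entry in the Libreboot GRUB payload's grub.cfg could look like. It assumes a single LUKS container on the internal disk holding the Guix root with /boot inside it; the timeout, the entry title and the `set root='crypto0'` step are my assumptions, and `crypto0` is simply GRUB's handle for the first container it unlocks.

```grub
# Added example of a menu entry for the GRUB payload flashed in the
# Libreboot ROM (assumed layout, not from the thread or from Libreboot).
# Assumes: the internal disk is one LUKS container holding the Guix
# root filesystem, with /boot living inside that encrypted root.
set timeout=10
set default=0

menuentry 'Guix System (LUKS root, /boot inside the encrypted partition)' {
    # Prompt for the passphrase and open every LUKS container GRUB can
    # see. GRUB releases before 2.06 open LUKS1 only; 2.06 adds LUKS2,
    # but only with PBKDF2 key derivation (Argon2 is not supported).
    cryptomount -a
    # The unlocked container is exposed as (crypto0). Hand control to the
    # grub.cfg that `guix system reconfigure` regenerates inside the
    # encrypted partition, so this static ROM entry never has to know
    # about system generations, kernels or initrd paths.
    set root='crypto0'
    configfile /boot/grub/grub.cfg
}
```

Two checks worth doing after `guix system reconfigure`: confirm that `/boot/grub/grub.cfg` on the encrypted root lists the new generation (the ROM entry only ever delegates to it), and remember that the LUKS header itself stays in cleartext on the disk, as the message above notes, so this layout hides the contents but not the fact that a LUKS volume exists. GRUB's passphrase prompt uses the US keymap unless a different one is loaded with its `keymap` command, which matters for passphrases containing layout-dependent characters.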
Thread overview: 11+ messages
2021-07-20  5:22 [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook Joshua Branson via Guix-patches via
2021-07-20 10:41 ` Giovanni Biscuolo
2021-07-20 18:15   ` Joshua Branson via Guix-patches via
2021-07-21 12:16     ` Giovanni Biscuolo
2021-07-21 22:50 ` Sarah Morgensen
2021-07-22 19:16 ` jbranso--- via Guix-patches via
2021-08-11 14:17   ` Ludovic Courtès
2021-08-12  1:48   ` jbranso--- via Guix-patches via
2021-08-12  8:04     ` Ludovic Courtès
2021-08-12  8:59       ` david larsson [this message]
2021-08-12  8:41     ` jbranso--- via Guix-patches via