Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: david larsson
To: Ludovic Courtès
Cc: Guix-patches, 49654@debbugs.gnu.org, Sarah Morgensen, jbranso@dismail.de, rg@raghavgururajan.name
Date: Thu, 12 Aug 2021 10:59:06 +0200
In-Reply-To: <878s17hywu.fsf@gnu.org>
Message-ID: <6d41fe0ff317cf845f90591250988f5b@selfhosted.xyz>
On 2021-08-12 10:04, Ludovic Courtès wrote:
> Hello!
>
> jbranso@dismail.de skribis:
>
>> August 11, 2021 10:17 AM, "Ludovic Courtès" wrote:
>
> [...]
>
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>>
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>>
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that. Perhaps those
>> "libreboot specific encryption commands" need not be in the official
>> manual?
>
> Oh, right. Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support? Would that
> make sense?
>
>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> two similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>>
>> I'm game for that. I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation. I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too. :)
>
> If you could pinpoint specific things that are missing or too vague in
> that section, that'd be great.
>
> Of course we don't want to explain too much in there because that'd be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it's so much more convenient.
>
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ? I feel like the majority of guix users
>> do not use libreboot, so an encrypted / is not an option for most of
>> them.
>
> Why is it not an option? I use encrypted root without Libreboot and the
> installer offers that option.

Hi! I'm happy to see this added to the cookbook.

Just to clarify: with libreboot you can have the *entire* root partition encrypted without a separate boot partition (with /boot mounted under the encrypted root), i.e. an actually fully encrypted disk (save the LUKS headers). So this is why you need to carefully set up the grub.cfg that's in libreboot's ROM (assuming you use Grub as payload) to use something like: cryptomount -a ; configfile (crypto0)/boot/grub/grub.cfg, so that you point to Guix's continuously updated version of grub.cfg inside the encrypted partition.

If you want to have /boot on an encrypted partition without using libreboot, you need to pack crypttools or whatever (cryptomount command) into the initrd, which is generated with Guile code. Guix currently doesn't offer such options, to my knowledge.

Related note: there have also been discussions on the Grub dev mailing lists about adding the option to specify LUKS headers in grub.cfg, which would allow for actual full disk encryption of internal drives (indistinguishable from a randomly wiped disk), and then you could probably accomplish this by mounting /boot in your config.scm from an external USB. This would also be a nice thing to add to the cookbook IMO (when that feature is available in Grub).
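For readers following the "cryptomount -a ; configfile ..." hand-over described above, here is an example payload grub.cfg for the libreboot ROM. This is an added illustration, not part of the patch, the cookbook, or the libreboot or Guix projects; it assumes GRUB is the payload, the internal disk is a single LUKS volume that GRUB exposes as (crypto0), and Guix keeps /boot inside that volume.

```grub
# Example libreboot payload grub.cfg (added illustration; not from the
# patch or from the libreboot/Guix projects).
# Assumptions: GRUB payload, one LUKS volume seen by GRUB as (crypto0),
# Guix's /boot lives inside it, so nothing but the LUKS header is in clear.
set default=0
set timeout=5

menuentry 'Guix System (unlock LUKS root, load Guix grub.cfg)' {
    # Prompt for the passphrase and unlock every LUKS volume GRUB can see.
    # GRUB itself lives in flash, so no unencrypted /boot partition is needed.
    cryptomount -a

    # Hand over to the grub.cfg that Guix regenerates on every
    # `guix system reconfigure`, so new generations and kernels show up
    # without ever touching the ROM image again.
    configfile (crypto0)/boot/grub/grub.cfg

    # Reached only if the unlock failed or the file could not be read
    # (wrong passphrase, wrong device, or /boot not on the LUKS volume).
    echo 'Could not unlock the root volume or read its grub.cfg.'
    sleep 5
}
```

If the disk holds more than one LUKS volume, `cryptomount -u <uuid>` (with the UUID from the LUKS header) instead of `-a` keeps GRUB from prompting for volumes that are not needed to boot.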