Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: Giovanni Biscuolo
To: Joshua Branson
Cc: 49654@debbugs.gnu.org, rg@raghavgururajan.name
List: guix-patches@gnu.org
Organization: Xelera.eu
Date: Wed, 21 Jul 2021 14:16:13 +0200
Message-ID: <87k0ljj20i.fsf@xelera.eu>
In-Reply-To: <87eebsvokg.fsf@dismail.de>
References: <20210720052229.15438-1-jbranso@dismail.de> <87pmvdi7xa.fsf@xelera.eu> <87eebsvokg.fsf@dismail.de>
Hi Joshua

Joshua Branson writes:

[...]

>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
>> (with subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?

Do you mean: does grub support booting from encrypted BTRFS? The answer
is yes.

WARNING: I've (still) not tried myself to boot Guix System using an
encrypted BTRFS (sub)volume but I'm pretty confident that Guix is
configuring grub with the needed modules (luks and btrfs)

[...]

>> I'm still using LVM on some "legacy" systems but for new installations
>> I'd strongly suggest starting using BTRFS on top of "physical"
>> partitions.
>
> does the btrfs volume manager allow us to use ext4, jfs, or xfs
> filesystems?

No: BTRFS is a volume manager and a filesystem "all in one", you cannot
create a BTRFS subvolume and format it with another filesystem

> Or does LVM do that?

LVM is "just" a volume manager with no idea about the overlaying
filesystem

[...]

>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
>
> Ok...maybe we could use ext4 for the swap file? Is there a better
> filesystem? Again does btrfs volume management allow the swap file to
> be ext4?

No, as explained above

> Or do we have to use LVM?

If we use a dedicated partition for swap there is no need to set up an
LVM volume (physical, VG and then logical): we can just create a
dedicated partition during partitioning, encrypt it with LUKS and
"mkswap" it (e.g. mkswap /dev/mapper/)

[...]

>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program

There's no need to format (mkfs.ext4) the partition with ext4, just
"mkswap" it :-)

> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...

You have to encrypt it like any other partition, e.g.:

--8<---------------cut here---------------start------------->8---
Encrypt the swap partition. Follow the prompts.

@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
--verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/
@end example

Obtain and note down the UUID of the LUKS partition.

@example
cryptsetup --verbose luksUUID /dev/
@end example

Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
and @code{crypt_swap01} is any desired name for the decrypted swap
partition.

@example
cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01
@end example

Format the encrypted swap

@example
mkswap /dev/mapper/crypt_swap01
@end example
--8<---------------cut here---------------end--------------->8---

Then, in our (operating-system) declaration, we have to use something
like this:

--8<---------------cut here---------------start------------->8---
(mapped-devices
  (list (mapped-device
         (source (uuid "LUKS-UUID"))
         (target "partname")
         (type luks-device-mapping))
        ;; This is our new encrypted swap partition
        (mapped-device
         (source (uuid "SWAP-LUKS-UUID"))
         (target "crypt_swap01")
         (type luks-device-mapping))
        (mapped-device
         (source "vgname")
         (targets (list "vgname-lvnameroot" "vgname-lvnamehome"))
         (type lvm-device-mapping))))

(swap-devices (list "/dev/mapper/crypt_swap01"))
--8<---------------cut here---------------end--------------->8---

WARNING: please consider I've not tested this code.

>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no! I hadn't thought about that! grrr!

Actually what I said is NOT true... or better: we could avoid the
(third) password prompt for the swap partition if we _add_ a keyfile to
the LUKS encrypted swap partition _and_ we have a mechanism to
"luksOpen" that mapped volume using that keyfile.

I'm not aware of such a mechanism on Guix Systems, in Debian (et al)
this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the
option to specify a keyfile.

So, as far as this cookbook section is concerned, unfortunately when
using a dedicated encrypted swap partition an additional passphrase
prompt will be presented to the user at each boot.

> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.

No, still not. AFAIU also still not available in Guix.

> What about instead of using a swap file we use zram?

Never used zram and I don't know if it's supported (I mean configured by
(operating-system)) on Guix System

[...]

Sorry, I have more issues than answers on these topics; nevertheless I
hope it somehow helps.

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
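The encrypted-swap procedure in the message above has two points where a practitioner wants a check rather than trust: reading the UUID that goes into the `(mapped-device (source (uuid ...)))` form, and making sure `mkswap` is run on `/dev/mapper/crypt_swap01` and never on the raw partition, since `mkswap` on the raw device overwrites the LUKS header. The following is an added example, not code from the thread, from the Guix cookbook or from cryptsetup: a small offline reader for the LUKS on-disk header that returns the same UUID `cryptsetup luksUUID` prints and refuses a device that already carries a LUKS header. It goes beyond the thread in handling both LUKS1 (what the quoted `luksFormat` command produces on older cryptsetup) and LUKS2 (the current default). Field offsets are taken from the published LUKS1 and LUKS2 on-disk format specifications; the two `build_luks*_header` functions produce constructed, metadata-only sample headers for testing (key slots, digest and the LUKS2 JSON area are zero-filled, so cryptsetup could not unlock them), and the script name `luks_hdr.py` is hypothetical.

```python
"""Offline reader for the on-disk LUKS header (LUKS1 and LUKS2).

Added example, not code from the guix-patches thread or from Guix.
It reads the fields `cryptsetup luksDump` / `cryptsetup luksUUID` print,
which helps at two points of the encrypted-swap procedure:

  * getting the UUID for the (mapped-device (source (uuid ...))) form
    without a copy/paste error, and
  * refusing `mkswap` on a device that already carries a LUKS header
    (typing `mkswap /dev/sdX2` instead of `mkswap /dev/mapper/crypt_swap01`
    overwrites the header and makes the volume unrecoverable).

Offsets below come from the LUKS1 and LUKS2 on-disk format specs:
  0   magic "LUKS\\xba\\xbe"      6   u16 BE version (1 or 2)
  LUKS1: 8 cipher-name[32]  40 cipher-mode[32]  72 hash-spec[32]
         104 u32 payload-offset (512-byte sectors)  108 u32 key-bytes
  LUKS2: 8 u64 hdr-size  16 u64 seqid  24 label[48]  72 csum-alg[32]
  both:  168 uuid[40]  (NUL-terminated ASCII)
"""
import struct
import uuid as uuidlib
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER_BYTES = 4096  # covers the binary header of either version


def _cstr(b: bytes) -> str:
    """Decode a NUL-terminated fixed-width ASCII field."""
    return b.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(raw: bytes) -> Optional[dict]:
    """Describe a LUKS header, or return None if `raw` is not LUKS1/LUKS2."""
    if len(raw) < 208 or raw[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", raw, 6)[0]
    info = {"version": version, "uuid": _cstr(raw[168:208])}
    if version == 1:
        payload_offset, key_bytes = struct.unpack_from(">II", raw, 104)
        info.update(cipher=f"{_cstr(raw[8:40])}-{_cstr(raw[40:72])}",
                    hash=_cstr(raw[72:104]), key_bits=key_bytes * 8,
                    payload_offset_sectors=payload_offset)
    elif version == 2:
        hdr_size, seqid = struct.unpack_from(">QQ", raw, 8)
        info.update(header_size=hdr_size, seqid=seqid,
                    label=_cstr(raw[24:72]), checksum_alg=_cstr(raw[72:104]))
    else:
        return None  # unknown version: not a LUKS layout we understand
    return info


def luks_uuid(path: str) -> Optional[str]:
    """Equivalent of `cryptsetup luksUUID <path>`, without cryptsetup."""
    with open(path, "rb") as f:
        hdr = parse_luks_header(f.read(HEADER_BYTES))
    return hdr["uuid"] if hdr else None


def safe_to_mkswap(path: str) -> bool:
    """True only if `path` does NOT start with a LUKS header."""
    return luks_uuid(path) is None


# Constructed sample headers (metadata only: key slots, digest and the
# LUKS2 JSON area are zero-filled, so cryptsetup could not unlock them).

def build_luks1_header(dev_uuid: str, cipher="serpent", mode="xts-plain64",
                       hash_spec="whirlpool", key_bytes=64) -> bytes:
    """LUKS1 header with the parameters of the quoted luksFormat command."""
    hdr = bytearray(HEADER_BYTES)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)  # 2 MiB payload offset
    hdr[168:168 + len(dev_uuid)] = dev_uuid.encode()
    return bytes(hdr)


def build_luks2_header(dev_uuid: str, label="crypt_swap01") -> bytes:
    """LUKS2 binary header (what a current cryptsetup writes by default)."""
    hdr = bytearray(HEADER_BYTES)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)
    struct.pack_into(">QQ", hdr, 8, 16384, 1)  # 16 KiB header area, seqid 1
    hdr[24:24 + len(label)] = label.encode()
    hdr[72:78] = b"sha256"
    hdr[168:168 + len(dev_uuid)] = dev_uuid.encode()
    return bytes(hdr)


if __name__ == "__main__":
    import os, sys, tempfile
    if len(sys.argv) > 1:  # real use (needs read access): python3 luks_hdr.py /dev/sdX2
        with open(sys.argv[1], "rb") as dev:
            print(parse_luks_header(dev.read(HEADER_BYTES)))
        sys.exit(0)
    u = str(uuidlib.uuid4())  # stand-in for a real device UUID
    for build in (build_luks1_header, build_luks2_header):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(build(u))
        print(luks_uuid(f.name), safe_to_mkswap(f.name), parse_luks_header(build(u)))
        os.unlink(f.name)
```

Run it against the raw partition before `mkswap`: `safe_to_mkswap` is false there and true for `/dev/mapper/crypt_swap01` (whose first bytes are plaintext, not a header), which is exactly the distinction the procedure depends on. Reading the header also shows that cipher, hash and key size are stored in the clear, so the parameters chosen with `luksFormat` are visible to anyone holding the disk.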