On 2021-07-07, Thomas Albers wrote: > But you are right, there doesn't seem to be > much point in hiding the key-file. If someone has a program capable of > reading the file and getting it out of your computer, then there is > nothing stopping this person from accesing all of your files regardless > of encryption. Depends on if you're on a multi-user system where only some people have root access or a single-user system where the only user has root access. If the key is stored in /gnu/store, it's world-readable, whereas with traditional unix permissions or other access controls you can at least make the initrd and key-file read-only. I envision a workflow where you generate the initrd in the store (world-readable) without the key-file, and then concatenate the initrd and a cpio archive containing the key-file to a root-only-readable file that grub is configured to load as the initrd. (or maybe grub can load two cpio archives and concatenate them together?) This would allow everything except the key-file to be world-readable, while still keeping (within the constraints of unix file permissions and or some other access control) the key-file private. This presumes that you still enter the passphrase manually for grub or some other bootloader to be able to load the "private" initrd+key-file from an encrypted partition. It does solve the problem of entering the passphrase twice. Another option would be to keep the keyfile on removable media, and have the initrd read the keyfile from that... live well, vagrant