GuixSD encrypted root?
From: Danny Milosavljevic
Subject: GuixSD encrypted root?
Date: Mon, 18 Apr 2016 23:05:58 +0200
Hi,
with the latest luks-related commits in guix I figured it's time to try disk
encryption again (after updating guix from git).
I added a mapped-devices section to my config and then did guix reconfigure ...
which made it hang at
making '/gnu/store/5df8pzbsbk2pn2s99hj8r6kb45smy3dv-system' the current system...
The problem is reproducible every time. If I use cryptsetup manually it works
(I created a btrfs filesystem on it and mounted it - worked fine).
I tried to patch gnu/system/mapped-devices.scm to pass additional arguments but
that didn't do anything either (I can see guix's cryptsetup running when I do
"ps -ef", and it didn't receive the new arguments).
And I have a conceptual question: there are many different ways for cryptsetup
to get the key and/or passphrase. How do I configure this? What does it do when
I said nothing of the key location or type or passphrase input method?
Also, I think the best way to have an encrypted home is to have the login manager
/ PAM module unlock your personal encrypted home, since these have your password
in transit, so it doesn't need to be stored anywhere on disk; also, it will
only be asked for once the user actually tries to log in. (Ubuntu also does it like
that and it seems to work fine for them.)
The global mapped-devices config is useful for whole-disk encryption - where
the boot process then has to ask for the passphrase on the console early every
time you boot or communicate with some security dongle or the BIOS or whatever
- from the initrd.
I know that Jookia et al did a lot of work on this already - but what's the
status of full disk encryption (on libreboot)?
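The mapped-devices configuration the message refers to, written out as a complete operating-system declaration. This is an added example, not code from the original message or from Guix itself. It assumes the LUKS container is /dev/sda2, that it is opened as /dev/mapper/my-root, that the file system inside it is btrfs (as in the message), and that GRUB goes to /dev/sda; the field names follow the Guix configuration interface of the period (2016), so the bootloader form in particular may differ on newer Guix.

```scheme
;; Added example (not from the original message or from Guix). Assumptions:
;; LUKS container on /dev/sda2, opened as /dev/mapper/my-root, btrfs root
;; inside it, GRUB installed to /dev/sda, 2016-era Guix field names.
(use-modules (gnu))

(operating-system
  (host-name "luksbox")
  (timezone "Europe/Berlin")
  (locale "en_US.utf8")
  (bootloader (grub-configuration (device "/dev/sda")))

  ;; luks-device-mapping makes the initrd run 'cryptsetup open' on the source
  ;; device before the root file system is mounted; cryptsetup then asks for
  ;; the passphrase on the console. No key file is declared here.
  (mapped-devices
   (list (mapped-device
          (source "/dev/sda2")          ; assumed LUKS container
          (target "my-root")            ; becomes /dev/mapper/my-root
          (type luks-device-mapping))))

  (file-systems
   (cons (file-system
           (device "/dev/mapper/my-root")
           (mount-point "/")
           (type "btrfs")
           ;; Declares that the mapping must be set up before this mount.
           (dependencies mapped-devices))
         %base-file-systems))

  (users (cons (user-account
                (name "danny")          ; assumed user name
                (group "users")
                (supplementary-groups '("wheel" "audio" "video"))
                (home-directory "/home/danny"))
               %base-user-accounts))

  (services %base-services))
```

Save this as config.scm and apply it with `guix system reconfigure config.scm`. The `dependencies` field is what ties the root mount to the mapping: without it, nothing orders the mount after the `cryptsetup open` step.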