guix-devel

Re: Unencrypted boot with encrypted root


From: Ellen Papsch
Subject: Re: Unencrypted boot with encrypted root
Date: Tue, 07 Apr 2020 13:34:24 +0200
User-agent: Evolution 3.34.1 (by Flathub.org)

Hi,

On Tuesday, 07.04.2020 at 11:46 +0200, Ludovic Courtès wrote:
> Hi,
> 
> Ellen Papsch <address@hidden> writes:
> 
> > On Saturday, 04.04.2020 at 12:18 +0200, pelzflorian (Florian
> > Pelz) wrote:
> > > Could key files help in passing the passphrase on to the
> > > Linux kernel?  The Arch Wiki says this: [...]
> > > 
> > 
> > If the installer would support an external medium for the file,
> > that would be best (IMHO).
> 
> The difficulty is that any file traveling through the store is
> world-readable.  It’s hard to avoid.
> 

Does it have to go through the store? I imagine key generation would be
done by the installer, not guix system init. That would be much in the
same way that the installer creates partitions, while system init (or
reconfigure) doesn't touch partitions, only uses existing references.
In that sense, the installer would create the file from /dev/random or
urandom and place the reference in operating-system.

It would also allow manual installations to retain flexibility
configuring encryption.

Best regards



