Re: Unencrypted boot with encrypted root
From: Vagrant Cascadian
Subject: Re: Unencrypted boot with encrypted root
Date: Tue, 07 Apr 2020 09:47:19 -0700

On 2020-04-07, Alex Griffin wrote:
> On Tue, Apr 7, 2020, at 9:46 AM, Ludovic Courtès wrote:
>> The difficulty is that any file traveling through the store is
>> world-readable. It’s hard to avoid.
>
> If we can create the key file outside of the store, then GRUB is capable of
> being passed multiple initrds. So we can put the key in its own initrd
> (outside of the store), continue to generate the normal initrd in /gnu/store,
> and pass both of them to GRUB. The key never enters the store in any way.
>
> The result is that the user only needs to enter a password into GRUB, because
> GRUB then passes the key file to the kernel.

I believe it's also possible for grub to provide the key
derived/decrypted from the passphrase entered at run-time, obviating the
need for a separate key entirely. I don't have details on how to do
this, but I *think* that's what recent Debian installs do... it
certainly would simplify key slot management issues.

live well,
vagrant
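
An added sketch of the arrangement Alex Griffin describes in the quoted text above (not code from the thread or from Guix): it writes the key into its own newc cpio archive with owner-only permissions, refuses any path under /gnu/store, and builds a GRUB `initrd` line naming both archives. The member name `root.key`, the output path and the `<hash>` store path are placeholders chosen for illustration.

```python
import os

STORE = "/gnu/store"  # world-readable, as noted in the thread

def newc_entry(name: str, data: bytes, mode: int) -> bytes:
    """One member of a 'newc' cpio archive, the format the kernel unpacks as initramfs."""
    namez = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check: each written as 8 hex digits.
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(namez), 0]
    head = b"070701" + b"".join(b"%08X" % f for f in fields) + namez
    head += b"\0" * (-len(head) % 4)               # header+name padded to 4 bytes
    return head + data + b"\0" * (-len(data) % 4)  # data padded to 4 bytes

def build_key_initrd(key: bytes, out_path: str, name: str = "root.key") -> str:
    """Write a key-only initrd outside the store, never readable by group/other."""
    real = os.path.realpath(out_path)
    if real == STORE or real.startswith(STORE + "/"):
        raise ValueError("refusing to write key material into " + STORE)
    archive = newc_entry(name, key, 0o100400) + newc_entry("TRAILER!!!", b"", 0)
    # O_EXCL + mode 0600: the file is private from the moment it is created,
    # and an existing file with looser permissions is never reused.
    fd = os.open(real, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(archive)
    return real

def grub_initrd_line(store_initrd: str, key_initrd: str) -> str:
    """GRUB's initrd command takes several files; the kernel unpacks each in turn."""
    return "initrd " + store_initrd + " " + key_initrd

if __name__ == "__main__":
    import secrets, tempfile
    out = os.path.join(tempfile.mkdtemp(), "key-initrd.cpio")  # constructed path
    build_key_initrd(secrets.token_bytes(64), out)             # constructed key
    # Placeholder store path; the real one is generated by the system build.
    print(grub_initrd_line("/gnu/store/<hash>-initrd/initrd.cpio.gz", out))
```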