guix-devel

Re: Unencrypted boot with encrypted root


From: Vagrant Cascadian
Subject: Re: Unencrypted boot with encrypted root
Date: Tue, 07 Apr 2020 09:47:19 -0700

On 2020-04-07, Alex Griffin wrote:
> On Tue, Apr 7, 2020, at 9:46 AM, Ludovic Courtès wrote:
>> The difficulty is that any file traveling through the store is
>> world-readable.  It’s hard to avoid.
>
> If we can create the key file outside of the store, then GRUB is capable of 
> being passed multiple initrds. So we can put the key in its own initrd 
> (outside of the store), continue to generate the normal initrd in /gnu/store, 
> and pass both of them to GRUB. The key never enters the store in any way.
>
> The result is that the user only needs to enter a password into GRUB, because 
> GRUB then passes the key file to the kernel.

I believe it's also possible for grub to provide the key
derived/decrypted from the passphrase entered at run-time, obviating the
need for a separate key entirely. I don't have details on how to do
this, but I *think* that's what recent Debian installs do... it
certainly would simplify key slot management issues.


live well,
  vagrant
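
Added example (not part of the thread, and not Guix or GRUB code): a sketch of the separate key initrd described in the quoted proposal. It builds a cpio "newc" archive holding only the key, outside the store and never world-readable. The entry name root.key and any output path are assumptions.

```python
import os
import secrets

def _entry(name: str, mode: int, data: bytes, ino: int) -> bytes:
    """One cpio 'newc' record: 110-byte ASCII header, name, data; 4-byte padded."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    head = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    head += b"\0" * (-len(head) % 4)
    return head + data + b"\0" * (-len(data) % 4)

def build_key_initrd(key: bytes, name: str = "root.key") -> bytes:
    """Archive with a single root-owned, mode 0400 key file (name is hypothetical)."""
    archive = _entry(name, 0o100400, key, ino=1)
    archive += _entry("TRAILER!!!", 0, b"", ino=0)
    return archive + b"\0" * (-len(archive) % 512)

def write_private(path: str, blob: bytes) -> None:
    """Create the file with mode 0600 from the start; refuse to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)

def list_entries(archive: bytes):
    """Parse the archive back into (name, mode, data) tuples to check what it ships."""
    out, off = [], 0
    while True:
        if archive[off:off + 6] != b"070701":
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(archive[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, nsize = f[1], f[6], f[11]
        name = archive[off + 110: off + 110 + nsize - 1].decode()
        off += 110 + nsize
        off += -off % 4
        if name == "TRAILER!!!":
            return out
        out.append((name, mode, archive[off:off + size]))
        off += size
        off += -off % 4

if __name__ == "__main__":
    blob = build_key_initrd(secrets.token_bytes(64))  # constructed sample key
    for name, mode, data in list_entries(blob):
        print(name, oct(mode), len(data), "bytes")
```

The resulting file would be listed after the store-built initrd on GRUB's initrd line, and the same key would still have to be enrolled in a key slot of the encrypted volume.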
