Re: Unencrypted boot with encrypted root
From: Ellen Papsch
Subject: Re: Unencrypted boot with encrypted root
Date: Wed, 08 Apr 2020 14:37:39 +0200
User-agent: Evolution 3.34.1 (by Flathub.org)
On Tuesday, 07.04.2020, at 22:19 +0200, Ludovic Courtès wrote:
> Ellen Papsch <address@hidden> wrote:
>
>
> Sure, but what happens when you reconfigure? You still need to have
> that file around so it can be added to the initrd.
>
Does it really have to be added to initrd? From my other reply:
> These may be dangerous waters. The key file in initrd is like a house
> key under the mattress. A malicious process could look in the well
> defined place and exfiltrate the key. Think state trojan horses. A
> random name would not suffice, because other characteristics may help
> identify the file (i.e. size).
> I think* Guix would burden itself too much with secrets. It's
> something for the user and the installer should just make it more
> convenient, with a nudge to a more secure setup. The key file should
> be stored in a user specified location, preferably a pen drive (which
> is otherwise not used). It can be removed, so no read can occur by
> arbitrary processes. A passphrase should be added as backup.
>
> (*) as non-guru
reconfigure would not have to touch the file at all, if it were a
user-supplied file name. I'm aware other files are often put in the store by
references in operating-system (or inlined). The secrets file on the
other hand should just be assumed to be there. Initrd should try to
mount the drive.
Best regards
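
The point in the quoted reply that a random file name does not hide a key file, written as an audit over an unpacked initrd tree. This is an added example, not part of the original message or of Guix; the function names, size list, entropy threshold and sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed thresholds for this example; tune them to your own setup.
KEY_SIZES = {32, 64, 128, 256, 512, 1024, 2048, 4096, 8192}  # typical key file sizes (bytes)
MIN_RATIO = 0.85  # share of the maximum entropy reachable at that size

def entropy_ratio(data: bytes) -> float:
    """Shannon entropy of data divided by the maximum possible for its length."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))

def find_key_like_files(root: str) -> list[str]:
    """Return paths (relative to root) whose size and randomness match a key file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) not in KEY_SIZES:
                continue
            with open(path, "rb") as fh:
                if entropy_ratio(fh.read()) >= MIN_RATIO:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo() -> list[str]:
    """Build a constructed stand-in for an unpacked initrd and audit it."""
    # Constructed sample data: 4096 deterministic pseudo-random bytes, not a real key.
    fake_key = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "etc/x7Qp2vLm": fake_key,                     # key-like content, random name
        "etc/notes.conf": b"0123456789abcde\n" * 256,  # key-sized (4096) but plain text
        "init": b"#!/bin/sh\nexec /sbin/init\n",       # not key-sized
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_key_like_files(root)

if __name__ == "__main__":
    print(demo())
```

Compressed files of a matching size also score as random, so hits are candidates to review rather than confirmed key files.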