Re: I installed GuixSD on my laptop

[Ludovic Courtès]

Hi,

address@hidden skribis:

> Someone might have better suggestions but until then here's my
> thoughts on it:
>
> There's some step-by-step instructions for setting up a grub-password
> and then setting a path to a luks keyfile in grub on a system using
> Libreboot and Parabola here:
> https://wiki.selfhosted.xyz/doku.php?id=it:computer_setup:encrypted_parabola_installation_guide#boot_configuration
>
> This could possibly be adapted to GuixSD. In short the steps involved
> (without setting up grub's password authentication) are:
>
> -generate key and add to your luksdrive
>   dd bs=512 count=4 if=/dev/urandom of=/etc/my_cryptkey iflag=fullblock
>   cryptsetup luksAddKey /dev/sda1 /etc/my_cryptkey
> -Regenerate initramfs (using the mkinitcpio bash-script)
>   zile /etc/mkinitcpio.conf
>   FILES="/etc/my_cryptkey"
>   mkinitcpio -p linux-libre (or linux-libre-lts or linux-libre-grsec or all 
> of them)
> -Then add a configuration line to your grub config's default
> menu-entry on the linux-line:
>   linux /boot .... cryptkey=rootfs:/etc/my_cryptkey
>
> For details on setting up the password etc see the link above.

Adding the cryptsetup passphrase in a file in the initrd is doable (with
the initrd living on the encrypted file system).  Sounds like a good
idea that we could implement in GuixSD (although care must be taken not
to store the passphrase file in the store.)

Thanks,
Ludo’.