From: Taylan Kammer <taylanbayirli@HIDDEN>
To: bug-guix@HIDDEN
Subject: [wishlist] Support LUKS key-files in initramfs
Date: Wed, 04 Jul 2018 21:45:19 +0200

It would be neat if guix supported creating an initramfs that contains
LUKS key-files and decrypts partitions with those.

Consider the following simple drive and partition setup:

/dev/sda: Has GRUB installed
/dev/sda1: Contains LUKS partition, meant to be mounted on / (root)
/dev/sda2: Contains LUKS partition, meant to be mounted on /home

Without key-files, the boot process goes like this:

1. GRUB asks for the key for /dev/sda1 (key prompt 1)
2. The GRUB menu appears and lets you select the system to boot
3. The initramfs is loaded and starts doing its job
4. The initramfs asks for the key for /dev/sda1 (key prompt 2)
5. The initramfs(?) asks for the key for /dev/sda2 (key prompt 3)
6. The system continues and finishes booting

(I'm not sure if in step #5 it's still the initramfs that asks for the
key for sda2, or whether the initramfs is done after mounting sda1 and
switching root to it.)

This means the user has to enter a password three times, and two of the
times it's the same password.

If the initramfs contained key-files for the two partitions and were
able to use them instead of prompting the user, then the user would only
need to enter a key for GRUB, and further decryptions would happen
automatically.

(The initramfs itself resides on sda1, so the key-files are safe.)

Taylan

bug#32054; Package guix.