GNU bug report logs - #32054
[wishlist] Support LUKS key-files in initramfs


Package: guix

Reported by: Taylan Kammer <taylanbayirli <at> gmail.com>

Date: Wed, 4 Jul 2018 17:46:01 UTC

Owned by: Jakub Kądziołka <kuba <at> kadziolka.net>

Severity: wishlist

Merged with 38924

To reply to this bug, email your comments to 32054 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#32054; Package guix. (Wed, 04 Jul 2018 17:46:01 GMT)

Acknowledgement sent to Taylan Kammer <taylanbayirli <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 04 Jul 2018 17:46:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Taylan Kammer <taylanbayirli <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: [wishlist] Support LUKS key-files in initramfs
Date: Wed, 04 Jul 2018 21:45:19 +0200

It would be neat if guix supported creating an initramfs that contains
LUKS key-files and decrypts partitions with those.

Consider the following simple drive and partition setup:

    /dev/sda: Has GRUB installed
    /dev/sda1: Contains LUKS partition, meant to be mounted on / (root)
    /dev/sda2: Contains LUKS partition, meant to be mounted on /home

Without key-files, the boot process goes like this:

1. GRUB asks for the key for /dev/sda1 (key prompt 1)
2. The GRUB menu appears and lets you select the system to boot
3. The initramfs is loaded and starts doing its job
4. The initramfs asks for the key for /dev/sda1 (key prompt 2)
5. The initramfs(?) asks for the key for /dev/sda2 (key prompt 3)
6. The system continues and finishes booting

(I'm not sure if in step #5 it's still the initramfs that asks for the
key for sda2, or whether the initramfs is done after mounting sda1 and
switching root to it.)

This means the user has to enter a password three times, and two of the
times it's the same password.

If the initramfs contained key-files for the two partitions and were
able to use them instead of prompting the user, then the user would only
need to enter a key for GRUB, and further decryptions would happen
automatically.  (The initramfs itself resides on sda1, so the key-files
are safe.)


Taylan
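
Added example, not part of the original report: the message's safety argument rests on the initramfs being stored on the encrypted root. The Python check below tests that condition, plus file permissions, against constructed `lsblk --json -o NAME,TYPE,MOUNTPOINT` output; the mapper names, the unencrypted `sda3` on `/boot` (added for contrast) and the initramfs paths are assumptions.

```python
import json
import stat

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` for the layout
# in the report. Mapper names are assumptions; sda3 (/boot, unencrypted) is
# not in the report and is added only to show the failing case.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "crypthome", "type": "crypt", "mountpoint": "/home"}]},
    {"name": "sda3", "type": "part", "mountpoint": "/boot"}]}
]}
""")

def mounts(devices, encrypted=False):
    """Yield (mountpoint, under_crypt) for every mounted node in the tree."""
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], enc
        yield from mounts(dev.get("children") or [], enc)

def on_encrypted_fs(path, lsblk):
    """True if the longest mount point containing path sits on a crypt device."""
    best, best_enc = "", False
    for mnt, enc in mounts(lsblk["blockdevices"]):
        prefix = mnt.rstrip("/") + "/"
        if (path + "/").startswith(prefix) and len(mnt) > len(best):
            best, best_enc = mnt, enc
    return best_enc

def audit(path, mode, lsblk):
    """Return findings for an initramfs at path (st_mode = mode) holding key-files."""
    findings = []
    if not on_encrypted_fs(path, lsblk):
        findings.append("initramfs is stored outside any LUKS mapping")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("initramfs is readable by non-root users")
    return findings

if __name__ == "__main__":
    # Hypothetical initramfs locations, not paths taken from the report.
    for p, m in [("/initrd-keys.cpio.gz", 0o100600), ("/boot/initrd-keys.cpio.gz", 0o100644)]:
        print(p, audit(p, m, SAMPLE_LSBLK) or "ok")
```

On a real system, pass the parsed output of the `lsblk` command above and `os.stat(path).st_mode` for the initramfs file.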




Merged 32054 38924. Request was from Tobias Geerinckx-Rice <me <at> tobias.gr> to control <at> debbugs.gnu.org. (Sat, 04 Jan 2020 20:02:01 GMT)

Owner recorded as Jakub Kądziołka <kuba <at> kadziolka.net>. Request was from Jakub Kądziołka <kuba <at> kadziolka.net> to control <at> debbugs.gnu.org. (Tue, 14 Jan 2020 00:03:02 GMT)

This bug report was last modified 5 years and 195 days ago.
