GNU bug report logs - #52882
[PATCH] gnu: system: Add crypt-key field for mapped filesystems

Package: guix-patches;

Reported by: chayleaf <chayleaf <at> pavluk.org>

Date: Wed, 29 Dec 2021 22:15:01 UTC

Severity: normal

Tags: patch

Message #8 received at 52882 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: chayleaf <chayleaf <at> pavluk.org>, 52882 <at> debbugs.gnu.org
Cc: chayleaf <chayleaf <at> pavluk.org>, chayleaf <chayleaf <at> protonmail.com>
Subject: Re: [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems
Date: Thu, 30 Dec 2021 11:57:19 +0100
Hello,

chayleaf <chayleaf <at> pavluk.org> writes:

> From: chayleaf <chayleaf <at> protonmail.com>
>
> This is a patch that adds a new field for mapped-filesystem that allows
> one to specify the LUKS encryption key via G-Expressions.
> An example use case is using a key stored on an external device.

This is a feature that many people have on their wishlist, and it looks
like your code would do precisely that; however, I have to admit that I
am against adding this code into master for security reasons.

The open-luks-device gexp, along with the whole passphrase [1], ends up
in the boot script in the store, and the guix store is r-xr-xr-x,
meaning that any program on your computer is able to read it.

This is a pretty significant security risk that can reduce the benefits
of full-disk encryption to nothing, so having it easily available to
users would work against them.  Feel free to use this patch on your
local installation though, if you understand the security risks :)

On other distros, you can simply have keyfiles and initrds root-owned
and r--------, and I think you could do something similar here, but
you'd have to keep them out of the store and load them separately.  This
could be a solution, but I don't know off the top of my head how one
could implement it.

[1] the actual encryption key is stored encrypted inside the LUKS
header, which is unlocked with a passphrase, roughly.

-- 
Josselin Poiret
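The following audit helper is an added example, not part of the patch or of Guix: it finds files that are readable by "other" users (as store items are) and reports any that contain a given secret, so one can verify that a passphrase has not leaked into a world-readable boot script. The store path, file names and the passphrase value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Guix code): report files under DIR that are
# world-readable and contain SECRET.  Returns 0 if none, 1 otherwise.
audit_world_readable_secret() {
    dir=$1
    secret=$2
    # -perm -004: the "other" read bit is set, as for r-xr-xr-x store items.
    # grep -lF lists matching files without interpreting SECRET as a regex.
    hits=$(find "$dir" -type f -perm -004 -exec grep -lF -- "$secret" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'world-readable file contains secret:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed scenario under a temporary directory and print its path:
#   store/...-boot   a stand-in for a boot script that embeds the passphrase (0555)
#   etc/keys/root.key  a stand-in for a key kept out of the store, root-only (0400)
make_demo() {
    passphrase=$1
    root=$(mktemp -d)
    mkdir -p "$root/store/placeholder-boot" "$root/etc/keys"
    # Constructed boot script; the passphrase is baked in as the patch would do.
    printf '#!/bin/sh\npassphrase="%s"\n' "$passphrase" > "$root/store/placeholder-boot/boot"
    chmod 0555 "$root/store/placeholder-boot/boot"
    # Constructed keyfile outside the store, readable by its owner only.
    printf '%s\n' "$passphrase" > "$root/etc/keys/root.key"
    chmod 0400 "$root/etc/keys/root.key"
    printf '%s\n' "$root"
}

# Run the audit against both locations of the constructed scenario.
run_demo() {
    pass='PLACEHOLDER-PASSPHRASE'
    root=$(make_demo "$pass")
    echo "checking store:"
    audit_world_readable_secret "$root/store" "$pass" || echo "=> leak detected"
    echo "checking keyfile directory:"
    audit_world_readable_secret "$root/etc" "$pass" && echo "=> no world-readable leak"
    rm -rf "$root"
}
```

Running `run_demo` flags the constructed boot script but not the 0400 keyfile, which is the distinction the message draws between a key embedded in the store and one kept outside it.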
