GNU bug report logs - #65002
[PATCH 0/2] Add support for unlocking root device via a key file

Previous Next

Full log

Message #31 received at 65002 <at> debbugs.gnu.org (full text, mbox):

From: Tomas Volf <~@wolfsden.cz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 65002 <at> debbugs.gnu.org
Subject: Re: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a
 key file
Date: Thu, 11 Jan 2024 13:39:35 +0100

[Message part 1 (text/plain, inline)]

On 2024-01-10 00:21:19 +0100, Ludovic Courtès wrote:
> Hello!
> 
> I know, I know, it’s taken way too long… My apologies!

No worries, thank you for getting to it. :)
> 
> > * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> > procedure
> 
> No need to repeat the file name here.  Please also mention the
> doc/guix.texi changes.

Adjusted.  I also fixed the name of the first procedure (should have been
open-luks-device).

> 
> > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> > +Return a @code{luks-device-mapping} object, which defines LUKS block
> > +device encryption using the @command{cryptsetup} command from the
> > +package with the same name.  It relies on the @code{dm-crypt} Linux
> > +kernel module.
> > +
> > +If @code{key-file} is provided, unlocking is first attempted using that
> > +key file.  If it fails, password unlock is attempted as well.  Key file
> > +is not stored in the store and needs to be available at the specified
> > +path at the time of the unlock attempt.
> 
> s/specified path/given location/
> 
> Perhaps add a sentence or two saying that the advantage is that it
> allows you to avoid typing the passphrase, for instance by passing the
> key file on a USB key (would that work?), but that this may not be
> suitable for all use cases.

Added a sentence. As for the USB key, that would not currently work.  The file
needs to be accessible to the init script, so the USB would need to be mounted
first.  I believe extending the code to support it would not be hard (adding
e.g. #:device to luks-device-mapping-with-options), but I have not use for it,
so I did not intend to do it in this series.  Maybe later.

> 
> I’d also add a short commented config example.

Done.

> 
> I wonder if we could have a system test; it doesn’t sound very easy so
> maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> which exercises ‘luks-device-mapping’, still passes (it takes time and
> disk space).

It does not pass, but it fails even on master ¯\_ (ツ)_/¯:

    guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt

It seems somewhat hard to do it based on encrypted-root-os, but should be much
easier basing it on encrypted-home-os.  I might give it a try.

> 
> The rest LGTM!
> 
> Ludo’.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.