GNU bug report logs - #72889
Support for root filesystem on btrfs raid1 on two LUKS devices

Previous Next

Full log

View this message in rfc822 format

From: "amano.kenji" <amano.kenji <at> proton.me>
To: "72889 <at> debbugs.gnu.org" <72889 <at> debbugs.gnu.org>
Subject: bug#72889: I thought of a possible way to do this.
Date: Tue, 10 Sep 2024 13:14:38 +0000

- /dev/sda

/dev/sda1: A tiny LUKS partition that's filled with the content of a keyfile without any filesystem format.
/dev/sda2: /boot for grub. It also serves as FAT32 EFI partition.

- /dev/sdb

/dev/sdb1: /gnu/store on btrfs raid1
/dev/sdb2: / on btrfs raid1 on LUKS

- /dev/sdc

/dev/sdc1: /gnu/store on btrfs raid1
/dev/sdc2: / on btrfs raid1 on LUKS

Open /dev/sda1 as a luke device, /dev/mapper/key, with one password. It contains a keyfile without any filesystem format. Use /dev/mapper/key as a keyfile for all other LUKS devices in mapped devices.

This exposes /gnu/store, but /gnu/store is not supposed to have any sensitive data. This obviously makes it practically impossible to detect physical tempering of data, but if you store it at a secure location, you don't have to worry too much about evil maid attack.

RAID1 for physically secure servers is enough to ensure some availability when a disk fails.

For laptops that you carry, you are not going to use btrfs raid1, and you can just have unencrypted /boot on fat32 and / on btrfs on luks. extra-initrd contains a keyfile for / so that I don't have to type the password twice.

A desktop computer doesn't require server-level availability, but people who have money can still put root on encrypted btrfs raid1.

Perhaps, can this be documented in the cook book?

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.