
[bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook


From: david larsson
Subject: [bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
Date: Thu, 12 Aug 2021 10:59:06 +0200

On 2021-08-12 10:04, Ludovic Courtès wrote:
> Hello!
>
> jbranso@dismail.de skribis:
>
>> August 11, 2021 10:17 AM, "Ludovic Courtès" <ludo@gnu.org> wrote:
>>
>>> [...]
>>>
>>> My main question would be: what do you think is not covered in the
>>> “Manual Installation” section?
>>>
>>> That section covers full disk encryption and other things you propose,
>>> such as partitioning, downloading the ISO, authenticating it, changing
>>> the keyboard layout, etc.
>>
>> I think that libreboot does not currently support the latest version of
>> encryption...or only supports LVM v1....something like that. Perhaps
>> those "libreboot specific encryption commands" need not be in the
>> official manual?
>
> Oh, right.  Perhaps there could be a subsubsection next to “Disk
> Partitioning” & co. specifically about LibreBoot support?  Would that
> make sense?
>
>>> From a maintenance perspective, it does not seem reasonable to maintain
>>> two similar pieces of documentation on these matters. From a user
>>> perspective, it could be confusing or downright deceiving if one of
>>> these two documents is out of date or erroneous.
>>
>> I'm game for that. I personally find the "Manual Installation" section
>> slightly too terse...I've successfully installed guix encrypted before,
>> but I had to use the graphical installation.  I have a hard time
>> comprehending how to manually install an encrypted guix, but I also just
>> have a very hard time understanding new guix things too.  :)
>
> If you could pinpoint specific things that are missing or too vague in
> that section, that’d be great.
>
> Of course we don’t want to explain too much in there because that’d be
> too much work, so this section assumes familiarity with GNU/Linux; and
> overall, we want to encourage users, both newbies and seasoned GNU/Linux
> users, to use the installer, because it’s so much more convenient.
>
>> Perhaps, if the manual does not have it, we could provide an example
>> config of an encrypted /home ?  I feel like the majority of guix users
>> do not use libreboot, so an encrypted / is not an option for most of them.
>
> Why is it not an option? I use encrypted root without Libreboot and the
> installer offers that option.

Hi!

I'm happy to see this added to the cookbook.

Just to clarify: with libreboot you can have the *entire* root partition encrypted without a separate boot partition (with /boot mounted under the encrypted root) - i.e. an actually fully encrypted disk (save the LUKS headers). So this is why you need to carefully set up the grub.cfg that's in libreboot's ROM (assuming you use Grub as payload) to use something like: cryptomount -a ; configfile (crypto0)/boot/grub/grub.cfg, so that you point to Guix's continuously updated version of grub.cfg inside the encrypted partition.

If you want to have /boot on an encrypted partition without using libreboot, you need to pack crypttools or whatever (cryptomount command) into the initrd, which is generated with guile code. Guix currently doesn't offer such options to my knowledge.

Related note: there have also been discussions in Grub dev mailing lists about adding the option to specify LUKS headers in grub.cfg, which would allow for actual full disk encryption of internal drives (indistinguishable from a random-wiped disk), and then you could probably accomplish this by mounting /boot in your config.scm from an external USB. This would also be a nice thing to add to the cookbook IMO (when that feature is available in Grub).
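As an added illustration (not part of the thread, and not code from the Guix project or the patch under discussion): a minimal config.scm for the layout described above, where the root file system lives on a LUKS volume with /boot as a plain directory inside it, and libreboot's GRUB in ROM does the `cryptomount -a; configfile (crypto0)/boot/grub/grub.cfg` step. Host name, user name, the /dev/sda target and the UUID are placeholders to be replaced with your own values.

```scheme
;; Added example config.scm: Guix System on a fully encrypted root
;; (no separate /boot), unlocked first by the firmware GRUB (libreboot
;; ROM grub.cfg) and then again by the Guix initrd.  All names, the
;; device and the UUID below are placeholders.
(use-modules (gnu))
(use-service-modules desktop)

(operating-system
  (host-name "fde-example")                 ; placeholder
  (timezone "Europe/Stockholm")
  (locale "en_US.utf8")
  ;; The layout also applies to the LUKS passphrase prompt in the initrd.
  (keyboard-layout (keyboard-layout "us"))

  ;; Guix keeps generating /boot/grub/grub.cfg on every reconfigure;
  ;; that is the file libreboot's GRUB reads with "configfile".  The
  ;; GRUB image written to the MBR is unused when booting from ROM.
  (bootloader
   (bootloader-configuration
    (bootloader grub-bootloader)
    (targets '("/dev/sda"))))               ; placeholder device

  ;; The LUKS volume holding "/".  Linux opens it independently of the
  ;; firmware GRUB, so the passphrase is asked for a second time at boot.
  (mapped-devices
   (list (mapped-device
          (source (uuid "00000000-0000-0000-0000-000000000000")) ; placeholder
          (target "cryptroot")
          (type luks-device-mapping))))

  ;; No /boot file system is declared: kernel, initrd and grub.cfg all
  ;; sit inside the encrypted root, so only the LUKS header is in clear.
  (file-systems
   (cons (file-system
           (mount-point "/")
           (device "/dev/mapper/cryptroot")
           (type "ext4")
           (dependencies mapped-devices))
         %base-file-systems))

  (users (cons (user-account
                (name "alice")                   ; placeholder
                (group "users")
                (supplementary-groups '("wheel" "netdev")))
               %base-user-accounts))

  (services %desktop-services))
```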
