guix-patches

[bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesyst


From: Josselin Poiret
Subject: [bug#52882] [PATCH] gnu: system: Add crypt-key field for mapped filesystems
Date: Thu, 30 Dec 2021 11:57:19 +0100

Hello,

chayleaf <chayleaf@pavluk.org> writes:

> From: chayleaf <chayleaf@protonmail.com>
>
> This is a patch that adds a new field for mapped-filesystem that allows
> one to specify the LUKS encryption key via G-Expressions.
> An example use case is using a key stored on an external device.

This is a feature that many people have on their wishlist, and it looks
like your code would do precisely that. However, I have to admit that I
am against adding this code into master for security reasons.

The open-luks-device gexp, along with the whole passphrase [1], end up
in the boot script in the store, and the guix store is r-xr-xr-x,
meaning that any program on your computer is able to read it.

This is a pretty significant security risk that can reduce the benefits
of full-disk encryption to nothing, so having it easily available to
users would work against them.  Feel free to use this patch on your
local installation though, if you understand the security risks :)

On other distros, you can simply have keyfiles and initrds root-owned
and r--------, and I think you could do something similar here, but
you'd have to keep them out of the store and load them separately.  This
could be a solution, but I don't know off the top of my head how one
could implement it.

[1] the actual encryption key is stored encrypted inside the LUKS
header, which is unlocked with a passphrase, roughly.

-- 
Josselin Poiret
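
Added example (not part of the original message, and not Guix code): a Python check for the property the reply describes, namely that a keyfile stays out of the world-readable store and is readable by its owner only. The function name audit_keyfile, the finding labels and the sample file names are assumptions made for this illustration; /gnu/store is the default store location.

```python
import os
import stat
import tempfile

GUIX_STORE = "/gnu/store"  # default store location; world-readable by design


def audit_keyfile(path, expected_uid=0, store_prefix=GUIX_STORE):
    """Return a list of findings for a keyfile; an empty list means it passes."""
    findings = []
    # Resolve symlinks first: a link that points into the store leaks just the same.
    real = os.path.realpath(path)
    store = os.path.realpath(store_prefix)
    if os.path.commonpath([real, store]) == store:
        findings.append("in-store")
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    # Anything beyond owner access (the r-------- of the message) is a finding.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")
    if st.st_uid != expected_uid:
        findings.append("wrong-owner")
    return findings


if __name__ == "__main__":
    # Constructed sample layout in a temporary directory, standing in for a
    # real store and a real keyfile so the check can run anywhere.
    base = tempfile.mkdtemp()
    fake_store = os.path.join(base, "store")
    os.mkdir(fake_store)
    in_store = os.path.join(fake_store, "placeholder-boot-script")
    outside = os.path.join(base, "root.key")
    for name, mode in ((in_store, 0o444), (outside, 0o400)):
        with open(name, "w") as handle:
            handle.write("constructed sample, not a real key\n")
        os.chmod(name, mode)
    for name in (in_store, outside):
        result = audit_keyfile(name, expected_uid=os.getuid(),
                               store_prefix=fake_store)
        print(name, "->", result or "ok")
```

On a real system the defaults (owner uid 0, store at /gnu/store) apply, so the call is simply audit_keyfile(path).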




