
Re: Detached LUKS header

From: Chris Marusich
Subject: Re: Detached LUKS header
Date: Mon, 11 Nov 2019 20:44:44 -0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

address@hidden writes:

> Anyway, is there a straightforward way to configure a mapping device for LUKS
> with a detached header? Otherwise, what's the best way to go about passing
> command line options to the initrd cryptsetup call?
> For a little context, I like my drive to look just like random data to a third
> party; however, the presence of a LUKS header pretty much defeats plausible
> deniability of hosting encrypted data. Thus, detached headers.
> To that end, with my current non-guix setup, I have /boot and grub sitting on
> an external drive, with dracut shoving the LUKS header in the initrd. Then
> crypttab references said header, so the initrd cryptsetup call Just Works TM.

I'm not sure.  On your non-Guix setup, the crypttab exists in the
initrd, right?  And that initrd exists in the /boot directory on the
external drive, right?

Have you looked into how you can customize the initrd in Guix?  It's
described in the "Initial RAM Disk" section of the manual:

If I understand your non-Guix configuration right, it sounds like you
put the initrd on the external drive.  Guix normally installs the initrd
into the store, and then adds to the Grub configuration file a reference
to the initrd in the store, like this:

menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
  search --label --set root
  linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
  initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
}

So, it might be a little tricky to convince Guix to do the right thing
for your use case.  Also, I think Grub has the ability to read LUKS
volumes, but I'm not sure how to configure it.

If you figure out a configuration that works, please do share it!
Hopefully something in my email is helpful to you.


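The threat model in the quoted message is that a LUKS header sitting at the start of the device is trivially detectable, which is exactly what a detached header avoids. As an added example (editor's code, not from this thread, Guix or cryptsetup), here is the kind of scanner a third party would run against a drive: it recognises the LUKS1 and LUKS2 on-disk magic, parses the fixed header fields, and checks for the LUKS2 secondary header. It is run against a constructed LUKS1 header, a constructed LUKS2 header and a buffer of random bytes standing in for a detached-header data device. The sample headers are built inline for the demo and are not real volumes; the field names and layouts follow the LUKS1 phdr and the LUKS2 binary header.

```python
"""Scan a raw disk image for an on-disk LUKS header.

Added example for this thread (not code from Guix, cryptsetup or either
poster). A header at offset 0 of the device is what a scanner like this
finds; with a detached header the data device carries only ciphertext.
"""
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # LUKS1 and LUKS2 primary header, offset 0
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header

# LUKS1 phdr: magic, version, cipher-name, cipher-mode, hash-spec,
# payload-offset (sectors), key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iter, uuid; followed by 8 key slots of 48 bytes (592 bytes total).
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS1_KEYSLOTS = 8 * 48
# LUKS2 binary header prefix: magic, version, hdr_size, seqid, label,
# csum_alg, salt, uuid (the JSON metadata area follows the 4096-byte binary header).
LUKS2_BIN = struct.Struct(">6sHQQ48s32s64s40s")


def cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def identify_luks(blob: bytes):
    """Return parsed header fields if blob starts with a LUKS header, else None."""
    if len(blob) < LUKS1_PHDR.size or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        (_, _, cipher, mode, hash_spec, payload_off, key_bytes,
         _, _, _, uuid) = LUKS1_PHDR.unpack_from(blob, 0)
        return {"version": 1, "cipher": cstr(cipher), "mode": cstr(mode),
                "hash": cstr(hash_spec), "payload_offset_sectors": payload_off,
                "key_bytes": key_bytes, "uuid": cstr(uuid)}
    if version == 2 and len(blob) >= LUKS2_BIN.size:
        _, _, hdr_size, _, label, csum_alg, _, uuid = LUKS2_BIN.unpack_from(blob, 0)
        # The secondary header sits immediately after the primary header area.
        has_secondary = blob[hdr_size:hdr_size + 6] == LUKS2_SECONDARY_MAGIC
        return {"version": 2, "hdr_size": hdr_size, "label": cstr(label),
                "csum_alg": cstr(csum_alg), "uuid": cstr(uuid),
                "secondary_header": has_secondary}
    return {"version": version}


def identify_luks_file(path: str, nbytes: int = 8 * 1024 * 1024):
    """Classify a device or image file from its first nbytes (8 MiB covers a
    LUKS2 secondary header for every permitted header size, up to 4 MiB)."""
    with open(path, "rb") as fh:
        return identify_luks(fh.read(nbytes))


def build_luks1_sample() -> bytes:
    """Constructed LUKS1 header (sample data only, no usable key material)."""
    phdr = LUKS1_PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                           4096, 64, b"\0" * 20, b"\0" * 32, 1000,
                           b"00000000-0000-0000-0000-000000000000")
    return phdr + b"\0" * LUKS1_KEYSLOTS


def build_luks2_sample(hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 primary + secondary headers (sample data only)."""
    def bin_hdr(magic: bytes) -> bytes:
        return LUKS2_BIN.pack(magic, 2, hdr_size, 1, b"demo", b"sha256",
                              b"\0" * 64, b"00000000-0000-0000-0000-000000000000")
    primary = bin_hdr(LUKS_MAGIC).ljust(hdr_size, b"\0")
    secondary = bin_hdr(LUKS2_SECONDARY_MAGIC).ljust(hdr_size, b"\0")
    return primary + secondary


def demo():
    """In-place LUKS1, in-place LUKS2, and a detached-header data device."""
    luks1_disk = build_luks1_sample() + os.urandom(4096)
    luks2_disk = build_luks2_sample() + os.urandom(4096)
    # With a detached header the data device is ciphertext only; modelled here
    # with random bytes, which is what a scanner sees in that case.
    detached_data = os.urandom(len(luks1_disk))
    return (identify_luks(luks1_disk), identify_luks(luks2_disk),
            identify_luks(detached_data))


if __name__ == "__main__":
    for label, info in zip(("in-place LUKS1", "in-place LUKS2", "detached header"), demo()):
        print(f"{label:16s}: {info if info else 'no LUKS header found'}")
```

`cryptsetup luksFormat --header header.img /dev/sdX` followed by `cryptsetup open --header header.img /dev/sdX name` produces the detached case: run `identify_luks_file` on the data device and it reports nothing, run it on `header.img` and it reports the full header. The caveat a practitioner should keep in mind is that the absence of a header only removes the obvious marker; a whole device of uniformly high-entropy bytes is itself unusual, so "looks like random data" is a weaker claim than "looks unused".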