[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#72889: I thought of a possible way to do this.
|
From: |
amano.kenji |
|
Subject: |
bug#72889: I thought of a possible way to do this. |
|
Date: |
Tue, 10 Sep 2024 13:14:38 +0000 |
- /dev/sda
/dev/sda1: A tiny LUKS partition that's filled with the content of a keyfile
without any filesystem format.
/dev/sda2: /boot for grub. It also serves as FAT32 EFI partition.
- /dev/sdb
/dev/sdb1: /gnu/store on btrfs raid1
/dev/sdb2: / on btrfs raid1 on LUKS
- /dev/sdc
/dev/sdc1: /gnu/store on btrfs raid1
/dev/sdc2: / on btrfs raid1 on LUKS
Open /dev/sda1 as a luke device, /dev/mapper/key, with one password. It
contains a keyfile without any filesystem format. Use /dev/mapper/key as a
keyfile for all other LUKS devices in mapped devices.
This exposes /gnu/store, but /gnu/store is not supposed to have any sensitive
data. This obviously makes it practically impossible to detect physical
tempering of data, but if you store it at a secure location, you don't have to
worry too much about evil maid attack.
RAID1 for physically secure servers is enough to ensure some availability when
a disk fails.
For laptops that you carry, you are not going to use btrfs raid1, and you can
just have unencrypted /boot on fat32 and / on btrfs on luks. extra-initrd
contains a keyfile for / so that I don't have to type the password twice.
A desktop computer doesn't require server-level availability, but people who
have money can still put root on encrypted btrfs raid1.
Perhaps, can this be documented in the cook book?
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#72889: I thought of a possible way to do this.,
amano.kenji <=