mbox series

[bug#65002,0/2] Add support for unlocking root device via a key file

Message ID cover.1690922760.git.wolf@wolfsden.cz
Headers show
Series Add support for unlocking root device via a key file | expand

Message

Tomas Volf Aug. 1, 2023, 8:53 p.m. UTC 
When having an encrypted /boot, it is currently necessary to input a password
twice, once for the /boot (so that grub can find its configuration) and later
once more in order to actually unlock the / itself.  It is not very user
friendly and gets annoying quickly in more exotic setups.  For example with /
on RAID1 BTRFS, password needs to be entered 4 times.  And even without that,
for large encrypted arrays, password needs to be entered once per drive.

The obvious solution to this is to just use --key-file option of the luksOpen
command, however support for that was not implemented.  This series adds that
support.

Another problem is where to store the key file, since it needs to be both
present in the initrd, but it cannot be in the store (since that would make it
world-readable, and you do not want that for an encryption key).  Luckily for
us, grub can load multiple initrds and merge them, so option to specify
additional initrd (not from the store) is added as well.

Since extlinux does not look like supporting encrypted /boot (and this new
option should not be used for anything else), it was added only into into
grub.

Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)


base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7

Comments

Dominik Riva Aug. 10, 2023, 12:22 a.m. UTC | #1 
Hi,

I can confirm, the patches work for me but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.


  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  ;; /root in /root/key-file.cpio refers to the 

  ;; /dev/mapper/enc btrfs root subvolume and not the home of root.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader-luks2)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)
                (extra-initrd "/root/key-file.cpio")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
          (target "enc")
          (type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))


The snipped from https://issues.guix.gnu.org/55723#0 also needed a some changes.
I had to swap line 2 with 3, I switched ext2 with btrfs and the different format for the uuid ticked me as well.

But now I have a booting system and the passphrase only gets asked for once.


Thanks,
Dominik


[1] full config.scm: https://paste.debian.net/1288436/