Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/luksroot: Add option to save passphrases. #64374

Open
wants to merge 1 commit into
base: master
from

Conversation

@ambrop72
Copy link
Contributor

commented Jul 6, 2019

Motivation for this change

I needed that another LUKS device gets unlocked automatically using the same passphrase that was used to unlock the LUKS device containing the root file system. This adds an option to the initrd which if enabled will save passphrases to /run/initrd-saved-passphrases so that they can be used after the initrd to unlock other devices.

Maybe using /run/keys (which is already a thing and gets mounted automatically, but not in the initrd) would be more appropriate? Not sure where would be the right place to put the code for doing that, and if it could somehow conflict with the fstab entry.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@rnhmjoj

This comment has been minimized.

Copy link
Contributor

commented Jul 7, 2019

I thought #29441 did this already, or am I misunderstanding what this patch does?

@ambrop72

This comment has been minimized.

Copy link
Contributor Author

commented Jul 7, 2019

That one temporarily saves the passphrase and automatically tries to reuse it for the next LUKS device opened from the initrd. That allows opening multiple LUKS devices in the initrd while typing only one passphrase.

What I need is to open just one device in the initrd (where the root filesystem is), and open another device automatically during the systemd boot. That other device does not need to be opened in the initrd; configuring it to be opened in the initrd would prevent me from booting if the device does not work, would also increase the boot time a little (since it is not done in parallel).

This patch makes it possible for the initrd to save the passphrase so that it can be used later (after the initrd is done) to open another device. To do that I added a systemd service like this:

systemd.services.cryptsetup-crypt-disk = let
  name = "crypt-disk";
  device = "/dev/disk/by-uuid/xxx";
  keyFile = "/run/initrd-saved-passphrases/luks-crypt-ssd";
in {
  description = "Open LUKS volume ${name}";
  requires = [ "${utils.escapeSystemdPath device}.device" ];
  after = [ "${utils.escapeSystemdPath device}.device" ];
  # I use ZFS so this is a dependency of the service that imports the pool.
  # Otherwise it would be a dependency of mount units directly.
  before = [ "zfs-import-zfs-disk.service" ];
  requiredBy = [ "zfs-import-zfs-disk.service" ];
  unitConfig.DefaultDependencies = "no";
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    ExecStart = "${pkgs.cryptsetup}/bin/cryptsetup luksOpen ${device} ${name} --key-file ${keyFile}";
  };
};
@cleverca22

This comment has been minimized.

Copy link
Contributor

commented Jul 8, 2019

another option would be to have a regular keyfile on the encrypted rootfs, and then always use that to open the 2nd luks device

@ambrop72

This comment has been minimized.

Copy link
Contributor Author

commented Jul 8, 2019

another option would be to have a regular keyfile on the encrypted rootfs, and then always use that to open the 2nd luks device

This is true but I'm not fond of keeping encryption keys on the disk and it's also manual work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.