Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dracut: set --keyname for systemd-ask-password #15913

Open
SebastianS90 opened this issue Feb 19, 2024 · 0 comments
Open

dracut: set --keyname for systemd-ask-password #15913

SebastianS90 opened this issue Feb 19, 2024 · 0 comments
Labels
Type: Feature Feature request or new feature

Comments

@SebastianS90
Copy link

Describe the feature you would like to see added to OpenZFS

Please set a --keyname for systemd-ask-password. The name should probably contain "zfs" and maybe the encryption root in some suitable format (not sure which characters are allowed and whether slashes must be rewritten to something else).

How will this feature improve OpenZFS?

With the relatively new pam_systemd_loadkey, the same passphrase can be used for zfs encryption and the desktop session keyring (Gnome Keyring/KWallet) and must be provided only once on boot.

Additional context

My laptop is used only by myself. For a complete boot I currently need three passwords, all adding a different kind of protection:

  1. The BIOS/UEFI boot password: In case the hardware gets stolen, the thief has a harder time using it.
  2. The passphrase for my encrypted ZFS root dataset: In case someone has physical access to the hardware and removes the storage, the data is still protected.
  3. The password for my user account that unlocks my desktop session and the desktop keyring (Gnome keyring / KWallet). Starting the session without password would already be possible, but then the desktop keyring would have to be (1) unlocked separately, (2) having an empty password, or (3) the password must be stored somewhere on disk. The first option provides no real benefit and the latter two are not ideal security-wise since they make it easier for malicious applications to steal the keyring contents. Caching the zfs encryption passphrase for 2.5 minutes in the kernel is a much smaller risk, because it is accessibly by root only and only for a short period of time.

With the addition of --keyname and the use of pam_systemd_loadkey, only two passwords are required, without giving up much security. Especially since the first two passwords (BIOS/UEFI and ZFS encryption) are queried early in the boot procedure, I can prepare other stuff while my system services take their time to start up and then without any further interaction also the user autostart applications can load.
@SebastianS90 SebastianS90 added the Type: Feature Feature request or new feature label Feb 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Feature Feature request or new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@SebastianS90