On 2020-04-07, Alex Griffin wrote:
> On Tue, Apr 7, 2020, at 9:46 AM, Ludovic Courtès wrote:
>> The difficulty is that any file traveling through the store is
>> world-readable. It’s hard to avoid.
>
> If we can create the key file outside of the store, then GRUB is capable of
> being passed multiple initrds. So we can put the key in its own initrd
> (outside of the store), continue to generate the normal initrd in /gnu/store,
> and pass both of them to GRUB. The key never enters the store in any way.
>
> The result is that the user only needs to enter a password into GRUB, because
> GRUB then passes the key file to the kernel.
I believe it's also possible for grub to provide the key derived/decrypted from the passphrase entered at run-time, obviating the need for a separate key entirely. I don't have details on how to do this, but I *think* that's what recent Debian installs do... it certainly would simplify key slot management issues.

live well,
  vagrant
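One way to realize the two-initrd scheme Alex describes in the quoted text, as an added example that is not code from the thread, from Guix or from GRUB: it builds a minimal newc-format cpio initrd containing only the key file, creates it mode 0600 at a location outside the store, and prints the matching GRUB menuentry that loads both images. The in-initrd key path `cryptroot.key`, the `/boot` output location and the `/gnu/store/<hash>-...` paths are assumptions and placeholders, not values from the thread.

```python
import os

IN_INITRD_KEY_PATH = "cryptroot.key"  # hypothetical path the initrd's cryptsetup would read

def _pad4(data: bytes) -> bytes:
    # cpio newc aligns both the header+name and the file data to 4 bytes.
    return data + b"\0" * (-len(data) % 4)

def _newc_entry(name: bytes, data: bytes, mode: int, ino: int, mtime: int) -> bytes:
    # Header: "070701" magic followed by 13 eight-digit hex fields:
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (incl. NUL), check.
    fields = [ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    header = b"070701" + b"".join(b"%08x" % f for f in fields)
    return _pad4(header + name + b"\0") + _pad4(data)

def build_key_initrd(key: bytes, key_path: str = IN_INITRD_KEY_PATH) -> bytes:
    # One regular file, mode 0600 owned by root (uid/gid 0), then the mandatory trailer.
    entry = _newc_entry(key_path.encode(), key, 0o100600, 1, 0)
    trailer = _newc_entry(b"TRAILER!!!", b"", 0, 0, 0)
    return entry + trailer

def write_key_initrd(key: bytes, out_path: str) -> int:
    # Open with 0600 before any byte is written so the key never sits world-readable
    # on disk; out_path must be outside /gnu/store (e.g. under /boot).
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_key_initrd(key))
    return os.stat(out_path).st_mode & 0o777

def grub_menuentry(kernel: str, store_initrd: str, key_initrd: str) -> str:
    # GRUB's `initrd` command takes several images; the kernel unpacks the
    # concatenation as one initramfs, so the key file appears beside the normal contents.
    return (
        "menuentry 'Guix (LUKS key outside the store)' {\n"
        f"  linux {kernel} root=/dev/mapper/cryptroot\n"
        f"  initrd {store_initrd} {key_initrd}\n"
        "}\n"
    )

if __name__ == "__main__":
    key = os.urandom(64)  # constructed sample key; a deployment would use the real LUKS key file
    mode = write_key_initrd(key, "/tmp/key-initrd.cpio")
    print(f"key initrd written with mode {mode:o}")
    print(grub_menuentry("/gnu/store/<hash>-linux-libre/bzImage",
                         "/gnu/store/<hash>-raw-initrd/initrd.cpio.gz",
                         "/boot/key-initrd.cpio"))
```

The key initrd is deliberately left uncompressed; the kernel detects compression per concatenated segment, so it can follow a gzip-compressed store initrd.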