Re: Detached LUKS header

2019-11-12 Thread elaexuotee
Chris Marusich wrote:

> I'm not sure.  On your non-Guix setup, the crypttab exists in the
> initrd, right?  And that initrd exists in the /boot directory on the
> external drive, right?

Yes. Specifically, I am using dracut to generate the initrd and I believe it is
the crypt module that copies crypttab into the cpio. Similarly, dracut.conf
ensures the initrd also contains the luks header file.

> Have you looked into how you can customize the initrd in Guix?

Beautiful. That URL you shared gives me a good starting place. Thank you.

> If you figure out a configuration that works, please do share it!

I sure will! Thank you for taking the time to share your thoughts.

> elaexuo...@wilsonb.com writes:
>
> > Anyway, is there a straightforward way to configure a mapping device for LUKS
> > with a detached header? Otherwise, what's the best way to go about passing
> > command line options to the initrd cryptsetup call?
> >
> > For a little context, I like my drive to look just like random data to a third
> > party; however, the presence of a LUKS header pretty much defeats plausible
> > deniability of hosting encrypted data. Thus, detached headers.
> >
> > To that end, with my current non-guix setup, I have /boot and grub sitting on
> > an external drive, with dracut shoving the LUKS header in the initrd. Then
> > crypttab references said header, so the initrd cryptsetup call Just Works TM.
>
> I'm not sure.  On your non-Guix setup, the crypttab exists in the
> initrd, right?  And that initrd exists in the /boot directory on the
> external drive, right?
>
> Have you looked into how you can customize the initrd in Guix?  It's
> described in the "Initial RAM Disk" section of the manual:
>
> https://guix.gnu.org/manual/en/html_node/Initial-RAM-Disk.html#Initial-RAM-Disk
>
> If I understand your non-Guix configuration right, it sounds like you
> put the initrd on the external drive.  Guix normally installs the initrd
> into the store, and then adds to the Grub configuration file a reference
> to the initrd in the store, like this:
>
> menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
>   search --label --set root
>   linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
>   initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
> }
>
> So, it might be a little tricky to convince Guix to do the right thing
> for your use case.  Also, I think Grub has the ability to read LUKS
> volumes, but I'm not sure how to configure it.
>
> If you figure out a configuration that works, please do share it!
> Hopefully something in my email is helpful to you.
>
> -- 
> Chris




Re: Detached LUKS header

2019-11-12 Thread elaexuotee
Nerd away!

It is indeed a nifty setup. Unfortunately, I can't point you at a manual, as
it's a self-baked solution. I actually ended up patching dracut to get the
whole thing working. Happily, upstream merged the patch, so in principle anyone
should be able to recreate my current setup. Unfortunately, however, I believe
the only documentation is the code itself, as is common with dracut.

Anyway, just in case you are interested, here is an overview of the salient
moving pieces in my current setup:

0) Create LUKS volume with detached header;

This is easiest when setting up a new volume; just read about the --header
option in the cryptsetup(8) manpage. You can actually convert a traditional
LUKS volume to a headerless one by copying the header to a file and then
erasing the 512 bytes at the offset on your drive where it resides, using dd or
whatever.

1) Install GRUB on your USB;

This is probably self-explanatory.

2) Make sure your grub.cfg and every path it references is on said USB;

In my particular setup, just keeping /boot on the drive is enough.

3) Set up your initrd.

This is the trickiest part. There are two parts:

  a) Get your LUKS header (and key) file into the initrd; and
  b) Configure cryptsetup in initrd to use the detached header (and key).

My current distro (Void Linux) uses dracut, so the above boil down to editing
/etc/dracut.conf for a) and /etc/crypttab for b).

That said, in retrospect, I believe a better way might be to use GRUB's native
ability to decrypt LUKS volumes. This would let us keep /boot in the encrypted
drive, so the USB only contains GRUB, grub.cfg, the LUKS headers, and possibly
a LUKS key.

Anyway, if any of the above was unclear, certainly don't hesitate to ask.

Cheers!

Joshua Branson wrote:

>
> I hope you don't mind my nerdy awe, but dang bro!  That sounds like an
> awesome setup!  What manual did you follow on your other distro to set
> up your computer like this?  I've never thought about having my grub and
> /boot on an external usb or drive...but that is pretty interesting!
>
> -- 
> Joshua Branson
> Sent from Emacs and Gnus




Re: Detached LUKS header

2019-11-11 Thread Chris Marusich
elaexuo...@wilsonb.com writes:

> Anyway, is there a straightforward way to configure a mapping device for LUKS
> with a detached header? Otherwise, what's the best way to go about passing
> command line options to the initrd cryptsetup call?
>
> For a little context, I like my drive to look just like random data to a third
> party; however, the presence of a LUKS header pretty much defeats plausible
> deniability of hosting encrypted data. Thus, detached headers.
>
> To that end, with my current non-guix setup, I have /boot and grub sitting on
> an external drive, with dracut shoving the LUKS header in the initrd. Then
> crypttab references said header, so the initrd cryptsetup call Just Works TM.

I'm not sure.  On your non-Guix setup, the crypttab exists in the
initrd, right?  And that initrd exists in the /boot directory on the
external drive, right?

Have you looked into how you can customize the initrd in Guix?  It's
described in the "Initial RAM Disk" section of the manual:

https://guix.gnu.org/manual/en/html_node/Initial-RAM-Disk.html#Initial-RAM-Disk

If I understand your non-Guix configuration right, it sounds like you
put the initrd on the external drive.  Guix normally installs the initrd
into the store, and then adds to the Grub configuration file a reference
to the initrd in the store, like this:

menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
  search --label --set root
  linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
  initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
}

So, it might be a little tricky to convince Guix to do the right thing
for your use case.  Also, I think Grub has the ability to read LUKS
volumes, but I'm not sure how to configure it.

If you figure out a configuration that works, please do share it!
Hopefully something in my email is helpful to you.

-- 
Chris




Detached LUKS header

2019-11-09 Thread elaexuotee
Installing GuixSD for the first time. On a ThinkPad T400s, to boot!

Anyway, is there a straightforward way to configure a mapping device for LUKS
with a detached header? Otherwise, what's the best way to go about passing
command line options to the initrd cryptsetup call?

For a little context, I like my drive to look just like random data to a third
party; however, the presence of a LUKS header pretty much defeats plausible
deniability of hosting encrypted data. Thus, detached headers.

To that end, with my current non-guix setup, I have /boot and grub sitting on
an external drive, with dracut shoving the LUKS header in the initrd. Then
crypttab references said header, so the initrd cryptsetup call Just Works TM.

If there is a better way to go about setting up a "random noise" drive, I
certainly am open to hearing suggestions! At the end of the day, I am just
looking for a way to have such a drive under GuixSD.

I haven't found anything in the manual, but if I am just missing something
obvious, then forgive the spam.

Cheers!