2015-09-11 15:31 GMT+01:00 Bryan Gardiner <b...@khumba.net>:

> On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <tuomas.tynkky...@iki.fi>:
> > >
> > > (Argh, replying to the list this time...)
> > >
> > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <b...@khumba.net>:
> > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > [...]
> > > >
> > > > How about doing something like:
> > > >
> > > >     preLVMCommands =
> > > >       let key = builtins.readFile ./keyfile; in
> > > >       "echo '${key}' >/key"
> > > >
> > >
> > > Do note that by doing this, the key will get embedded somewhere in
> > > /nix/store, with world-readable unix permissions.
> >
> > Mhm, that's definitely not cool. I thought it would appear only inside
> > the initrd image :[
> > Do you think there is any other way to put this key in the initrd?
>
> If you don't want it in plain text, you could compress or obfuscate it
> by any means, then reverse that in the initrd... The
> extraUtilsCommands method will certainly result in "not simply plain
> text." Though this is security by obscurity, and I don't know a quick
> way to truly secure it without having to enter your password an extra
> time. Nix doesn't support non-world-readable data in the store.

Thanks for the explanation.

> Can Grub pass its unlock password to the initrd? If so, you could
> decrypt the keyfile with that, and only put an encrypted keyfile in
> the store.

Not really, that's why I want to put the key inside the initrd. Otherwise I
could decrypt the partitions with the pass from grub.

> Or maybe you could restrict non-root users from accessing the initrds
> in the store via grsec or apparmor.

Mhm, I see. What about putting something into the initrd but not adding it
to the nix store? Do you think there is any initrd hook I can use to add
stuff?

Tom

> Cheers,
> Bryan
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

--
Tomasz Czyż
_______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
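The failure mode Tuomas points out above (a keyfile interpolated with builtins.readFile ends up in a world-readable /nix/store path, not only inside the initrd image) is easy to confirm on a running system. The script below is an added example for this thread, not code posted by any participant or shipped by NixOS. It assumes POSIX sh with a grep that supports -r, -l, -F, -a and -f (GNU or BSD); the keyfile and store paths are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from the discussion or from NixOS.
# Audits a Nix store for a LUKS keyfile whose bytes were copied into a
# world-readable store path, which is what happens when
# builtins.readFile ./keyfile is interpolated into preLVMCommands.
# Assumes POSIX sh plus grep with -r -l -F -a -f (GNU or BSD grep).
# Store and keyfile paths are placeholders chosen for the example.

# find_leaked_key STORE KEYFILE
#   Prints "<path> world-readable" or "<path> restricted" for every file
#   under STORE that contains a line of KEYFILE.
#   Returns 1 if a world-readable copy exists, 0 if none, 2 on bad input.
find_leaked_key() {
    store=$1
    keyfile=$2
    # An empty keyfile (or one containing an empty line) would match
    # everything, so refuse it instead of reporting a bogus leak.
    if [ ! -s "$keyfile" ] || grep -q '^$' "$keyfile"; then
        printf 'refusing to audit with an empty keyfile or empty key line: %s\n' "$keyfile" >&2
        return 2
    fi
    # -r recurse, -l print matching names only, -F literal strings,
    # -a treat binaries (scripts, uncompressed cpio) as text,
    # -f take the patterns, one per line, from the keyfile itself.
    result=$(grep -rlFaf "$keyfile" "$store" 2>/dev/null | while IFS= read -r path; do
        # Do not report the keyfile itself if it happens to live under STORE.
        [ "$path" = "$keyfile" ] && continue
        # -perm -004: the "others" read bit is set; -prune keeps find from
        # descending if path were a directory.
        if [ -n "$(find "$path" -prune -perm -004 -print 2>/dev/null)" ]; then
            printf '%s world-readable\n' "$path"
        else
            printf '%s restricted\n' "$path"
        fi
    done)
    [ -n "$result" ] && printf '%s\n' "$result"
    case $result in
        *world-readable*) return 1 ;;
    esac
    return 0
}

# Usage: sh audit-store-key.sh /etc/secrets/keyfile [/nix/store]
if [ $# -ge 1 ]; then
    find_leaked_key "${2:-/nix/store}" "$1"
fi
```

Two caveats when running this for real. The compressed initrd image in the store will not match a literal grep, so a hit usually comes from the generated stage-1 init script, which NixOS writes to the store as its own path; to audit the image itself, unpack it first (zcat or xz -d, then cpio -i) and point the script at the unpacked tree. And a grep -r over a full /nix/store is slow; restricting STORE to the current system's initrd-related paths is enough to answer Tomasz's question of whether the key escaped the initrd. NixOS releases after this 2015 thread added a boot.initrd.secrets option that copies files into the initrd at bootloader-install time rather than through the store, which is the hook being asked for here.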