2015-09-11 15:31 GMT+01:00 Bryan Gardiner <b...@khumba.net>:

> On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <tuomas.tynkky...@iki.fi>:
> >
> > > (Argh, replying to the list this time...)
> > >
> > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <b...@khumba.net>:
> > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > [...]
> > > >
> > > > How about doing something like:
> > > >
> > > >     preLVMCommands =
> > > >       let key = builtins.readFile ./keyfile; in
> > > >       "echo '${key}' >/key"
> > > >
> > >
> > > Do note that by doing this, the key will get embedded somewhere in
> > > /nix/store, with world-readable unix permissions.
> >
> > Mhm, that's definitely not cool. I thought it would appear only inside
> > the initrd image :[
> > Do you think there is any other way to put this key in the initrd?
>
> If you don't want it in plain text, you could compress or obfuscate it
> by any means, then reverse that in the initrd...  The
> extraUtilsCommands method will certainly result in "not simply plain
> text."  Though this is security by obscurity, and I don't know a quick
> way to truly secure it without having to enter your password an extra
> time.  Nix doesn't support non-world-readable data in the store.
>
Thanks for the explanation.

>
> Can Grub pass its unlock password to the initrd?  If so, you could
> decrypt the keyfile with that, and only put an encrypted keyfile in
> the store.
>
Not really, that's why I want to put the key inside the initrd. Otherwise I could
decrypt the partitions with the password from GRUB.

>
> Or maybe you could restrict non-root users from accessing the initrds
> in the store via grsec or apparmor.
>
Mhm, I see.
What about putting something into the initrd but not adding it to the Nix store?
Do you think there is any initrd hook I can use to add stuff?

Tom

>
> Cheers,
> Bryan
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>


-- 
Tomasz Czyż

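The practical check behind Tuomas's warning, as an added example that is not code from this thread or from NixOS: when `builtins.readFile ./keyfile` is interpolated into `preLVMCommands`, the key ends up inside a world-readable stage-1 script in /nix/store. The script below scans a store tree for any world-readable file containing the bytes of a key file. The store paths, the key contents and the `demo` helper are constructed for illustration; it assumes POSIX find/grep and a single-line text key.

```shell
#!/usr/bin/env bash
# Added example, not code from this thread or from NixOS. It checks whether
# the bytes of a key file turn up in any world-readable file under a tree
# such as /nix/store, which is what happens when the key is interpolated
# into a derivation via builtins.readFile as in the preLVMCommands snippet
# above. Assumes POSIX find/grep and a single-line text key.

set -u

# leak_check STORE KEYFILE
# Prints every world-readable regular file (other-read bit set) under STORE
# whose contents include the key. Returns 1 if any such file exists, 0 if none.
leak_check() {
    store=$1
    keyfile=$2
    key=$(cat -- "$keyfile")
    # -perm -004: other-read bit set. grep -F: the key is a literal, not a regex.
    hits=$(find "$store" -type f -perm -004 -exec grep -lF -- "$key" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_fake_store DIR KEY MODE
# Constructed sample tree with hypothetical store paths. The stage-1 script
# mirrors what the snippet above produces ("echo '<key>' >/key") and gets
# MODE; a second copy of the key is always stored 0600 to show that the
# check keys on the permission bits, not merely on content.
make_fake_store() {
    dir=$1
    sample_key=$2
    mode=$3
    mkdir -p "$dir/nix/store/aaaa-stage-1-init" "$dir/nix/store/bbbb-private"
    printf "echo '%s' >/key\n" "$sample_key" >"$dir/nix/store/aaaa-stage-1-init/init"
    chmod "$mode" "$dir/nix/store/aaaa-stage-1-init/init"
    printf '%s' "$sample_key" >"$dir/nix/store/bbbb-private/keyfile"
    chmod 600 "$dir/nix/store/bbbb-private/keyfile"
}

# demo MODE
# Builds the sample tree with the stage-1 script at MODE, runs the check and
# returns its status: 1 (leak found) for 644, 0 (clean) for 600.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-luks-keyfile-contents' >"$tmp/keyfile"
    make_fake_store "$tmp" "$(cat "$tmp/keyfile")" "$1"
    leak_check "$tmp/nix/store" "$tmp/keyfile"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# On a real system: ./leakcheck.sh /nix/store /path/to/keyfile
if [ "$#" -eq 2 ]; then
    leak_check "$1" "$2"
fi
```

Run it as `./leakcheck.sh /nix/store /etc/keyfile` after `nixos-rebuild`; any path it prints is readable by every local user, and the initrd archive itself (a gzip/cpio file) also needs to be uncompressed before grepping, which this plain-text check does not do.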