Thanks for all the tips Bryan.

2015-09-11 16:02 GMT+01:00 Bryan Gardiner <[email protected]>:

> On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 15:31 GMT+01:00 Bryan Gardiner <[email protected]>:
> >
> > > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <[email protected]>:
> > > >
> > > > > (Argh, replying to the list this time...)
> > > > >
> > > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <[email protected]>:
> > > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > > [...]
> > > > > >
> > > > > > How about doing something like:
> > > > > >
> > > > > >     preLVMCommands =
> > > > > >       let key = builtins.readFile ./keyfile; in
> > > > > >       "echo '${key}' >/key"
> > > > > >
> > > > >
> > > > > Do note that by doing this, the key will get embedded somewhere in
> > > > > /nix/store, with world-readable unix permissions.
> > > >
> > > > Mhm, that's definitely not cool. I thought it would appear only inside
> > > > the initrd image :[
> > > > Do you think there is any other way to put this key in the initrd?
> > >
> > > If you don't want it in plain text, you could compress or obfuscate it
> > > by any means, then reverse that in the initrd... The
> > > extraUtilsCommands method will certainly result in "not simply plain
> > > text." Though this is security by obscurity, and I don't know a quick
> > > way to truly secure it without having to enter your password an extra
> > > time. Nix doesn't support non-world-readable data in the store.
> >
> > Thanks for the explanation.
> >
> > >
> > > Can Grub pass its unlock password to the initrd? If so, you could
> > > decrypt the keyfile with that, and only put an encrypted keyfile in
> > > the store.
> >
> > Not really, that's why I want to put the key inside the initrd. Otherwise I could
> > decrypt partitions with the pass from grub.
> >
> > >
> > > Or maybe you could restrict non-root users from accessing the initrds
> > > in the store via grsec or apparmor.
> >
> > Mhm, I see.
> > What about putting something into the initrd but not adding it to the nix store?
> > Do you think there is any initrd hook I can use to add stuff?
>
> That could work, if you find how the initrd is copied over. Grub
> manages to make /boot/grub have 700 permissions, so if you extract +
> insert + rebuild the initrd during its installation, and make
> /boot/kernels 700 as well? In my readings of nixpkgs/nixos, I haven't
> gotten to the bottom of the rabbit hole and found out how nixos
> modules *actually* have an effect on the world yet :).
>
> Cheers,
> Bryan
>
> _______________________________________________
> nix-dev mailing list
> [email protected]
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

--
Tomasz Czyż
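The two points raised in the thread, that a keyfile pulled in with `builtins.readFile` ends up in a world-readable store path and that a 700-mode directory such as /boot/grub or /boot/kernels keeps non-root users out, as an added pair of shell checks that are not part of the thread. The store directory, the keyfile path and the test data are constructed placeholders; on a real system the arguments would be /nix/store and the actual keyfile.

```shell
#!/bin/sh
# Added example, not code from the thread. Defender-side checks for the
# problem discussed above: `builtins.readFile ./keyfile` copies the key
# into a /nix/store path that every local user can read. Assumes the
# keyfile is a single line of text (a passphrase) and that file modes are
# read with POSIX `ls -ld`. Real invocation (paths are placeholders):
#   key_leaks /nix/store /root/keyfile; dir_private /boot/kernels

# key_leaks STORE_DIR KEYFILE
# Lists every file under STORE_DIR that contains the keyfile bytes and is
# readable by "other". Returns 0 if clean, 1 if at least one copy leaks.
key_leaks() {
    store="$1"
    keyfile="$2"
    # -r recurse, -l print only matching paths, -a treat binaries as text,
    # -F fixed strings, -f take the pattern from the keyfile itself so the
    # secret never shows up in argv or the process list.
    leaks=$(grep -rlaF -f "$keyfile" "$store" 2>/dev/null |
        while IFS= read -r path; do
            mode=$(ls -ld "$path" | cut -c1-10)
            # character 8 of the mode string is the "other read" bit
            if [ "$(printf '%s' "$mode" | cut -c8)" = r ]; then
                printf '%s %s\n' "$mode" "$path"
            fi
        done)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# dir_private DIR
# Returns 0 when DIR carries no group/other permission bits at all
# (mode 700, the layout Bryan describes for /boot/grub), 1 otherwise.
dir_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```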
