Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tuomas Tynkkynen
2015-09-11 15:05 GMT+03:00 Tomasz Czyż :
>

>
> Mhm, that's definitely not cool. I thought it will appear only inside initrd
> image :[

A copy of the initrd is always kept in /nix/store, but also the .drv file and
potentially any generated scripts (for building the initrd) might
contain the key.

> Do you think is there any other way to put this key in initrd?

GRUB supports loading multiple initrd images at once. For example,
on Arch Linux the generated grub.cfg contains this:

menuentry 'Arch Linux' --class arch --class gnu-linux /* etc. */ {
# ...
initrd /boot/intel-ucode.img /boot/initramfs-linux.img
}

So one approach would be to create an initrd with just the keyfile
(outside Nix), place it on the /boot partition, and then somehow
make the grub.cfg generator emit the proper initrd line(s).
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
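
Tuomas's point above (a key placed in a Nix expression ends up in /nix/store with world-readable permissions, in the .drv and generated build scripts as well as in the initrd copy) can be turned into a check. The script below is an added example, not code from the thread or from NixOS: it builds a constructed store-like tree (all paths and the key value are made up for the demo) and reports every world-readable file that embeds the keyfile's bytes.

```shell
#!/bin/sh
# Added example, not from the thread or NixOS: audit a store-like directory
# for world-readable files that embed a keyfile's bytes. After the
# preLVMCommands trick, the .drv, the generated initrd-builder scripts and
# the initrd copy in /nix/store can all carry the key, so this is the check
# to run. Every path and key value below is constructed for the demo.

# find_world_readable_copies DIR KEYFILE
# Prints, sorted, each regular file under DIR that is readable by "other"
# (mode bit o+r) and contains the keyfile's content as a fixed string.
# $(cat ...) drops a trailing newline, so a key written with plain "echo"
# and one written with "echo -n" are matched the same way.
find_world_readable_copies() {
    key=$(cat "$2")
    find "$1" -type f -perm -004 -exec grep -lF -e "$key" {} \; | sort
}

# setup_demo: build a throwaway tree that mimics the situation in the thread
# and print its path. Layout (all constructed):
#   keyfile            the secret, mode 600
#   store/*.drv, *.sh  world-readable files that embed the key (like /nix/store)
#   store/unrelated    world-readable file without the key
#   boot/key.img       a copy of the key kept at mode 600 (like a separate
#                      key-only initrd on a 700 /boot)
setup_demo() {
    demo=$(mktemp -d)
    umask 077
    printf 'constructed-demo-key-0123' > "$demo/keyfile"
    mkdir -p "$demo/store" "$demo/boot"
    printf "echo 'constructed-demo-key-0123' >/key\n" \
        > "$demo/store/xyz-stage-1-init.sh"
    printf 'Derive([...],"constructed-demo-key-0123")\n' \
        > "$demo/store/xyz-initrd.drv"
    printf 'nothing secret here\n' > "$demo/store/xyz-unrelated.sh"
    chmod 644 "$demo/store"/*
    cp "$demo/keyfile" "$demo/boot/key.img"
    chmod 600 "$demo/boot/key.img"
    printf '%s\n' "$demo"
}

# Stand-alone run: report leaks in the demo store, then clean up.
demo_dir=$(setup_demo)
echo "world-readable files under $demo_dir/store containing the key:"
find_world_readable_copies "$demo_dir/store" "$demo_dir/keyfile"
echo "under $demo_dir/boot (expected: none):"
find_world_readable_copies "$demo_dir/boot" "$demo_dir/keyfile"
rm -rf "$demo_dir"
```

Run it against a real store as `find_world_readable_copies /nix/store /path/to/keyfile`; a non-empty result means the key is reachable by any local user.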


Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tomasz Czyż
2015-09-11 19:03 GMT+01:00 Tuomas Tynkkynen :

> 2015-09-11 15:05 GMT+03:00 Tomasz Czyż :
> >
>
> >
> > Mhm, that's definitely not cool. I thought it will appear only inside
> initrd
> > image :[
>
> A copy of the initrd is always kept in /nix/store, but also the .drv file
> and
> potentially any generated scripts (for building the initrd) might
> contain the key.
>
> > Do you think is there any other way to put this key in initrd?
>
> GRUB supports loading multiple initrd images at once. For example,
> on Arch Linux the generated grub.cfg contains this:
>
> menuentry 'Arch Linux' --class arch --class gnu-linux /* etc. */ {
> # ...
> initrd /boot/intel-ucode.img /boot/initramfs-linux.img
> }
>
> So one approach would be to create an initrd with just the keyfile
> (outside Nix), place it on the /boot partition, and then somehow
> make the grub.cfg generator emit the proper initrd line(s).
>
wow, I was not aware that stuff is even possible. I have to read more about
how to access stuff from the other initrd.

Btw, I searched through /nix/store and the key copied with "echo ${key} >
/key" is not there, so probably it's only inside a script, which is still
bad.

Thanks a lot.
Tom


Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tomasz Czyż
2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen :

> (Argh, replying to the list this time...)
>
> 2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> [...]
> >
> > How about doing something like:
> >
> > preLVMCommands =
> >   let key = builtins.readFile ./keyfile; in
> >   "echo '${key}' >/key"
> >
>
> Do note that by doing this, the key will get embedded somewhere in
> /nix/store, with world-readable unix permissions.
>
Mhm, that's definitely not cool. I thought it will appear only inside
initrd image :[
Do you think is there any other way to put this key in initrd?


-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tuomas Tynkkynen
(Argh, replying to the list this time...)

2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
[...]
>
> How about doing something like:
>
> preLVMCommands =
>   let key = builtins.readFile ./keyfile; in
>   "echo '${key}' >/key"
>

Do note that by doing this, the key will get embedded somewhere in
/nix/store, with world-readable unix permissions.


Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Bryan Gardiner
On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> 2015-09-11 15:31 GMT+01:00 Bryan Gardiner :
> 
> > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen :
> > >
> > > > (Argh, replying to the list this time...)
> > > >
> > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > [...]
> > > > >
> > > > > How about doing something like:
> > > > >
> > > > > preLVMCommands =
> > > > >   let key = builtins.readFile ./keyfile; in
> > > > >   "echo '${key}' >/key"
> > > > >
> > > >
> > > > Do note that by doing this, the key will get embedded somewhere in
> > > > /nix/store, with world-readable unix permissions.
> > >
> > > Mhm, that's definitely not cool. I thought it will appear only inside
> > > initrd image :[
> > > Do you think is there any other way to put this key in initrd?
> >
> > If you don't want it in plain text, you could compress or obfuscate it
> > by any means, then reverse that in the initrd...  The
> > extraUtilsCommands method will certainly result in "not simply plain
> > text."  Though this is security by obscurity, and I don't know a quick
> > way to truly secure it without having to enter your password an extra
> > time.  Nix doesn't support non-world-readable data in the store.
> >
> Thanks for the explanation.
> 
> >
> > Can Grub pass its unlock password to the initrd?  If so, you could
> > decrypt the keyfile with that, and only put an encrypted keyfile in
> > the store.
> >
> Not really, that's why I want to put key inside initrd. Otherwise I could
> decrypt partitions with the pass from grub.
> 
> >
> > Or maybe you could restrict non-root users from accessing the initrds
> > in the store via grsec or apparmor.
> >
> Mhm, I see.
> What about putting something into initrd but not adding it to nixstore?
> Do you think is there any initrd hook I can use to add stuff?

That could work, if you find how the initrd is copied over.  Grub
manages to make /boot/grub have 700 permissions, so if you extract +
insert + rebuild the initrd during its installation, and make
/boot/kernels 700 as well?  In my readings of nixpkgs/nixos, I haven't
gotten to the bottom of the rabbit hole and found out how nixos
modules *actually* have an effect on the world yet :).

Cheers,
Bryan




Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tomasz Czyż
2015-09-11 15:31 GMT+01:00 Bryan Gardiner :

> On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen :
> >
> > > (Argh, replying to the list this time...)
> > >
> > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > [...]
> > > >
> > > > How about doing something like:
> > > >
> > > > preLVMCommands =
> > > >   let key = builtins.readFile ./keyfile; in
> > > >   "echo '${key}' >/key"
> > > >
> > >
> > > Do note that by doing this, the key will get embedded somewhere in
> > > /nix/store, with world-readable unix permissions.
> >
> > Mhm, that's definitely not cool. I thought it will appear only inside
> > initrd image :[
> > Do you think is there any other way to put this key in initrd?
>
> If you don't want it in plain text, you could compress or obfuscate it
> by any means, then reverse that in the initrd...  The
> extraUtilsCommands method will certainly result in "not simply plain
> text."  Though this is security by obscurity, and I don't know a quick
> way to truly secure it without having to enter your password an extra
> time.  Nix doesn't support non-world-readable data in the store.
>
Thanks for the explanation.

>
> Can Grub pass its unlock password to the initrd?  If so, you could
> decrypt the keyfile with that, and only put an encrypted keyfile in
> the store.
>
Not really, that's why I want to put key inside initrd. Otherwise I could
decrypt partitions with the pass from grub.

>
> Or maybe you could restrict non-root users from accessing the initrds
> in the store via grsec or apparmor.
>
Mhm, I see.
What about putting something into initrd but not adding it to nixstore?
Do you think is there any initrd hook I can use to add stuff?

Tom

>
> Cheers,
> Bryan
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Bryan Gardiner
On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen :
> 
> > (Argh, replying to the list this time...)
> >
> > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > [...]
> > >
> > > How about doing something like:
> > >
> > > preLVMCommands =
> > >   let key = builtins.readFile ./keyfile; in
> > >   "echo '${key}' >/key"
> > >
> >
> > Do note that by doing this, the key will get embedded somewhere in
> > /nix/store, with world-readable unix permissions.
> 
> Mhm, that's definitely not cool. I thought it will appear only inside
> initrd image :[
> Do you think is there any other way to put this key in initrd?

If you don't want it in plain text, you could compress or obfuscate it
by any means, then reverse that in the initrd...  The
extraUtilsCommands method will certainly result in "not simply plain
text."  Though this is security by obscurity, and I don't know a quick
way to truly secure it without having to enter your password an extra
time.  Nix doesn't support non-world-readable data in the store.

Can Grub pass its unlock password to the initrd?  If so, you could
decrypt the keyfile with that, and only put an encrypted keyfile in
the store.

Or maybe you could restrict non-root users from accessing the initrds
in the store via grsec or apparmor.

Cheers,
Bryan




Re: [Nix-dev] How to add file to initrd?

2015-09-11 Thread Tomasz Czyż
Thanks for all the tips Bryan.

2015-09-11 16:02 GMT+01:00 Bryan Gardiner :

> On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 15:31 GMT+01:00 Bryan Gardiner :
> >
> > > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen :
> > > >
> > > > > (Argh, replying to the list this time...)
> > > > >
> > > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner :
> > > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > > [...]
> > > > > >
> > > > > > How about doing something like:
> > > > > >
> > > > > > preLVMCommands =
> > > > > >   let key = builtins.readFile ./keyfile; in
> > > > > >   "echo '${key}' >/key"
> > > > > >
> > > > >
> > > > > Do note that by doing this, the key will get embedded somewhere in
> > > > > /nix/store, with world-readable unix permissions.
> > > >
> > > > Mhm, that's definitely not cool. I thought it will appear only inside
> > > > initrd image :[
> > > > Do you think is there any other way to put this key in initrd?
> > >
> > > If you don't want it in plain text, you could compress or obfuscate it
> > > by any means, then reverse that in the initrd...  The
> > > extraUtilsCommands method will certainly result in "not simply plain
> > > text."  Though this is security by obscurity, and I don't know a quick
> > > way to truly secure it without having to enter your password an extra
> > > time.  Nix doesn't support non-world-readable data in the store.
> > >
> > Thanks for the explanation.
> >
> > >
> > > Can Grub pass its unlock password to the initrd?  If so, you could
> > > decrypt the keyfile with that, and only put an encrypted keyfile in
> > > the store.
> > >
> > Not really, that's why I want to put key inside initrd. Otherwise I could
> > decrypt partitions with the pass from grub.
> >
> > >
> > > Or maybe you could restrict non-root users from accessing the initrds
> > > in the store via grsec or apparmor.
> > >
> > Mhm, I see.
> > What about putting something into initrd but not adding it to nixstore?
> > Do you think is there any initrd hook I can use to add stuff?
>
> That could work, if you find how the initrd is copied over.  Grub
> manages to make /boot/grub have 700 permissions, so if you extract +
> insert + rebuild the initrd during its installation, and make
> /boot/kernels 700 as well?  In my readings of nixpkgs/nixos, I haven't
> gotten to the bottom of the rabbit hole and found out how nixos
> modules *actually* have an effect on the world yet :).
>
> Cheers,
> Bryan
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
2015-09-09 7:03 GMT+01:00 Bryan Gardiner :

> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > Hi,
> >
> > Continuation of this thread:
> >
> http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
> >
> > I already successfully set up crypted partitions for mdadm and for zfs.
> The
> > system is mounting them properly with standard nixos configuration using
> > ``boot.initrd.luks`` configs.
> >
> > But for each mount I have to pass password/key. I thought I can put keys
> > for all partitions to initrd as initrd is on encrypted boot partition
> > (boot). The process would be like:
> > * enter password for grub
> > * grub loads initrd
> > * initrd unlocks all other partitions
> >
> > Currently it works for me in very strange way.
> > I am using preLVMCommands option with "echo 'mykey' > /key".
> > I don't like it because I cannot keep my configuration on git somewhere
> > because it exposes my passwords.
>
> How about doing something like:
>
> preLVMCommands =
>   let key = builtins.readFile ./keyfile; in
>   "echo '${key}' >/key"
>
> then putting keyfile in gitignore?
>
Thanks Bryan,

looks like a good trick :-) I'm new to nix, I didn't even think about that
stuff, cheers!

Tom

>
> - Bryan
>
> > Is there any way to add key files to initrd? (I found some "extra"
> options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
Thank you, I'll try.
I couldn't find this in the docs; is it kind of an undocumented feature, or was I
just not looking carefully?

Tom

2015-09-09 5:59 GMT+01:00 :

> On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
>
> > Is there any way to add key files to initrd? (I found some "extra" options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)
>
> boot.initrd.extraUtilsCommands looks like a good match.
>
> -- Evgeny
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Bryan Gardiner
On Thu, Sep 10, 2015 at 09:18:38AM +0100, Tomasz Czyż wrote:
> Thank you, I'll try.
> I couldn't find this in docs, it's kind of undocumented feature or I just
> was not looking carefully?

It has internal = true; set on the declaration in
nixpkgs/nixos/modules/system/boot/stage-1.nix, probably why it doesn't
show up in the manual.

- Bryan




Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
2015-09-10 16:27 GMT+01:00 Bryan Gardiner :

> On Thu, Sep 10, 2015 at 09:18:38AM +0100, Tomasz Czyż wrote:
> > Thank you, I'll try.
> > I couldn't find this in the docs; is it kind of an undocumented feature, or was I
> > just not looking carefully?
>
> It has internal = true; set on the declaration in
> nixpkgs/nixos/modules/system/boot/stage-1.nix, probably why it doesn't
> show up in the manual.
>

Thanks for clarification.

Tom

>
> - Bryan
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
Permission denied, if I try to use /key.

2015-09-10 21:58 GMT+01:00 Bryan Gardiner :

> On Thu, Sep 10, 2015 at 09:22:13PM +0100, Tomasz Czyż wrote:
> > I have a problem with this method as you cannot copy the file outside
> > extras tree.
> >
> > I used:
> >
> > "cp /my.key $out/key" - the final file is in /nix/store/X/here
> > (hard to access; if the hash changes, this stuff stops working).
> >
> > "cp /my.key $out/../../key" or "cp /my.key /key" doesn't work,
> > permission error, so I cannot put key in the root of initrd.
>
> I don't have encrypted boot going myself...  I'm passing on a reply I
> got off-list from Leroy (bcc'ed, thanks, hope you don't mind), whose
> config works using boot.initrd.extraUtilsCommands:
>
> On Wed, Sep 09, 2015 at 07:40:21PM +1200, Leroy Hopson wrote:
> > Hi Bryan,
> >
> > I have a similar setup. I'm using `boot.initrd.extraUtilsCommands` as
> > Evgeny suggested.
> >
> > Here is a link to the relevant section of my configuration:
> >
> https://github.com/lihop/nixos/blob/7b1b0a7fd4396713573c35368791e32843feb957/devices/desktop.nix#L59-L72
> >
> > Regards,
> > Leroy
>
> He's putting the keyfile in the initrd's /bin, then I suspect that
> $PATH is only "/bin" in his keyFile = ...; arguments.  If that's the
> case, then with your first cp command above, your keyfile should
> simply be at "/key" in your initrd, no need to know the hash.
>
> Cheers,
> Bryan
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
I have a problem with this method as you cannot copy the file outside
extras tree.

I used:

   "cp /my.key $out/key" - the final file is in /nix/store/X/here
(hard to access; if the hash changes, this stuff stops working).
   "cp /my.key $out/../../key" or "cp /my.key /key" doesn't work,
permission error, so I cannot put key in the root of initrd.

Tom

2015-09-09 5:59 GMT+01:00 :

> On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
>
> > Is there any way to add key files to initrd? (I found some "extra" options
> > for boot partition but not for initrd, maybe there are some hooks I'm not
> > aware of)
>
> boot.initrd.extraUtilsCommands looks like a good match.
>
> -- Evgeny
>

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-10 Thread Tomasz Czyż
2015-09-10 9:19 GMT+01:00 Tomasz Czyż :

>
>
> 2015-09-09 7:03 GMT+01:00 Bryan Gardiner :
>
>> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
>> > Hi,
>> >
>> > Continuation of this thread:
>> >
>> http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
>> >
>> > I already successfully set up crypted partitions for mdadm and for zfs.
>> The
>> > system is mounting them properly with standard nixos configuration using
>> > ``boot.initrd.luks`` configs.
>> >
>> > But for each mount I have to pass password/key. I thought I can put keys
>> > for all partitions to initrd as initrd is on encrypted boot partition
>> > (boot). The process would be like:
>> > * enter password for grub
>> > * grub loads initrd
>> > * initrd unlocks all other partitions
>> >
>> > Currently it works for me in very strange way.
>> > I am using preLVMCommands option with "echo 'mykey' > /key".
>> > I don't like it because I cannot keep my configuration on git somewhere
>> > because it exposes my passwords.
>>
>> How about doing something like:
>>
>> preLVMCommands =
>>   let key = builtins.readFile ./keyfile; in
>>   "echo '${key}' >/key"
>>
>> then putting keyfile in gitignore?
>>
> Thanks Bryan,
>
> looks like a good trick :-) I'm new to nix, I didn't even think about that
> stuff, cheers!
>
> Tom
>
To sum up: this method works pretty well as long as you use "echo -n" so it
won't add a new line at the end of your key. But the method is not the best,
as if there is any problem inside the script, the content of the file is
printed on the screen (during the boot process). Not a problem for me as I'm
using boot partition encryption, but it's kind of a concern. Anyway, thanks
for sharing this tip!


>
>> - Bryan
>>
>> > Is there any way to add key files to initrd? (I found some "extra"
>> options
>> > for boot partition but not for initrd, maybe there are some hooks I'm
>> not
>> > aware of)
>>
>
>
> --
> Tomasz Czyż
>



-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-09 Thread Bryan Gardiner
On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> Hi,
> 
> Continuation of this thread:
> http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
> 
> I already successfully set up crypted partitions for mdadm and for zfs. The
> system is mounting them properly with standard nixos configuration using
> ``boot.initrd.luks`` configs.
> 
> But for each mount I have to pass password/key. I thought I can put keys
> for all partitions to initrd as initrd is on encrypted boot partition
> (boot). The process would be like:
> * enter password for grub
> * grub loads initrd
> * initrd unlocks all other partitions
> 
> Currently it works for me in very strange way.
> I am using preLVMCommands option with "echo 'mykey' > /key".
> I don't like it because I cannot keep my configuration on git somewhere
> because it exposes my passwords.

How about doing something like:

preLVMCommands =
  let key = builtins.readFile ./keyfile; in
  "echo '${key}' >/key"

then putting keyfile in gitignore?

- Bryan

> Is there any way to add key files to initrd? (I found some "extra" options
> for boot partition but not for initrd, maybe there are some hooks I'm not
> aware of)




[Nix-dev] How to add file to initrd?

2015-09-08 Thread Tomasz Czyż
Hi,

Continuation of this thread:
http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880

I already successfully set up crypted partitions for mdadm and for zfs. The
system is mounting them properly with standard nixos configuration using
``boot.initrd.luks`` configs.

But for each mount I have to pass password/key. I thought I can put keys
for all partitions to initrd as initrd is on encrypted boot partition
(boot). The process would be like:
* enter password for grub
* grub loads initrd
* initrd unlocks all other partitions

Currently it works for me in very strange way.
I am using preLVMCommands option with "echo 'mykey' > /key".
I don't like it because I cannot keep my configuration on git somewhere
because it exposes my passwords.

Is there any way to add key files to initrd? (I found some "extra" options
for boot partition but not for initrd, maybe there are some hooks I'm not
aware of)

-- 
Tomasz Czyż


Re: [Nix-dev] How to add file to initrd?

2015-09-08 Thread phreedom
On Tuesday, September 08, 2015 20:09:16 Tomasz Czyż wrote:
> Is there any way to add key files to initrd? (I found some "extra" options
> for boot partition but not for initrd, maybe there are some hooks I'm not
> aware of)

boot.initrd.extraUtilsCommands looks like a good match.

-- Evgeny