New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/luksroot: add renewKey option #107038
Conversation
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
Gonna rebase that, thanks @SuperSandro2000 |
e404431
to
90f6b21
Compare
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
Add an option to allow to choose if the module should renew the LUKS key header at each boot which may not be neccesary in given cases. Co-authored-by: Hugo Lageneste <hugo.lageneste@visium.ch>
90f6b21
to
01beccd
Compare
do we have any luks users which have verified that this works as intended? Messing with low level partitions is not something I want to "accidentally" break for someone. |
I implemented it and tested it on my encrypted NixOS machine. |
I would really like to have another person verify. Just to avoid the, "works on my machine" possibility |
Please rebase. Whats the command to check if the header was renewed |
I will rebase. |
echo "Warning: Could not update LUKS key, current challenge persists!" | ||
fi | ||
|
||
rm -f /crypt-ramfs/new_key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be behind a TRAP?
new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)" | ||
fi | ||
|
||
echo -n "$new_k_luks" | hextorb > /crypt-ramfs/new_key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should /crypt-ramfs/new_key
be generated with mktemp
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shall we proceed with these suggestions in another PR since this one is just to add the renewKey option?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
idk, because indentation changed this line has a change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes just because of a condition
I am struggling with the rebase which adds thousands of commits in the tree and makes it impossible to retrieve the right ones. Any ideas why? |
What do you mean "retrieve the right ones". What rebase command are you running?
|
/marvin opt-in |
Hi! I'm an experimental bot. My goal is to guide this PR through its stages, hopefully ending with a merge. You can read up on the usage here. |
/status needs_reviewer |
Reminder: Please review! This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually. |
3 similar comments
Reminder: Please review! This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually. |
Reminder: Please review! This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually. |
Reminder: Please review! This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually. |
Thanks to @cgallay for the change.
Motivation for this change
Add an option to allow to choose if the LUKS module should renew the LUKS key header at each boot which may not be necessary in given cases.
It can also be an issue when there is not enough entropy at the boot stage when the LUKS key header is trying to be renewed.
Let the default value as
true
to keep the current behavior whenrenewKey
is not present.Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)