nix/auto-luks.nix: remove reference to auto-generated passphrase #991

Closed
wants to merge 1 commit into from

@eqyiel eqyiel commented Aug 19, 2018

If this feature exists, it doesn't work right now due to the assertion here:

    in assert attrs.passphrase != ""; nameValuePair "cryptsetup-${name}"

If this feature exists, it doesn't work due to the assertion in this file.
@AmineChikhaoui
Member

This feature exists and does work properly; the nixops backends (Python parts) take care of generating the passphrases and creating the physical spec with the appropriate block device mappings + passphrases. In the EC2 backend, for example, setting encrypt = true; in the filesystem config will trigger the generation of a passphrase.

@eqyiel
Author

eqyiel commented Aug 20, 2018

@AmineChikhaoui thanks for pointing out that there's a difference between deployment.autoLuks.<name>.passphrase and fileSystems.*.ec2.passphrase.

If I understand you correctly, I should be using fileSystems.*.ec2 instead of editing deployment.autoLuks.<name>.* directly (because it gets passed there anyway)?

nixops/nix/ec2.nix

Lines 465 to 472 in cf47cfd

    deployment.autoLuks =
      let
        f = name: dev: nameValuePair (baseNameOf name)
          { device = "/dev/${baseNameOf name}";
            autoFormat = true;
            inherit (dev) cipher keySize passphrase;
          };
      in mapAttrs' f (filterAttrs (name: dev: dev.encrypt) cfg.blockDeviceMapping);

Even so, I think this change should be made because it's not possible to not set a passphrase if you use deployment.autoLuks.<name> directly.

That is, this description should not change:

nixops/nix/ec2.nix

Lines 115 to 128 in cf47cfd

    passphrase = mkOption {
      default = "";
      type = types.str;
      description = ''
        The passphrase (key file) used to decrypt the key to access
        the device. If left empty, a passphrase is generated
        automatically; this passphrase is lost when you destroy the
        machine or remove the volume, unless you copy it from
        NixOps's state file. Note that the passphrase is stored in
        the Nix store of the instance, so an attacker who gains
        access to the EBS volume or instance store that contains the
        Nix store can subsequently decrypt the encrypted volume.
      '';
    };

but this one should:

nixops/nix/auto-luks.nix

Lines 43 to 58 in cf47cfd

    passphrase = mkOption {
      default = "";
      type = types.str;
      description = ''
        The passphrase (key file) used to decrypt the key to access
        the volume. If left empty, a passphrase is generated
        automatically; this passphrase is lost when you destroy the
        machine or underlying device, unless you copy it from
        NixOps's state file. Note that unless
        <option>deployment.storeKeysOnMachine</option> is set to
        <literal>false</literal>, the passphrase is stored in the
        Nix store of the instance, so an attacker who gains access
        to the disk containing the store can subsequently decrypt
        the encrypted volume.
      '';
    };
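
The two configuration paths discussed in this thread, side by side, as an added example that is not part of the original conversation or the nixops code base. The machine name, mount point, device names, volume size and the placeholder passphrase are constructed assumptions.

```nix
# Constructed NixOps network fragment (illustration only).
{
  machine = { ... }: {
    deployment.targetEnv = "ec2";

    # Path 1: go through the EC2 backend. Per the maintainer's comment,
    # setting encrypt = true here makes the backend generate a passphrase
    # (fileSystems.*.ec2.passphrase stays at its default "") and pass it
    # on to deployment.autoLuks via the mapping in nix/ec2.nix.
    fileSystems."/data" = {
      autoFormat = true;
      fsType = "ext4";
      device = "/dev/mapper/xvdf";   # LUKS mapping on top of /dev/xvdf
      ec2.size = 100;                # constructed value
      ec2.encrypt = true;
    };

    # Path 2: set deployment.autoLuks.<name> directly. The assertion
    # quoted in this thread (attrs.passphrase != "") rejects an empty
    # value, so a passphrase has to be given explicitly on this path.
    deployment.autoLuks.secretdisk = {
      device = "/dev/xvdg";          # assumed existing block device
      autoFormat = true;
      passphrase = "REPLACE-WITH-SECRET";  # placeholder, not a real value
    };

    # Per the auto-luks.nix option description, the passphrase ends up in
    # the instance's Nix store unless this option is set to false.
    deployment.storeKeysOnMachine = false;
  };
}
```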
