New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support wrapping a file system under LUKS #54494
Conversation
See: 47808d8b7d8
Oh, one thing to note: I'm not 100% sure, but I strongly suspect that having the filesystem with the LUKS header where the passphrase is simply PASSPHRASE will allow accessing the encrypted data even after the passphrase has been changed, simply by using the old header. This is probably worth a mention in the PR. |
A brief conversation on ##nixos@irc.freenode.net and NixOS/nixpkgs#54494 (comment) pointed out that having a temporary passphrase is insecure. This commit allows two things: a) For the security-critical people to call wrap-luks outside of Nix, this requires additional machinery to feed the output back into Nix; and b) Using .overrideDerivation on the derivation to change the default passphrase.
@lheckemann Thanks! I'll get back to this PR soon. |
Using overrideDerivation isn't any more secure than using a temporary passphrase, as anyone with access to the store can just get the passphrase from the drv. It's not critically broken, it just needs to be clear that this is not safe to use on stores which untrusted parties have access to. |
Are there any updates on this pull request, please? |
@adrianparvino would you be opposed to closing this? As we've discussed (also on IRC), there's not really a way to make this work really securely and usefully. |
Hi. Not at all. I agree that this should also be closed. Please do keep the
other PR though.
…On Tue, Aug 20, 2019, 3:43 PM Linus Heckemann ***@***.***> wrote:
@adrianparvino <https://github.com/adrianparvino> would you be opposed to
closing this? As we've discussed (also on IRC), there's not really a way to
make this work really securely and usefully.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#54494?email_source=notifications&email_token=AGAEEU47KBLMIRL3ELNLYCTQFOOAPA5CNFSM4GRZ3PYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4VMDGY#issuecomment-522895771>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGAEEU7GBU2JK3KXDEHATQTQFOOAPANCNFSM4GRZ3PYA>
.
|
I'm not sure I fully understand the original intent, but what about building an image with some encrypted partition where the passphrase is supplied with |
Motivation for this change
Produces a luks-encrypted image to be mounted by #53600
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)