Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

luksroot: Use keyctl over ramfs #273591

Open
stackcoder opened this issue Dec 11, 2023 · 9 comments
Open

luksroot: Use keyctl over ramfs #273591

stackcoder opened this issue Dec 11, 2023 · 9 comments

Comments

@stackcoder
Copy link

When the option reusePassphrases is activated nixos stores the plaintext passphrase on a ramdisk located at /crypt-ramfs/passphrase. The wohle ramdisk is destoryed using umount later by postCommands. While umount just frees the memory the password might still resists somewhere.

Even if a ramdisk is used here, the Kernel Key Retention Service resp. keyctl is better suited for this purpose. That's how Debian implemented their luks passphrase caching, within mostly two scripts: decrypt_keyctl and cryptdisks-functions.

Compared to the current solution kernel keyring offers advantages:

  • More secure, the kernel handles expiry
  • No explicit and currently missing wipe of the passphrase file neccessary
  • Unlock multiple disks in paralell or disks attached later using systemd units
  • Could be accessible after initrd stage to derive sectrets for other services

What do you think of using keyctl over ramfs for reusePassphrases, should we replace it or add an option? If I would make a PR for this, is there a chance to get it upstream?
@flokli
Copy link
Contributor

flokli commented Dec 11, 2023

How does this relate to systemd-ask-password and friends, which we use at least in the systemd-in-initrd case?

cc @ElvishJerricco @RaitoBezarius

@RaitoBezarius
Copy link
Member

I think the ramfs stuff will disappear as soon as we deprecate the scripted stage 1. So I don't know if this is a good idea to spend time on that.

@NickCao
Copy link
Member

NickCao commented Dec 12, 2023

How does this relate to systemd-ask-password and friends, which we use at least in the systemd-in-initrd case?

systemd-ask-password can cache passwords in the kernel keyring, so potentially related.

@stackcoder
Copy link
Author

@RaitoBezarius Thanks for pointing that out! What will replace the current scripted stage 1, does this mean systemd-in-initrd with systemd-ask-password?

I am curious how the many cases such as yubikey and gpg can be realized without scripting. Is there something I can already switch to or help with instead of patching scripted stage 1?

@ElvishJerricco
Copy link
Contributor

@stackcoder It's likely we'll have to deprecate the old yubikey and gpg things along with scripted stage 1. They're very obscure in terms of implementation anyway. systemd-initrd makes it very easy to use FIDO2 though, so I hope we have most users covered that way.

Anyway, yes, systemd-initrd does already use the kernel keyring for exactly this purpose.

@Joseph-DiGiovanni
Copy link

  • Could be accessible after initrd stage to derive secrets for other services

I'd like to see this PR just for this option really. It would be nice to cache my luks password to unlock my gnome-keyring with auto/biometric login like debian/fedora do.

@stackcoder
Copy link
Author

stackcoder commented Apr 14, 2024
edited
Loading

I've tried to switch to systemd using the boot.initrd.systemd.enable option. Which ended up really annoying:

First boot.initrd.systemd lacks mkMerge or something like that, so nix required me to write my config in a specific order.
Also when I was not supplying the password immediately on time, systemd goes to emergency mode and sucks there forever. In best case, you're still be able to reboot again via ssh. In worst case you'll need physical access to the machine. Maybe some extra config could help - just switching to systemd is completely unusable. Can some one provide a better working full example? Maybe mount option x-systemd.mount-timeout=0 could help.

Sorry but scripted stage 1 is (at least at this time) much more reliable to bring up the system.

@ElvishJerricco
Copy link
Contributor

ElvishJerricco commented Apr 15, 2024
edited
Loading

@stackcoder None of that has anything to do with this issue. But I'll reply briefly and direct you to better places to go for support.

  1. It's not possible for it to "lack mkMerge". That's part of the module system, not part of any individual options. I have no idea what you're talking about with this one. If you can demonstrate what you mean, please open another issue or ask on matrix what's going wrong, because your description is not possible.
  2. The disk timeout problem already has an issue and it has been described at length. I agree it's not ideal, but we're still in search of a solution for this one that isn't just "no disk timeouts" or "everything is after cryptsetup.target", because obviously neither of those is ideal. There are workarounds you can implement for yourself; or actually, the most correct thing to do isn't even a workaround: Use device = "/dev/mapper/foo"; for your LUKS file systems instead of device = "/dev/disk/by-uuid/asdfasdf";.

@stackcoder stackcoder mentioned this issue Apr 23, 2024
Closed
@nixos-discourse
Copy link

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/unlocking-multiple-luks-devices-with-same-passphrase/45856/13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@flokli @RaitoBezarius @ElvishJerricco @stackcoder @NickCao @Joseph-DiGiovanni @nixos-discourse