[Nix-dev] Smart Card support in initramfs

tsuraan tsuraan at gmail.com
Wed Aug 13 21:06:48 CEST 2014


I've found the NixOS encrypted root page
(https://nixos.org/wiki/Encrypted_Root_on_NixOS), and set that up.
It's really nice and clean, and I like it. However, my current setup
(running Gentoo) has two complications that I haven't figured out how
to do in Nix. The first is that my luks passphrase is a
randomly-generated file that is gnupg encrypted to a key that only
exists on my smart card. So, that luks command to open the root device
is "gpg2 -d /lukskey | cryptsetup luksOpen --key-file - /dev/sda3
root" instead of the typical luksOpen call. The other fun bit is that
I boot directly from UEFI, so my kernel and initramfs are compiled
into a single unit. This also makes it so that the signed kernel includes
the initramfs that unlocks the encrypted file system.

So, I'm wondering, how can I get gnupg, pcscd, and ccid into a Nix
initramfs, and how can I get the initramfs's init to use gpg in its
luksOpen call? I'm thinking that, from the configuration.nix side, I'd
want to just specify a pgp blob (boot.initrd.luks.encryptedkey =
''-----BEGIN PGP MESSAGE----- ...'') and specify that I want to use a
smart card (boot.initrd.luks.smartcard=true), or something like that.
Where should I look to start hacking?

The other bit is whether the Nix kernel builder can handle
dependencies in its kernelExtraConfig
(kernelExtraConfig="INITRAMFS_SOURCE=\"/boot/initramfs\""), and build
the initramfs before it builds the kernel. I haven't tried that yet,
and I'm actually not even really sure where Nix writes its initramfs
file, so that's something else I'm curious about, I guess.

Thanks in advance!
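Added example (not code from this post, and not NixOS's own initrd code): a small POSIX sh helper showing how the "gpg2 -d /lukskey | cryptsetup luksOpen --key-file - /dev/sda3 root" step from the post can be carried out inside an initramfs in a way that reports card, PIN and key failures separately. It assumes gpg2 (with the card's key stub in its keyring), scdaemon, a pinentry and cryptsetup are all present in the initrd, and that KEY_FIFO_DIR is a tmpfs; the function names, the FIFO approach, the poll interval and the three-attempt PIN retry are my design choices. Command names and timings are overridable through environment variables so the control flow can be exercised without a card or a LUKS volume.

```shell
#!/bin/sh
# Added example, not from the post or from NixOS: initrd-side unlock helper for
# a LUKS key file that is GPG-encrypted to a key living on a smart card.
# Assumptions: gpg2, scdaemon, pinentry and cryptsetup are in the initramfs and
# KEY_FIFO_DIR is a tmpfs. Overridable so the logic can be tested without a card.

GPG="${GPG:-gpg2}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
KEY_FIFO_DIR="${KEY_FIFO_DIR:-/run}"              # assumed tmpfs in the initrd
CARD_POLL_INTERVAL="${CARD_POLL_INTERVAL:-1}"     # seconds between card polls

# Poll until a card is present: "gpg2 --card-status" exits non-zero without one.
wait_for_card() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        "$GPG" --card-status >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep "$CARD_POLL_INTERVAL"
    done
    return 1
}

# Decrypt the key file with the card and hand the plaintext to cryptsetup over
# a FIFO, so the key is never written to a regular file. Unlike a plain pipe
# this also yields gpg's own exit status, so a PIN failure is not reported as
# "cryptsetup rejected the key". Returns 0 on success, 1 if gpg (card/PIN)
# failed, 2 if cryptsetup rejected the key, 3 if the FIFO could not be made.
unlock_with_card() {
    keyfile="$1"; device="$2"; name="$3"
    fifo="$KEY_FIFO_DIR/luks-key.$$"
    mkfifo -m 600 "$fifo" || return 3
    # The writer blocks on opening the FIFO until the reader side opens below.
    "$GPG" --decrypt "$keyfile" > "$fifo" &
    gpg_pid=$!
    exec 3<"$fifo"
    cs_status=0
    "$CRYPTSETUP" luksOpen --key-file - "$device" "$name" <&3 || cs_status=$?
    exec 3<&-
    gpg_status=0
    wait "$gpg_pid" || gpg_status=$?
    rm -f "$fifo"
    [ "$gpg_status" -eq 0 ] || return 1
    [ "$cs_status" -eq 0 ] || return 2
    return 0
}

# Full sequence: wait for the card, then allow three PIN attempts. Any failure
# other than a gpg failure (wrong key file, wrong device) is returned at once.
unlock_root() {
    wait_for_card 30 || return 1
    attempt=1
    while [ "$attempt" -le 3 ]; do
        unlock_with_card "$1" "$2" "$3"
        rc=$?
        [ "$rc" -ne 1 ] && return "$rc"
        echo "decrypt failed (attempt $attempt of 3)" >&2
        attempt=$((attempt + 1))
    done
    return 1
}

# Stand-alone use from an initrd hook, e.g.: unlock-root.sh /lukskey /dev/sda3 root
if [ "$#" -eq 3 ]; then
    unlock_root "$@"
fi
```

The FIFO lives in a tmpfs and is removed on every exit path, so the decrypted key only ever exists in kernel pipe buffers and in cryptsetup's memory; the separate exit codes let the init script distinguish "no card / wrong PIN" (retry) from "key rejected" (stop and fall back to a passphrase prompt). Later NixOS releases added a `gpgCard` setting under `boot.initrd.luks.devices.<name>` (enabled through `boot.initrd.luks.gpgSupport`) that generates roughly this sequence; check the options manual of the release in use for the exact names.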

