[Nix-dev] How to add file to initrd?
Tomasz Czyż
tomasz.czyz at gmail.com
Fri Sep 11 16:39:34 CEST 2015
2015-09-11 15:31 GMT+01:00 Bryan Gardiner <bog at khumba.net>:
> On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>:
> >
> > > (Argh, replying to the list this time...)
> > >
> > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <bog at khumba.net>:
> > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > [...]
> > > >
> > > > How about doing something like:
> > > >
> > > > preLVMCommands =
> > > > let key = builtins.readFile ./keyfile; in
> > > > "echo '${key}' >/key"
> > > >
> > >
> > > Do note that by doing this, the key will get embedded somewhere in
> > > /nix/store, with world-readable unix permissions.
> >
> > Mhm, that's definitely not cool. I thought it would appear only inside
> > the initrd image :[
> > Do you think there is any other way to put this key in the initrd?
>
> If you don't want it in plain text, you could compress or obfuscate it
> by any means, then reverse that in the initrd... The
> extraUtilsCommands method will certainly result in "not simply plain
> text." Though this is security by obscurity, and I don't know a quick
> way to truly secure it without having to enter your password an extra
> time. Nix doesn't support non-world-readable data in the store.
>
Thanks for the explanation.
>
> Can Grub pass its unlock password to the initrd? If so, you could
> decrypt the keyfile with that, and only put an encrypted keyfile in
> the store.
>
Not really, that's why I want to put the key inside the initrd. Otherwise I could
decrypt the partitions with the passphrase from grub.
>
> Or maybe you could restrict non-root users from accessing the initrds
> in the store via grsec or apparmor.
>
Mhm, I see.
What about putting something into the initrd but not adding it to the nix store?
Do you think there is any initrd hook I can use to add stuff?
Tom
>
> Cheers,
> Bryan
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
--
Tomasz Czyż
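A check for the exposure Tuomas describes above, added here as an example and not part of the thread: a key spliced into the initrd build with `builtins.readFile` lands in a world-readable file under /nix/store, and this script scans a store tree for world-readable files containing the keyfile's text. It assumes the key is text (as the quoted `echo '${key}' >/key` treats it), takes any directory as the store to scan, and finds the key only in uncompressed store files such as the stage-1 script, not inside a compressed initrd image.

```shell
#!/bin/sh
# Added example, not from the thread or from NixOS itself.
# find_key_leaks KEYFILE [STORE]
# Prints each world-readable regular file under STORE (default /nix/store)
# whose contents include the key. Exit status: 0 no leak found,
# 1 at least one leaking file, 2 unusable keyfile.
find_key_leaks() {
  fkl_keyfile=$1
  fkl_store=${2:-/nix/store}
  fkl_key=$(cat "$fkl_keyfile") || return 2
  [ -n "$fkl_key" ] || { echo "find_key_leaks: empty keyfile" >&2; return 2; }
  # -perm -004: the "other" read bit is set, so any local user can read it.
  fkl_hits=$(find "$fkl_store" -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
      # -F: match the key literally; -a: also look inside binary files.
      grep -qaF -e "$fkl_key" "$f" 2>/dev/null && printf '%s\n' "$f"
    done)
  [ -n "$fkl_hits" ] || return 0
  printf '%s\n' "$fkl_hits"
  return 1
}

# Demo on a constructed store tree under a temp dir (not the real /nix/store):
# one file mimics a generated stage-1 script that embeds the key.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/store/aaa-initrd-stage1" "$d/store/bbb-unrelated"
  printf 'constructed-sample-key-42\n' > "$d/keyfile"
  printf "echo 'constructed-sample-key-42' >/key\n" > "$d/store/aaa-initrd-stage1/init"
  chmod 644 "$d/store/aaa-initrd-stage1/init"
  printf 'no secrets here\n' > "$d/store/bbb-unrelated/README"
  if find_key_leaks "$d/keyfile" "$d/store"; then
    echo "no leak"
  else
    echo "key is readable by every local user in the files listed above"
  fi
  rm -rf "$d"
}
```

Run `demo` to see the constructed case, or `find_key_leaks /path/to/keyfile` against the real store on a machine built with the quoted preLVMCommands snippet.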