[Nix-dev] How to add file to initrd?

Bryan Gardiner bog at khumba.net
Fri Sep 11 16:31:00 CEST 2015


On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>:
> 
> > (Argh, replying to the list this time...)
> >
> > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <bog at khumba.net>:
> > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > [...]
> > >
> > > How about doing something like:
> > >
> > >     preLVMCommands =
> > >       let key = builtins.readFile ./keyfile; in
> > >       "echo '${key}' >/key"
> > >
> >
> > Do note that by doing this, the key will get embedded somewhere in
> > /nix/store, with world-readable unix permissions.
> 
> Mhm, that's definitely not cool. I thought it would appear only inside
> the initrd image :[
> Do you think there is any other way to put this key in the initrd?

If you don't want it in plain text, you could compress or obfuscate it
by any means, then reverse that in the initrd...  The
extraUtilsCommands method will certainly result in "not simply plain
text."  Though this is security by obscurity, and I don't know a quick
way to truly secure it without having to enter your password an extra
time.  Nix doesn't support non-world-readable data in the store.

Can Grub pass its unlock password to the initrd?  If so, you could
decrypt the keyfile with that, and only put an encrypted keyfile in
the store.

Or maybe you could restrict non-root users from accessing the initrds
in the store via grsec or apparmor.

Cheers,
Bryan
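The failure mode Tuomas describes (the key ending up in a world-readable file under the store once it is interpolated into the stage-1 script) is easy to check for after the fact. The following script is an added example, not code from this thread or from Nixpkgs: it walks a store-like directory, lists every world-readable regular file that contains a line of the keyfile, and returns non-zero if it finds any. The directory names, file names and the key value it builds for the demonstration are all constructed.

```shell
#!/bin/sh
# Added example, not code from the nix-dev thread: a defender-side check that
# a keyfile's contents have not been written into any world-readable file
# under a store-like tree. Every path and the sample key are constructed.

# store_key_leaks STORE_DIR KEYFILE
# Prints every world-readable regular file under STORE_DIR that contains a
# line of KEYFILE. Returns 0 if nothing leaked, 1 otherwise.
# The key reaches grep through -f (a file), not the command line, so it is
# not visible in the process list while the check runs. An empty line in the
# keyfile would match every file, so keep the keyfile to the key itself.
store_key_leaks() {
    store_dir=$1
    keyfile=$2
    # -perm -004: the "other" read bit is set, i.e. any local user can read it.
    # grep -F -f: fixed-string patterns, one per line of the keyfile.
    leaks=$(find "$store_dir" -type f -perm -004 \
                -exec grep -lF -f "$keyfile" {} + 2>/dev/null | sort)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# make_sample_store DIR
# Builds a constructed miniature "store" under DIR to run the check against:
#  - a world-readable stage-1 script that embeds the key verbatim, which is
#    what reading the key with readFile and interpolating it would produce;
#  - the same key in a file readable by its owner only;
#  - an unrelated world-readable file.
make_sample_store() {
    dir=$1
    mkdir -p "$dir/store/constructed-stage-1" \
             "$dir/store/constructed-secrets" \
             "$dir/store/constructed-other"
    printf 'constructed-key-0123abcd\n' > "$dir/keyfile"
    chmod 600 "$dir/keyfile"
    cat > "$dir/store/constructed-stage-1/init" <<'EOF'
#!/bin/sh
echo 'constructed-key-0123abcd' >/key
EOF
    chmod 444 "$dir/store/constructed-stage-1/init"
    cp "$dir/keyfile" "$dir/store/constructed-secrets/key"
    chmod 400 "$dir/store/constructed-secrets/key"
    printf 'nothing secret here\n' > "$dir/store/constructed-other/README"
    chmod 444 "$dir/store/constructed-other/README"
}

# Stand-alone run: build the sample store in a temporary directory, run the
# check and report. Only the stage-1 script should be listed.
demo_dir=$(mktemp -d)
make_sample_store "$demo_dir"
if store_key_leaks "$demo_dir/store" "$demo_dir/keyfile"; then
    echo "no world-readable copies of the key found"
else
    echo "key found in the world-readable file(s) listed above"
fi
rm -rf "$demo_dir"
```

Run it against a real system as `store_key_leaks /nix/store /path/to/keyfile` (with the keyfile itself kept mode 0600). The check only looks at the "other" read bit, which is what matters for the store: anything there is readable by every local user, so a clean result from the mode-0400 copy is expected and a hit on the stage-1 script is the leak the thread is talking about.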