Hi,

some...@selfhosted.xyz wrote:
> Someone might have better suggestions but until then here's my
> thoughts on it:
>
> There's some step-by-step instructions for setting up a grub-password
> and then setting a path to a luks keyfile in grub on a system using
> Libreboot and Parabola here:
> https://wiki.selfhosted.xyz/doku.php?id=it:computer_setup:encrypted_parabola_installation_guide#boot_configuration
>
> This could possibly be adapted to GuixSD. In short the steps involved
> (without setting up grub's password authentication) are:
>
> -generate key and add to your luksdrive
>   dd bs=512 count=4 if=/dev/urandom of=/etc/my_cryptkey iflag=fullblock
>   cryptsetup luksAddKey /dev/sda1 /etc/my_cryptkey
> -Regenerate initramfs (using the mkinitcpio bash-script)
>   zile /etc/mkinitcpio.conf
>   FILES="/etc/my_cryptkey"
>   mkinitcpio -p linux-libre (or linux-libre-lts or linux-libre-grsec or all
>   of them)
> -Then add a configuration line to your grub config's default
> menu-entry on the linux-line:
>   linux /boot .... cryptkey=rootfs:/etc/my_cryptkey
>
> For details on setting up the password etc see the link above.

Adding the cryptsetup passphrase in a file in the initrd is doable (with
the initrd living on the encrypted file system).

Sounds like a good idea that we could implement in GuixSD (although care
must be taken not to store the passphrase file in the store.)

Thanks,
Ludo’.
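
An added example, not part of the original thread and not Guix or Parabola code: a shell check for the caveat above, confirming that the keyfile to be embedded in the initrd does not resolve into the world-readable store and carries no group or other permission bits. The function name check_keyfile and the STORE_DIR variable are assumptions of this example; it relies on GNU readlink -f and stat -c.

```shell
#!/bin/sh
# Added example: audit a LUKS keyfile before it is embedded in an initrd.
# STORE_DIR defaults to /gnu/store (assumed location of the world-readable
# Guix store); check_keyfile is this example's own helper.
STORE_DIR="${STORE_DIR:-/gnu/store}"

check_keyfile() {
    keyfile="$1"
    # Resolve symlinks first: a path such as /etc/my_cryptkey may be a
    # symlink into the store, which would expose the key to every user.
    real=$(readlink -f -- "$keyfile") || { echo "cannot resolve: $keyfile"; return 2; }
    [ -f "$real" ] || { echo "not a regular file: $real"; return 2; }

    # Resolve the store directory too, falling back to the literal path
    # when it does not exist on this machine.
    store=$(readlink -f -- "$STORE_DIR" 2>/dev/null || printf '%s' "$STORE_DIR")
    case "$real" in
        "$store"/*) echo "FAIL: $real is inside the store $store"; return 1 ;;
    esac

    # Octal mode, e.g. 600 or 644. Accept only modes whose group and
    # other digits are both zero.
    mode=$(stat -c '%a' -- "$real")
    case "$mode" in
        0|*00) ;;
        *) echo "FAIL: $real has mode $mode (group/other access)"; return 1 ;;
    esac

    echo "OK: $real (mode $mode)"
    return 0
}

# Stand-alone use: sh check_keyfile.sh /etc/my_cryptkey
if [ "$#" -gt 0 ]; then
    check_keyfile "$1"
fi
```

Exit status 0 means the keyfile passed both checks, 1 means it is exposed, and 2 means the path could not be inspected.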