elaexuo...@wilsonb.com writes:

> Anyway, is there a straightforward way to configure a mapping device for LUKS
> with a detached header? Otherwise, what's the best way to go about passing
> command line options to the initrd cryptsetup call?
>
> For a little context, I like my drive to look just like random data to a third
> party; however, the presence of a LUKS header pretty much defeats plausible
> deniability of hosting encrypted data. Thus, detached headers.
>
> To that end, with my current non-guix setup, I have /boot and grub sitting on
> an external drive, with dracut shoving the LUKS header in the initrd. Then
> crypttab references said header, so the initrd cryptsetup call Just Works TM.

I'm not sure. On your non-Guix setup, the crypttab exists in the initrd,
right? And that initrd exists in the /boot directory on the external drive,
right?

Have you looked into how you can customize the initrd in Guix? It's
described in the "Initial RAM Disk" section of the manual:

https://guix.gnu.org/manual/en/html_node/Initial-RAM-Disk.html#Initial-RAM-Disk

If I understand your non-Guix configuration right, it sounds like you put
the initrd on the external drive. Guix normally installs the initrd into
the store, and then adds to the Grub configuration file a reference to the
initrd in the store, like this:

  menuentry "GNU with Linux-Libre 5.1.2 (#1, 2019-09-13 22:12)" {
    search --label --set root
    linux /gnu/store/mmnl20fg05w8gzzsp4d8dvagmdn1vjil-linux-libre-5.1.2/bzImage --root=root --system=/var/guix/profiles/system-1-link --load=/var/guix/profiles/system-1-link/boot quiet
    initrd /gnu/store/af8h57i9h77r5q9djvviyy4s2gfbnwq8-raw-initrd/initrd.cpio.gz
  }

So, it might be a little tricky to convince Guix to do the right thing for
your use case. Also, I think Grub has the ability to read LUKS volumes, but
I'm not sure how to configure it.

If you figure out a configuration that works, please do share it! Hopefully
something in my email is helpful to you.

--
Chris