Hello fellow Guix users,
I want to decrypt a LUKS-encrypted device from a keyfile that is stored in a USB drive upon boot. The goal of this setup is to have the USB drive act like a key, and the computer cannot be decrypted without it. The process goes something like this:
- Insert USB drive containing keyfile.
- Boot computer.
- USB drive is automatically mounted.
- LUKS volumes are decrypted using the keyfile from the USB.
The Guix manual mentions that this keyfile can be declared in luks-device-mapping as an argument called, #:key-file. However, it does not go into further detail on how to make this file available during boot:
Key file is not stored in the store and needs to be available at the given location at the time of the unlock attempt.
Does anyone have a working configuration? Or can at least point me in the right direction?
Any help would be greatly appreciated.
I recommend taking a look at this page: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
This is probably what you want: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header
Or this: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Plain_dm-crypt
Which describes how to do what you want on Archlinux. You will have to find some of the analogous docs for Guix.
Okay, upon careful reading, it looks like the option you linked might not be what you want. What you might need is to tinker with the initramfs and the bootloader (explanation on archwiki here*) to find the key from the USB.
Guix does have options for the initramfs: https://guix.gnu.org/manual/devel/en/guix.html#Initial-RAM-Disk-1
You may also have to configure kernel parameters via the bootloader: https://guix.gnu.org/manual/devel/en/guix.html#Bootloader-Configuration-1 (but I didn’t see an option for kernel parameters in there.
There is also this for setting kernel parameters: https://guix.gnu.org/manual/devel/en/guix.html#System-Control-Service , but I suspect sysctl is too slow and will activate too late for your needs.
*You should probably read this page if you are unfamiliar with Linux boot process. It works the same on Guix, it’s just configured differently.