wishlist: disk encryption

Question

wishlist: disk encryption

risicle opened this issue 9 months ago · comments

It would be nice to be able to set up a machine with disk encryption using nixos-infect - particularly in situations where you don't have 100% assurance of the provider's disk-wiping procedure between tenants.

There are obviously a lot of challenges with this. LUKS-based full disk encryption is probably completely out of the question because of the way we start with an existing root filesystem. However I could imagine some mechanism using linux's "fscrypt" native filesystem encryption being possible. For instance it would be quite possible to set an encryption key for the empty /nix directory as it is created. It would be a little trickier for /home and /var but perhaps not impossible.

There would still be a lot of questions about how to provide the key to the instance at boot - NixOS's fscrypt support appears to be pretty basic and existing mechanisms seem to be centered around using pam to provide a user's key at login-time for homedir decryption.

Arguably there may even be some value in encryption when the key is stored on the disk - as long as you have the ability to ensure that region is overwritten before relinquishing the instance.

Eric Litak · Answer 1 · Mon Oct 23 2023 05:14:13 GMT+0800 (China Standard Time)

I agree. I've been meaning to start using fscrypt or ecryptfs in nixos. If you get it working, I'll make an effort to integrate it into the script. As a footnote, the nixos-assimilate project originally intended to kexec to ramdisk and re-partition in situ, which would have made using LUKS easy. It was far more comprehensive, but abandoned a long time ago.

…

On Sun, Oct 22, 2023, 12:59 PM Robert Scott ***@***.***> wrote: It would be nice to be able to set up a machine with disk encryption using nixos-infect - particularly in situations where you don't have 100% assurance of the provider's disk-wiping procedure between tenants. There are obviously a lot of challenges with this. LUKS-based full disk encryption is probably completely out of the question because of the way we start with an existing root filesystem. However I could imagine some mechanism using linux's "fscrypt" native filesystem encryption being possible. For instance it would be quite possible to set an encryption key for the empty /nix directory as it is created. It would be a little trickier for /home and /var but perhaps not impossible. There would still be a lot of questions about how to provide the key to the instance at boot - NixOS's fscrypt support appears to be pretty basic and existing mechanisms seem to be centered around using pam to provide a user's key at login-time for homedir decryption. Arguably there may even be some value in encryption when the key is stored on the disk - as long as you have the ability to ensure that region is overwritten before relinquishing the instance. — Reply to this email directly, view it on GitHub <#175>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAF3YMLEU6B25CXJBRBWWRTYAV3LVAVCNFSM6AAAAAA6LDZBH2VHI2DSMVQWIX3LMV43ASLTON2WKOZRHE2TMMBTGU4DCNQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Robert Scott · Answer 2 · Mon Nov 20 2023 03:49:38 GMT+0800 (China Standard Time)

Did a bit more investigation, and most paths forward seem tricky.

It looks to me like achieving this would need modifications to the upstream lustrate code in stage 1, which probably rules out the hackiest (easiest?) of solutions as there would (quite rightly) be a higher standard expected for acceptance.

One of the awkward aspects comes from how the lustrate process will purge the root fs directory of everything but /nix and /boot, which would cause other dirs to be initialized from-scratch, losing any encryption context given to them by nixos-infect. A possibility would be to introduce a piece of configuration akin to NIXOS_LUSTRATE that listed a set of top-level directories that the boot process should ensure exist and are set to the lustrate-crypt's encryption context.

This would be lacking the elegance of NIXOS_LUSTRATE - which is not needed after the first boot - whereas this would need to be performed on every boot. This is one of those places where nixos' attitude to (parts of) the root filesystem being fairly ephemeral works against us.

Perhaps framing it as a lustrate-related feature at all is unhelpful and perhaps it could be called toplevelFSCrypt, earlyFSCrypt, betterThanNothingFSCrypt.