Hello Johannes,

> Hello,
>
> a side question:
>
> On 2021-01-08 07:36, Chris Murphy wrote:
> > The kernel and initramfs aren't secrets, don't need to be encrypted.
>
> I wonder whether it can ever happen that the initramfs contains secrets like whatever private keys or password hashes or things like that?
Chris actually talked about that in his post. If some stage in the boot process is encrypted, the predecessor stage needs the means to retrieve the secrets and decrypt it. And *some* stage in the boot process needs to be unencrypted, so that it can be booted by the HW without prior access to keys or pass phrases. A "small generic initramfs" as suggested by Chris would be one obvious option. Other options would be adding the functionality to the boot loader (grub), or using firmware based encryption / measurement (TXT, anyone? :-).

OTOH, retrieving secrets and decrypting almost arbitrary storage isn't a trivial task. Given that there are lots of encryption schemes and many different ideas of how to store secrets (pass phrase, USB stick, TPM, yubikey/smart card, biometric devices, and any combinations thereof), it requires a rather large-ish and flexible software stack. From the Linux PoV, this excludes the FW option, because FW lacks the flexibility to support the multitude of different preferences that Linux users have. Chris' small generic initramfs actually looks most promising to me in this regard, if there is really a need to encrypt the actual initramfs. If that small generic file needs to be re-built on a regular basis, the question arises how *this* image would be protected from inclusion of sensitive secrets ... something other than dracut must be used to build it, for sure.
> E.g. an admin may need extended functionality in his initramfs, so his particular initramfs may contain more things than usual and even unexpected things.
I'd say that an administrator doing things this way is misguided, and would need to take the responsibility for protecting his secrets himself. In general, the initramfs should be minimal, and distros should do their best to enforce or at least encourage that. But I digress.
> Furthermore, when someone uses LUKS he probably wants to have all and everything encrypted to be completely on the safe side without the need to always think about what gets stored where.
You need to start somewhere. Total encryption is an illusion as long as you're not using HW/FW based technology. Moreover, if you deal with highly sensitive material such as secrets to access data, you *ought* to think about where they get stored. I agree that using full disk encryption simplifies this, but it's mostly a matter of convenience, not security. I, for one, have never bothered to encrypt /boot.
Regards,
Martin
--
Dr. Martin Wilck
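The worry raised in this exchange is that a regularly rebuilt initramfs quietly picks up key material or password hashes that then sit in an unencrypted boot stage. As an added example (not code from the thread, from dracut, or from any other initramfs tool), here is a small checker that unpacks a newc-format cpio initramfs (gzip- or xz-compressed, or bare) and flags private keys, crypt(3)-style hash fields and well-known sensitive paths. The path and content patterns, the helper names and the gzip-compressed sample image are all assumptions constructed for the example.

```python
"""Scan an initramfs image for secrets that should not sit in an
unencrypted boot stage.  Added example, not code from the thread or from
dracut; the path/content patterns and the sample image are assumptions."""
import gzip
import lzma
import re
import sys
from typing import Iterator, List, Tuple

NEWC_MAGIC = b"070701"
NEWC_HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 hex digits

# Content patterns (assumed): PEM/OpenSSH private keys and crypt(3) hashes
# in shadow-style "name:$id$salt$hash:" records.
CONTENT_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "crypt-hash": re.compile(rb"^[^:\n]+:\$(?:1|2[aby]|5|6|7|y)\$[^:\n]+:", re.M),
}
# Path patterns (assumed): files that are sensitive whatever they contain.
NAME_PATTERNS = {
    "shadow-file": re.compile(r"(?:^|/)etc/g?shadow$"),
    "key-file": re.compile(
        r"(?:(?:^|/)(?:ssh_host_[a-z0-9]+_key|id_(?:rsa|ecdsa|ed25519))"
        r"|\.(?:key|pem|p12|pfx|keytab))$"),
}


def decompress(blob: bytes) -> bytes:
    """Undo gzip or xz compression; a bare cpio passes through.  (An image
    consisting of an uncompressed early-microcode cpio followed by a
    compressed one is not handled here.)"""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(blob)
    return blob


def _pad4(n: int) -> int:
    """Bytes needed to bring n up to a multiple of 4."""
    return (-n) % 4


def newc_entry(name: str, mode: int, data: bytes) -> bytes:
    """Serialise one newc member: header, NUL-terminated name and data,
    with header+name and data each padded to a 4-byte boundary."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields) + name_b
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def build_newc(entries: List[Tuple[str, int, bytes]]) -> bytes:
    """Archive (name, mode, data) triples, ending with the TRAILER!!! member."""
    body = b"".join(newc_entry(n, m, d) for n, m, d in entries)
    return body + newc_entry("TRAILER!!!", 0, b"")


def iter_newc(blob: bytes) -> Iterator[Tuple[str, int, bytes]]:
    """Yield (name, mode, data) for every member up to the trailer."""
    off = 0
    while off + NEWC_HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        start = off + NEWC_HEADER_LEN
        name = blob[start:start + namesize - 1].decode()   # drop the NUL
        off = start + namesize
        off += _pad4(off)                 # entries start 4-aligned, so absolute padding works
        data = blob[off:off + size]
        off += size + _pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def scan(image: bytes) -> List[Tuple[str, str]]:
    """Return sorted (path, finding) pairs for members that look like secrets."""
    findings = set()
    for name, _mode, data in iter_newc(decompress(image)):
        for kind, pat in NAME_PATTERNS.items():
            if pat.search(name):
                findings.add((name, kind))
        for kind, pat in CONTENT_PATTERNS.items():
            if pat.search(data):
                findings.add((name, kind))
    return sorted(findings)


def constructed_image() -> bytes:
    """A gzip-compressed stand-in for a real initramfs (constructed data;
    the key and hash are placeholders, not real credentials)."""
    entries = [
        ("etc/hostname", 0o100644, b"box\n"),
        ("bin/sh", 0o100755, b"\x7fELF" + b"\0" * 12),
        ("etc/ssh/ssh_host_ed25519_key.pub", 0o100644, b"ssh-ed25519 AAAA(constructed)\n"),
        ("etc/ssh/ssh_host_ed25519_key", 0o100600,
         b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed)\n"
         b"-----END OPENSSH PRIVATE KEY-----\n"),
        ("etc/shadow", 0o100000,
         b"root:$6$saltsalt$notarealhash:18000:0:99999:7:::\nnobody:*:18000::::::\n"),
    ]
    return gzip.compress(build_newc(entries))


if __name__ == "__main__":
    # Usage: python scan_initramfs.py /boot/initramfs-<version>.img
    # Without an argument the constructed sample image is scanned.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image()
    for path, kind in scan(image):
        print(f"{kind:12s} {path}")
```

Run against the constructed image it reports the host key (by path and by PEM header) and /etc/shadow (by path and by its `$6$` hash field), and stays silent on the public key and the binaries. Hooking a check like this into whatever rebuilds the image is one way to catch the "unexpected things" the thread describes before they end up on an unencrypted /boot.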