| Message ID | 20240422141120.577573-8-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Add option to encrypt the rootfs | expand |
On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > doc/README.tpm2.encryption.md | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/doc/README.tpm2.encryption.md > b/doc/README.tpm2.encryption.md > index c5ac6c4..a229d86 100644 > --- a/doc/README.tpm2.encryption.md > +++ b/doc/README.tpm2.encryption.md > @@ -44,6 +44,16 @@ Each entry uses the schema `<partition- > label>:<mountpoint>:<reencrypt or format> > - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting > content of the partition. This reduces the partition by 32MB and the > file system by a similar amount > - `format` creates a empty LUKS partition and creates a file system > defined with the shell command given in > `CRYPT_CREATE_FILE_SYSTEM_CMD` > > +#### Encrypted root file system > + > +To encrypt the root file system the variable `CRYPT_PARTITIONS` > needs to be set to: > +``` > +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt" > +``` > +The mountpoint is empty as the root partition is mounted by another > initramfs service. > +Both partitions are encrypted during first boot. The initramfs opens > systema and systemb > +during boot. Does that mean, the .swu file still contains the unencrypted partitions? Or are these partitions encrypted with a fixed key and re- encrypted on first boot? How are the initial keys distributed? Before documenting the technical details, please document the general deployment model, goals and non-goals, as well as security and confidential guarantees. For me it is currently unclear which kind of problem we want to solve with this approach. Best regards, Felix > + > ### CRYPT_CREATE_FILE_SYSTEM_CMD > > The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to > create a new file system on a newly > @@ -59,7 +69,7 @@ based encryption: > - jq > > ## steps to convert clevis to systemd > -The following script shows how to enroll a systemd-tpm2 token with a > existinng clevis based encryption: > +The following script shows how to enroll a systemd-tpm2 token with a > existing clevis based encryption: > ```bash > export device=/dev/sda6 > export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json- > metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots > | first' | head -n1)
On 4/23/24 11:29 AM, Moessbauer, Felix (T CED OES-DE) wrote: > On Mon, 2024-04-22 at 16:09 +0200, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> doc/README.tpm2.encryption.md | 12 +++++++++++- >> 1 file changed, 11 insertions(+), 1 deletion(-) >> >> diff --git a/doc/README.tpm2.encryption.md >> b/doc/README.tpm2.encryption.md >> index c5ac6c4..a229d86 100644 >> --- a/doc/README.tpm2.encryption.md >> +++ b/doc/README.tpm2.encryption.md >> @@ -44,6 +44,16 @@ Each entry uses the schema `<partition- >> label>:<mountpoint>:<reencrypt or format> >> - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting >> content of the partition. This reduces the partition by 32MB and the >> file system by a similar amount >> - `format` creates a empty LUKS partition and creates a file system >> defined with the shell command given in >> `CRYPT_CREATE_FILE_SYSTEM_CMD` >> >> +#### Encrypted root file system >> + >> +To encrypt the root file system the variable `CRYPT_PARTITIONS` >> needs to be set to: >> +``` >> +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt" >> +``` >> +The mountpoint is empty as the root partition is mounted by another >> initramfs service. >> +Both partitions are encrypted during first boot. The initramfs opens >> systema and systemb >> +during boot. > > Does that mean, the .swu file still contains the unencrypted > partitions? Or are these partitions encrypted with a fixed key and re- > encrypted on first boot? How are the initial keys distributed? We can enable symmetric encryption on the images of the swu. Which are then extracted on the target. This images are still encrypted on first boot. So this this means the device needs to boot in a secure environment. Initial keys almost always leak ;-). > > Before documenting the technical details, please document the general > deployment model, goals and non-goals, as well as security and > confidential guarantees. Sure i will add a section in the README. > > For me it is currently unclear which kind of problem we want to solve > with this approach. > > Best regards, > Felix > >> + >> ### CRYPT_CREATE_FILE_SYSTEM_CMD >> >> The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to >> create a new file system on a newly >> @@ -59,7 +69,7 @@ based encryption: >> - jq >> >> ## steps to convert clevis to systemd >> -The following script shows how to enroll a systemd-tpm2 token with a >> existinng clevis based encryption: >> +The following script shows how to enroll a systemd-tpm2 token with a >> existing clevis based encryption: >> ```bash >> export device=/dev/sda6 >> export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json- >> metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots >> | first' | head -n1) >
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index c5ac6c4..a229d86 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -44,6 +44,16 @@ Each entry uses the schema `<partition-label>:<mountpoint>:<reencrypt or format> - `reencrypt` uses `cryptsetup reencrypt` to encrypt the exiting content of the partition. This reduces the partition by 32MB and the file system by a similar amount - `format` creates a empty LUKS partition and creates a file system defined with the shell command given in `CRYPT_CREATE_FILE_SYSTEM_CMD` +#### Encrypted root file system + +To encrypt the root file system the variable `CRYPT_PARTITIONS` needs to be set to: +``` +CRYPT_PARTITIONS = "systema::reencrypt systemb::reencrypt" +``` +The mountpoint is empty as the root partition is mounted by another initramfs service. +Both partitions are encrypted during first boot. The initramfs opens systema and systemb +during boot. + ### CRYPT_CREATE_FILE_SYSTEM_CMD The variable `CRYPT_CREATE_FILE_SYSTEM_CMD` contains the command to create a new file system on a newly @@ -59,7 +69,7 @@ based encryption: - jq ## steps to convert clevis to systemd -The following script shows how to enroll a systemd-tpm2 token with a existinng clevis based encryption: +The following script shows how to enroll a systemd-tpm2 token with a existing clevis based encryption: ```bash export device=/dev/sda6 export keyslot=$(sudo cryptsetup luksDump "$device" --dump-json-metadata | jq -c '.tokens.[] | select( .type == "clevis") | .keyslots | first' | head -n1)