nixops-aws
EC2: add support encrypted root volume
It would be pretty neat if the root EBS volume could be encrypted. The use case would be to protect it if the instance is stopped and somebody gains access to it. Since we still want the instance to (re)boot automatically, it could get the LUKS key from the EC2 instance user data. The user data could be cleared when the instance is stopped.
The main problem is that all of this has to be done in the initrd (including network setup to fetch the user data).
This site mentions a similar idea at the final thoughts: https://launchbylunch.com/posts/2014/Jan/13/encrypting-docker-on-digitalocean/
:+1:
It seems like much of the support for this would be on the NixOS side. Do you have more ideas on what this would look like?
I was thinking about this a little bit. Not in the context of EC2, but in general.
The idea is to have initrd do the network setup (including some primitive firewall rules?) and start sshd (or telnetd) to obtain the passphrase. Nixops would then push the passphrase by connecting to the server and typing it there.
It is still not great from the paranoid point of view as someone can still plant a bug into our initrd and wait for us to connect and give them the passphrase, but it is still much better than nothing.
Wait a second, looks like this is already implemented! NixOS/nixpkgs#10460
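As an added illustration of the scheme discussed in this thread (initrd brings up the network and runs sshd, the deployer connects and types the LUKS passphrase, the root filesystem is unlocked and boot continues), here is a NixOS configuration fragment. This is example code, not part of the issue, of nixops-aws, or of the nixpkgs change referenced above. The LUKS device UUID, the NIC kernel module, the host-key path, the authorized key and the port are all assumptions and placeholders.

```nix
# Added example (not from the issue thread or the nixops-aws project):
# NixOS configuration for unlocking a LUKS root volume over SSH from the initrd.
# Device path, NIC driver, key paths, port and authorized key are assumptions.
{ config, pkgs, ... }:

{
  # The root filesystem lives on a LUKS volume (UUID is a placeholder).
  boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/PLACEHOLDER-UUID";

  # The NIC driver must be present in the initrd or no network comes up
  # before the root volume is unlocked ("ena" is assumed for EC2).
  boot.initrd.availableKernelModules = [ "ena" ];

  # Kernel-level DHCP so stage 1 already has an address.
  boot.kernelParams = [ "ip=dhcp" ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # A port distinct from the real system's sshd, so clients do not
      # mix up the two host identities.
      port = 2222;
      # Host key shipped inside the (unencrypted) initrd; assumed path.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      # Only the deployer's key may log in (placeholder public key).
      authorizedKeys = [ "ssh-ed25519 AAAA...placeholder deployer@nixops" ];
    };
    # Drop anyone who logs in straight into the passphrase prompt, so the
    # passphrase goes to cryptsetup rather than to a shell.
    postCommands = ''
      echo 'cryptsetup-askpass' >> /root/.profile
    '';
  };
}
```

With this in place, the deployer runs `ssh -p 2222 root@<instance>` after a reboot, enters the passphrase at the prompt, and the initrd proceeds to mount the root filesystem. Two points worth checking: the initrd (and its SSH host key) sit on the unencrypted boot volume, which is exactly the tampering risk raised above, so pin the initrd host key in the client's `known_hosts` and treat a key change as a signal, not as something to click through; and because the initrd host key is distinct from the system's, using a separate port keeps the two `known_hosts` entries from colliding.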