
Add passphrase_file to mount options

Open donmor opened this issue 10 months ago • 5 comments

Based on #241 .

Add passphrase_file to mount options. Can be specified in -o or /etc/fstab, making it possible to mount encrypted bcachefs partitions as root.

Kept -f, --passphrase-file for compatibility.

Also include a patch to bcachefs.8.

donmor avatar Apr 13 '24 09:04 donmor

So what's the usecase for this passphrase_file stuff?

I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

koverstreet avatar Apr 13 '24 23:04 koverstreet

> So what's the usecase for this passphrase_file stuff?
>
> I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

We can use an encrypted bcachefs partition as root (by putting a key file as well as an fstab with this option in the initrd, tested with dracut).

donmor avatar Apr 14 '24 01:04 donmor

I'm also looking for this option to automatically decrypt external hard drives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html

The homeserver itself is also encrypted, so the keyfiles for external files are only readable and used at runtime.

onny avatar Apr 25 '24 10:04 onny

> I'm also looking for this option to automatically decrypt external hard drives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html
>
> The homeserver itself is also encrypted, so the keyfiles for external files are only readable and used at runtime.

I think stratis has 2 options for unattended decryption.

  1. Network Bound Drive Encryption (NBDE) which requires a Tang server
  2. Bind the storage to the Trusted Platform Module (TPM 2.0)

I don't know much about these 2 options and what pros/cons they have or ultimately how secure they are.

Are you only concerned with someone taking an external drive and not the entire server and external drives? I think it might be helpful for you to elaborate on what your goals are. I'm having a hard time understanding the value of encrypting your data when the key is sitting in the initrd etc.

tasleson avatar Apr 26 '24 01:04 tasleson

> I think stratis has 2 options for unattended decryption.
>
>   1. Network Bound Drive Encryption (NBDE) which requires a Tang server
>   2. Bind the storage to the Trusted Platform Module (TPM 2.0)

My understanding of the threat model for (2) is:

  • You're measuring boot state into the TPM, so EFI guarantees that the kernel, initramfs, and kernel command line¹ are known, trusted, and required to unlock the filesystem
  • You trust the base system to require password authentication

Given those, the major difference between TPM and requiring a passphrase to unlock is that TPM exposes you to physical attacks against the running machine (intercepting the bus between the TPM and CPU, moving RAM to a second machine while preserving state via LN cooling, etc)

¹: No init=/bin/sh!

RAOF avatar Apr 26 '24 02:04 RAOF

#266: Recreated this patch since cmd_mount.rs was renamed, causing conflicts.

donmor avatar May 14 '24 02:05 donmor