koverstreet / bcachefs-tools

http://bcachefs.org
GNU General Public License v2.0

Add passphrase_file to mount options #253

Closed donmor closed 5 months ago

donmor commented 6 months ago

Based on #241 .

Add passphrase_file to mount options. Can be specified in -o or /etc/fstab, making it possible to mount encrypted bcachefs partitions as root.

Kept -f, --passphrase-file for compatibility.

Also include a patch to bcachefs.8.
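As an added example (not code from this PR or from bcachefs-tools), the option handling the PR describes in miniature: split a `passphrase_file=` entry out of a `-o`/fstab option string so the rest can be passed on unchanged, and read the key file, refusing one that is readable by anyone but its owner. The function names, the 0600 policy and the sample fstab line are assumptions.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

// Constructed fstab line this parser is meant to serve (not from the page):
//   /dev/sda2  /  bcachefs  noatime,passphrase_file=/etc/keys/root.key  0 0

/// Split a mount option string into the passphrase_file path (if any) and
/// the remaining comma-separated options. Hypothetical helper, not the
/// project's own code.
pub fn split_passphrase_file(opts: &str) -> (Option<String>, String) {
    let mut path = None;
    let mut rest = Vec::new();
    for opt in opts.split(',').filter(|o| !o.is_empty()) {
        match opt.strip_prefix("passphrase_file=") {
            Some(p) => path = Some(p.to_string()),
            None => rest.push(opt),
        }
    }
    (path, rest.join(","))
}

/// Read the passphrase from the key file. A key file in the initrd or on
/// the root fs is only as private as its mode bits, so this refuses any
/// file readable by group or others (assumed policy: mode 0600).
pub fn read_passphrase(path: &Path) -> io::Result<String> {
    let meta = fs::metadata(path)?;
    if meta.permissions().mode() & 0o077 != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} is readable by group/others; expected mode 0600", path.display()),
        ));
    }
    let raw = fs::read_to_string(path)?;
    // Drop trailing newlines so a file written with `echo` works as well.
    Ok(raw.trim_end_matches('\n').to_string())
}
```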

koverstreet commented 6 months ago

So what's the usecase for this passphrase_file stuff?

I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

donmor commented 6 months ago

So what's the usecase for this passphrase_file stuff?

I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

We can use an encrypted bcachefs partition as root (by putting a key file as well as an fstab with this option in the initrd, tested with dracut).

onny commented 6 months ago

I'm also looking for this option to automatically decrypt external hard drives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html

The homeserver itself is also encrypted so the keyfiles for external files are only readable and used at runtime.

tasleson commented 6 months ago

I'm also looking for this option to automatically decrypt external hard drives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html

The homeserver itself is also encrypted so the keyfiles for external files are only readable and used at runtime.

I think stratis has 2 options for unattended decryption.

  1. Network Bound Drive Encryption (NBDE) which requires a Tang server
  2. Bind the storage to the Trusted Platform Module (TPM 2.0)

I don't know much about these 2 options and what pros/cons they have or ultimately how secure they are.

Are you only concerned with someone taking an external drive and not the entire server and external drives? I think it might be helpful for you to elaborate on what your goals are. I'm having a hard time understanding the value of encrypting your data when the key is sitting in the initrd etc.

RAOF commented 6 months ago

I think stratis has 2 options for unattended decryption.

1. Network Bound Drive Encryption (NBDE) which requires a Tang server

2. Bind the storage to the Trusted Platform Module (TPM 2.0)

My understanding of the threat model for (2) is:

Given those, the major difference between TPM and requiring a passphrase to unlock is that TPM exposes you to physical attacks against the running machine (intercepting the bus between the TPM and CPU, moving RAM to a second machine while preserving state via LN cooling, etc)

¹: No init=/bin/sh!

donmor commented 5 months ago

#266 Recreated this patch since cmd_mount.rs was renamed, causing conflicts.