Support kexec reboot with automatic FDE decryption

Do you think it’s possible to have automatic reboot somehow using kexec for decrypting FDE? It would be a really useful NixOS feature in server environments.


It’s certainly possible, though I’m not sure how you would do it. You would have to somehow acquire the necessary key, add it to a temporary initrd that’s otherwise the same as your normal one, and use kexec with that initrd instead of your normal one. LUKS makes it possible to extract the real master key from the kernel, but e.g. ZFS doesn’t make this possible for its encryption implementation. You could either ask the user for the necessary keys when they invoke kexec, or store them somewhere safe so they’re always accessible as long as the disk is already decrypted.

So this could be a script which does something like this:

  1. asks for the key (stdin or file path)
  2. appends the key to /nix/var/nix/profiles/system/initrd and stores the resulting initrd in a temporary directory
  3. loads initrd from temporary directory via kexec
  4. removes initrd file
  5. does kexec

The most non-trivial parts seem to be:

  1. In step №2 the initrd would need to be decompressed, modified to include the key (by appending a new cpio archive to the end? or does the initrd need to be extracted first?) and then recompressed again (is it even necessary for kexec?).
  2. There also should be some script in boot.initrd.postDeviceCommands which would read the integrated key and do something with it.

Actually initrd can be a concatenated sequence of compressed cpio images, so no need to decompress and modify the original image; just make a totally separate image with what you need and append it. But yes, you will have to have boot.initrd.luks.devices.<name>.keyFile set to the name of your key file. I don’t remember if NixOS falls back to a password input if that keyFile doesn’t exist (for the case where you’re booting without this mechanism), but if it doesn’t you’ll have to figure something out for that.

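The append-a-separate-image approach from the last reply, as an added example that is not code from this thread or from NixOS: it builds a one-file `newc` cpio archive holding the key, compresses it on its own, and writes it after the untouched original initrd into an owner-only temporary file. The file name `kexec-luks.key` is a hypothetical choice that would have to match `boot.initrd.luks.devices.<name>.keyFile`, and gzip for the appended segment assumes the kernel can unpack gzip-compressed initramfs images.

```python
import gzip
import os
import tempfile

def newc_entry(name: str, data: bytes, mode: int) -> bytes:
    """One 'newc' cpio member: 110-byte ASCII header, NUL-terminated name, data."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check (each field is 8 hex digits)
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * (-len(out) % 4)   # header + name padded to a 4-byte boundary
    out += data
    out += b"\0" * (-len(out) % 4)   # file data padded to a 4-byte boundary
    return out

def key_segment(key: bytes, key_name: str) -> bytes:
    """A complete, separately compressed archive that contains only the key file."""
    archive = (newc_entry(key_name, key, 0o100400)      # regular file, mode 0400
               + newc_entry("TRAILER!!!", b"", 0))      # end-of-archive marker
    return gzip.compress(archive, mtime=0)

def build_kexec_initrd(base_initrd: str, key: bytes, key_name: str) -> str:
    """Write original initrd + key segment to a new temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="kexec-initrd-")  # mkstemp creates it 0600
    try:
        with os.fdopen(fd, "wb") as out, open(base_initrd, "rb") as base:
            out.write(base.read())                # original image, byte for byte
            out.write(key_segment(key, key_name)) # appended, nothing repacked
    except BaseException:
        os.unlink(path)                           # leave no key-bearing file behind
        raise
    return path

# Steps 3-5 of the list above would then be, for the returned path:
#   kexec -l <kernel> --initrd=<path> --reuse-cmdline
#   delete <path>, then trigger the kexec reboot
```

Passing a `dir=` on a tmpfs to `mkstemp` keeps the key-bearing image off persistent storage until it is deleted.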