Support kexec reboot with automatic FDE decryption

Do you think it’s possible to have automatic reboot somehow using kexec for decrypting FDE? It would be a really useful NixOS feature in server environments.

It’s certainly possible, though I’m not sure how you would do it. You would have to somehow acquire the necessary key, add it to a temporary initrd that’s otherwise the same as your normal one, and use kexec with that initrd instead of your normal one. LUKS makes it possible to extract the real master key from the kernel, but e.g. ZFS doesn’t make this possible for its encryption implementation. You could either ask the user for the necessary keys when they invoke kexec, or store them somewhere safe so they’re always accessible as long as the disk is already decrypted.

So this could be a script which does something like this:

  1. asks for the key (stdin or file path)
  2. appends the key to /nix/var/nix/profiles/system/initrd and stores resulting initrd in temporary directory
  3. loads initrd from temporary directory via kexec
  4. removes initrd file
  5. does kexec

The most non-trivial parts seems to be:

  1. In step №2 initrd would need to be decompressed, modified to include the key (by appending a new cpio archive to the end? or is initrd needs to be extracted first?) and then recompressed again (is it even necessary for kexec?).
  2. There’s also should be some script in boot.initrd.postDeviceCommands which would read integrated key and do something with it.

Actually initrd can be a concatenated sequence of compressed cpio images, so no need to decompress and modify the original image; just make a totally separate image with what you need and append it. But yes, you will have to have boot.initrd.luks.devices.<name>.keyFile set to the name of your key file. I don’t remember if NixOS falls back to a password input if that keyFile doesn’t exist (for the case where you’re booting without this mechanism), but if it doesn’t you’ll have to figure something out for that.

1 Like
Hosted by Flying Circus.