Bug 1137056

Summary: Automatically add a custom generated key to initrd when installing to LVM/LUKS
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Shchadilov <alexander.shchadilov>
Component: InstallationAssignee: E-mail List <yast2-maintainers>
Status: RESOLVED NORESPONSE QA Contact: Jiri Srain <jsrain>
Severity: Enhancement    
Priority: P5 - None CC: aschnell, jsrain, nwr10cst-oslnx, security-team, snwint
Version: Leap 15.1   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Shchadilov 2019-06-01 20:02:54 UTC 
If an encrypted system partition is configured during installation openSUSE puts /boot inside of it. While this scheme has certain advantages from the security side of things, it also brings an inconvenience of entering LUKS password twice. This inconvenience can be circumvented through adding a custom key that is used by system to access encrypted partitions; thus GRUB becomes the only software that asks for password.

openSUSE wiki:
https://en.opensuse.org/SDB:Encrypted_root_file_system
http://web.archive.org/web/20190601195245/https://en.opensuse.org/SDB:Encrypted_root_file_system

Arch wiki:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)
http://web.archive.org/web/20190522050457/https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

So it is a feature request for an automated procedure during OS install. There are no security drawbacks AFAIK.
Comment 1 Andreas Stieger 2019-06-02 16:02:59 UTC 
This has been frequently requested. But please be aware that the security drawback is that in the running system, the keyfile would be readable in plain from /boot. Not a good idea.

The better solution is the implementation in grub that allows it to pass the passphrase to the booted system without it appearing in plain in the kernel command line or the logs.

This request should be closed.
Comment 2 Neil Rickert 2019-06-02 16:12:00 UTC 
I am opposed to this, as a security risk.

Yes, the "initrd" file is normally only readable by root.  However, if I install Xen support, then the "initrd" is copied into the EFI partition where it is more easily readable by anyone.
Comment 3 Arvin Schnell 2019-06-02 21:32:05 UTC 
(In reply to Andreas Stieger from comment #1)

> [...] But please be aware that the security drawback is that in the
> running system, the keyfile would be readable in plain from /boot.

Is that any worse than being able to use the --showkeys option of dmsetup?
Comment 4 Steffen Winterfeldt 2019-06-03 09:39:42 UTC 
I confess I use a setup similar to the proposed myself. The usability of the current default setup is less than optimal, to put it mildly. And that's not
even counting the grub behavior on entering a wrong password.

If there's any intention to encourage people to use encryption this seems
counterproductive to me.

I haven't seen any convincing argument as to why storing the password in an
encrypted initrd is a security risk. As Arvin pointed out root can access
the LUKS decryption keys anyway. And unless you have special crypto hardware
that's by design.

We've had fate#320901 open for the better part of 3 years without anything
coming of it. Which is really a sad state.

If anything we should at least give the user the *choice* to go for a
user-friendly setup like the proposed.

That the initrd gets inadvertently copied to a nonencrypted partition is indeed
a risk and we should help the admin to prevent this, if possible.
Comment 5 Steffen Winterfeldt 2019-06-03 09:42:06 UTC 
In any case this needs some strategic decisions and someone driving this.

Jiri?
Comment 6 Andreas Stieger 2019-06-03 09:59:08 UTC 
Security team should look at the proposal.
Comment 7 Jiri Srain 2019-06-03 11:06:27 UTC 
There is another option: Have /boot outside the encrypted volume as a separate partition. Then you need to enter the password only once. However, if you want to use snapper, then you kernel/initrd cannot be snapshotted.

What I wanted to point out: It is not possible to put the key there unconditionally even if we accept the risk.


In any case: The installer should not implement this request before it gets blessing from the security team. If the design is evaluated as not bringing any additional not acceptable risk, then IMO any approach that improves the usability will be welcome (by myself too).

Security team is in NEEDINFO, let them evaluate this idea.
Comment 8 Lukas Ocilka 2019-06-03 11:08:01 UTC 
This actually needs JIRA entry and everyone involved to design and discuss it there (please).
Comment 9 Andreas Stieger 2019-06-03 12:49:13 UTC 
(In reply to Lukas Ocilka from comment #8)
> This actually needs JIRA entry and everyone involved to design and discuss
> it there (please).

That is SUSE internal, so no involvement of the community required on this I guess.
Comment 10 Lukas Ocilka 2019-06-03 13:52:27 UTC 
The request at the end will need to go through JIRA. Gathering opinions 
should stay here.
Comment 11 Stefan Hundhammer 2019-11-25 11:55:54 UTC 
No response for 5 months. Closing.
Comment 12 Alexander Shchadilov 2020-02-03 10:14:14 UTC 
For anyone interested: I submitted Andreas Stieger's suggestion from
https://bugzilla.suse.com/show_bug.cgi?id=1137056#c1
to GRUB bug tracker: https://savannah.gnu.org/bugs/?57678