#403 [grub] Patch grub if needed to allow supplying keyfile

Open
opened 2 years ago by swiftgeek · 2 comments

http://grub.johnlane.ie/

0002-Cryptomount-support-key-files.patch

https://github.com/johnlane/grub

grub.cfg will need to be adjusted to take advantage of a keyfile on the pendrive (the filename should be configurable, the UUID of the pendrive probably too).

Andrew Robbins commented 2 years ago
Collaborator

This shouldn't be much trouble. I can get this done soon.

Swift Geek commented 2 years ago
Collaborator

One possibility to enable keyfile + passphrase would be to encrypt the pendrive with the keyfile, and unlock it with a password.

This way there is no need to write extra code to support a proper keyfile format.

grub.cfg would look for a pendrive with some particular label (LibreKey*? Random string?), cryptomount it, and use the keyfile to mount the HDD with FDE. If the pendrive label is not found, fall back to password unlock.

 * probably LibreKey to make sure that people who care about it not being easily identifiable change it in the config. Together with an offset for the passphrase to hide it inside another file like some JPEG or something (polyglot/funky file format files)

https://media.ccc.de/v/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini#t=261

perhaps grub.cfg could be stored on the pendrive as well to make it harder to identify the file hiding the passphrase? i.e. it would export a few variables and reload grub.cfg from flash using include (this might not change anything, just make it harder to create a pendrive). If implemented, it needs to be signed.

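A grub.cfg fragment for the flow described in this comment (find the pendrive, unlock it with a passphrase, use the keyfile it holds to unlock the FDE disk, fall back to a passphrase prompt); this is an added example, not code from the issue or from johnlane/grub. It assumes cryptomount accepts a `-k <file>` key-file option as the linked patch provides (the option name is assumed), that the pendrive is a LUKS volume holding /key.bin, and all UUIDs are placeholders.

```grub
# Added example grub.cfg fragment (not from the issue or johnlane/grub).
# Assumptions: "cryptomount -k <file>" exists (key-file option from the
# linked patch; option name assumed), the pendrive is a LUKS volume with a
# known UUID that contains /key.bin once unlocked, and the UUIDs below are
# placeholders to be replaced per machine.

set key_uuid="REPLACE-WITH-PENDRIVE-LUKS-UUID"
set key_file="/key.bin"
set fde_uuid="REPLACE-WITH-ROOT-LUKS-UUID"
set fde_unlocked=0

insmod part_gpt
insmod luks
insmod ext2

# Step 1: try to unlock the key pendrive. cryptomount prompts for its
# passphrase and fails when no LUKS volume with that UUID is attached, so a
# missing pendrive is exactly what routes us to the fallback below.
if cryptomount -u "$key_uuid"; then
    # Step 2: locate the key file on the now-unlocked pendrive; search
    # covers the (cryptoN) device like any other filesystem.
    if search --no-floppy --file --set=keydev "$key_file"; then
        # Step 3: unlock the FDE disk with the key file (assumed -k option).
        if cryptomount -u "$fde_uuid" -k "($keydev)$key_file"; then
            set fde_unlocked=1
        fi
    fi
fi

# Step 4: no pendrive, no key file, or a bad key: fall back to the normal
# interactive passphrase prompt for the FDE disk.
if [ "$fde_unlocked" = "0" ]; then
    cryptomount -u "$fde_uuid"
fi

# If this fragment is ever loaded from the pendrive (configfile/include),
# keep signature checking on so only a signed copy is accepted.
set check_signatures=enforce
```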