~tomleb/hinitramfs

Hackweek 2023 project


#Hinitramfs

This is a project where himitsu meets the initramfs, hence hinitramfs. It lets a user unlock their encrypted disk, log in automatically as that user and unlock their password manager with a single prompt.

Note that this is meant to work on Alpine Linux only for now.

I worked on this as part of Hack Week 23; you can find the project listing here.

#How it works

My custom mkinitfs fork adds a new kernel parameter, cryptprompt, that allows running a binary in the initramfs to prompt for the key that unlocks the encrypted disk. For example: cryptprompt=/sbin/hinitramfs-prompt. The prompt can be anything; it just needs to write a valid LUKS passphrase to fd 3.
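As an added illustration (not code from hinitramfs or the mkinitfs fork), the Python below shows both sides of that fd 3 contract: a constructed stand-in prompt that reads one line from stdin and writes it to fd 3, and a launcher that wires fd 3 to a pipe and reads the passphrase back, rejecting a prompt that exits non-zero or writes nothing. How nlplug-findfs actually spawns the prompt is not shown on this page, so the launcher and its treatment of the first line written as the passphrase are assumptions.

```python
import os
import subprocess
import sys

# Constructed stand-in for a cryptprompt binary: it reads one line from stdin and
# writes it to fd 3, the only thing the cryptprompt mechanism requires of a prompt.
# The real hinitramfs-prompt instead looks the luks! key up in a himitsu store.
TOY_PROMPT = r"""
import os, sys
sys.stdout.write("Passphrase: ")          # stdout/stderr are not part of the contract
sys.stdout.flush()
passphrase = sys.stdin.readline().rstrip("\n")
if not passphrase:
    sys.exit(1)                           # non-zero exit signals a failed prompt
os.write(3, (passphrase + "\n").encode())
"""

def toy_prompt_argv():
    """Command line that runs the constructed prompt under the current interpreter."""
    return [sys.executable, "-c", TOY_PROMPT]

def run_cryptprompt(prompt_argv, stdin_text, max_len=512):
    """Launch a prompt with fd 3 connected to a pipe, feed it stdin_text and return
    the first line it writes to fd 3, or None if it exits non-zero or writes nothing.
    Assumed caller-side behaviour; this is not how mkinitfs/nlplug-findfs is written."""
    rfd, wfd = os.pipe()                  # both ends are close-on-exec by default
    try:
        proc = subprocess.Popen(
            prompt_argv,
            stdin=subprocess.PIPE,
            close_fds=False,              # Popen would otherwise close fd 3 again
            preexec_fn=lambda: os.dup2(wfd, 3),  # child: fd 3 -> pipe write end
        )
    except OSError:
        os.close(rfd)
        raise
    finally:
        os.close(wfd)                     # drop our write end so EOF arrives at exit
    try:
        proc.stdin.write(stdin_text.encode())
        proc.stdin.close()
    except BrokenPipeError:
        pass                              # prompt exited before reading its input
    with os.fdopen(rfd, "rb") as rf:
        data = rf.read(max_len + 1)       # bounded read: a runaway prompt cannot flood us
    if proc.wait() != 0 or not data:
        return None
    line = data.split(b"\n", 1)[0]
    if not line or len(line) > max_len:
        return None
    return line.decode()
```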

I have developed hinitramfs-prompt as a prompt for cryptprompt. It asks for a user name (which can be verified against /etc/hinitramfs/) as well as the passphrase for a himitsu secure store located at /etc/hinitramfs/<user id>-<user name>/. This secure store holds entries: each entry has a luks! private key and a device key (e.g. /dev/sda3).

With this information, hinitramfs-prompt does the following:

  1. Adds the passphrase to a new keyring. This new keyring is created with privileges such that the user can access it upon autologin.
  2. Queries the secure store for luks! device=<device> and writes the value of the luks! key to fd 3.

The latter works in tandem with hinitramfs-cryptsetup, which is used to initialize the secure stores in /etc/hinitramfs/ as well as to manage LUKS key slots.

Finally, there is hinitramfs-autologin, which is used to automatically log in a user who has successfully unlocked their secure store. /etc/inittab needs to be configured to run this binary as described in TTY Autologin.

I also have the following himitsu fork, which allows getting the passphrase from a user keyring (populated by hinitramfs-prompt). Users should therefore have something like the following in their user services:

himitsud -k "$(keyctl search %:hackweek user key)"

The storage looks like this:

Storage diagram for hinitramfs

The communication between nlplug-findfs and hinitramfs-prompt looks like this. It is a simple line-based protocol. (TODO: Add retries)

nlplug-findfs protocol

#Dependencies

More to come here, but at least these various forks:

#How to test

TODO

#Future improvements

  • I think the cryptprompt parameter is generic enough that more prompts could be developed. In fact, our prompt could be a prompt selector that allows the user to log in via different means.

  • Error handling is not great currently.

  • Allow a few retries in hinitramfs-prompt.

  • Use only a single key slot for all users instead of one per user.

  • More work on hinitramfs-cryptsetup for better UX.

  • Store either the user's store key OR another passphrase instead of re-using the same passphrase.

#Credits

The general idea was mentioned in the #himitsu channel on libera.chat (IRC). Some work that inspired this was hboot.