This is a project where himitsu meets the initramfs, hence hinitramfs. It lets a user unlock their encrypted disk, log in automatically and unlock their password manager with a single prompt.
Note that this is meant to work on Alpine Linux only for now.
I worked on this as part of Hack Week 23; you can find the project listing here.
My custom mkinitfs fork adds a new kernel parameter, cryptprompt, that allows running a binary in the initramfs to prompt for the key that unlocks the encrypted disk. For example: cryptprompt=/sbin/hinitramfs-prompt. The prompt can be anything; it just needs to write a valid LUKS passphrase to fd 3.
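To make the fd 3 contract concrete, here is an added example (not code from hinitramfs or mkinitfs): a stand-in prompt that writes one line to fd 3, and a caller that collects only what arrives on fd 3, the way a cryptprompt consumer would. The function names and the use of a private temp file are assumptions of this example; the real hinitramfs-prompt asks for a user name and a himitsu store passphrase instead of reading a single line.

```shell
#!/bin/sh
# Added example (not part of hinitramfs): demonstrates the cryptprompt contract,
# i.e. "the prompt may do anything, but must write the LUKS passphrase to fd 3".

# Stand-in prompt (constructed). Interactive output goes to stderr so that
# stdout stays untouched and fd 3 carries nothing but the passphrase.
demo_prompt() {
    printf 'Passphrase: ' >&2
    IFS= read -r pass || return 1
    # An empty passphrase can never unlock a LUKS volume: fail early instead
    # of handing an empty key to cryptsetup.
    [ -n "$pass" ] || { echo 'empty passphrase' >&2; return 1; }
    printf '%s\n' "$pass" >&3
}

# Run a cryptprompt binary and return (on stdout) exactly what it wrote to fd 3.
# fd 3 is redirected into a mode-0600 temp file; stdout/stderr are left to the
# prompt for its own UI. The file is removed whether the prompt succeeds or not.
run_cryptprompt() {
    prompt=$1
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    if "$prompt" 3>"$tmp"; then
        cat "$tmp"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Typical use: feed the captured passphrase to cryptsetup through a pipe rather
# than on the command line, so it never shows up in the process list.
#   run_cryptprompt /sbin/hinitramfs-prompt | cryptsetup open --key-file=- /dev/sda3 root
```

The caller only trusts fd 3: anything the prompt prints to stdout or stderr is user interface, never key material, which is what lets the prompt be "anything".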
I have developed hinitramfs-prompt as a prompt for cryptprompt. It asks for a user name (which can be verified in /etc/hinitramfs/) as well as the passphrase for a himitsu secure store located at /etc/hinitramfs/<user id>-<user name>/. This secure store holds entries: each entry has a luks! private key and a device key (e.g. /dev/sda3).
With this information, hinitramfs-prompt queries the secure store for luks! device=<device> and writes the value of the luks! key to fd 3.
The latter works in tandem with hinitramfs-cryptsetup, which is used to initialize the secure stores in /etc/hinitramfs/ as well as to manage LUKS key slots.
Finally, there is hinitramfs-autologin, which is used to automatically log in a user that has successfully unlocked their secure store. /etc/inittab needs to be configured to run this binary as described in TTY Autologin.
I also have the following himitsu fork, which allows getting the passphrase from a user keyring (populated by hinitramfs-prompt). Users should therefore have something like the following in their user services:
himitsud -k "$(keyctl search %:hackweek user key)"
The storage looks like this:
The communication between nlplug-findfs and hinitramfs-prompt looks like this. It is a simple line based protocol. (TODO: Add retries)
More to come here but at least these various forks:
TODO
I think the cryptprompt parameter is generic enough that more prompts could be developed. In fact, our prompt could itself be a prompt selector that allows the user to log in via different means.
- Error handling is not great currently.
- Allow a few retries in hinitramfs-prompt.
- Use only a single key slot for all users instead of one per user.
- More work on hinitramfs-cryptsetup for better UX.
- Store either the user's store key OR another passphrase instead of re-using the same passphrase.
The general idea was mentioned in the #himitsu channel on libera.chat (IRC).
Some work that inspired this was hboot.