#1 2025-11-09 13:27:01

SeagullFish
Member
Registered: 2023-08-10
Posts: 64

Proper file type categorization of keyfiles for storage encryption?

Hello.

I refer to this article:
https://github.com/lnussel/lnussel.gith … slayout.md

I am not trying to start a debate about the author's opinions, nor to draw any conclusions about them. However, I realize that the author may have a few points regarding how the file system hierarchy in Linux was originally intended to be used. The author has divided file types into a few different categories:
- Configuration files (Mainly referring to /etc)
- Data files (Mainly referring to /var and /home)
- Boot files (Mainly referring to /boot, and possibly /efi if present)
- Operating system files (Mainly referring to /usr + some other locations)
- Memory/Virtual storage (Mainly referring to /proc, /sys, /dev, etc.)

My question:
What kind of file type should keyfiles for storage encryption be categorized as? Implicitly, where should they be stored?

The information that I have found on my own this far:
Quote from section 7.5.2 at the Arch Linux Wiki site for dm-crypt/Device encryption:

If using the sd-encrypt hook instead, the keyfile is specified with the rd.luks.key= kernel parameter: in the case of initramfs, the syntax is /path/to/keyfile. The default is /etc/cryptsetup-keys.d/name.key (where name is the dm_name used for decryption in #Encrypting devices with cryptsetup) and rd.luks.key can be omitted if initramfs contains a valid key with this path. See dm-crypt/System configuration#rd.luks.key.

Quote from section 1.2.4.3 at the Arch Linux Wiki site for dm-crypt/System configuration:

Arch Linux Wiki wrote:

Specify the location of a password file used to decrypt the device specified by its UUID. There is no default location like there is with the encrypt hook parameter cryptkey.
[...]
The whole rd.luks.key parameter can be omitted if the keyfile is included as /etc/cryptsetup-keys.d/name.key.

So, according to these quotes, there is no strict requirement for a fixed storage location for key files, but it is mentioned that /etc/cryptsetup-keys.d/ is the default location. Thus, one might get the impression that key files should be considered configuration files. But are they really configuration files? AFAIK, they do not contain any parameters that are editable for a human system administrator.

Now, what kind of (stupid) question is this? Does the storage location even matter??
Well, the author of the mentioned article points out that:

Article wrote:

With the introduction of BTRFS, the operating system gained the ability to take snapshots and roll back the system in case of troublesome updates. So it was required to define what should be part of a snapshot and what not. User documents for example must not be rolled back. Furthermore, databases can't really be snapshotted nor rolled back by the OS as the structure is application-specific and follows its own transaction mechanism. The usual configuration files in /etc need to be rolled back though, as some are tied to the software version installed.

This leads me to think of: If configuration files inside /etc may be rolled back, is it then wise to store keyfiles inside that directory? If for some reason, a rollback were to result in keyfiles being altered/overwritten/deleted/etc, it could have catastrophic consequences. I assume that this issue also applies to other backup strategies, and not only those based on BTRFS.

Edit1: Wrong section number in reference to quote. Changed from 7.5.1 to 7.5.2.
Edit2: Removed formatting, as requested by cryptearth.

Last edited by SeagullFish (2025-11-09 19:31:08)
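The concern raised above (keyfiles under /etc being altered, overwritten or deleted by a snapshot rollback or a restore from backup) can be checked mechanically. The following is an added example, not code from the thread or from the Arch Wiki: it validates keyfile permissions and records a SHA-256 manifest before a snapshot or backup, so the keyfiles can be verified unchanged after a rollback. It assumes GNU coreutils (stat -c, sha256sum) and uses the Arch default directory /etc/cryptsetup-keys.d unless KEYDIR is overridden.

```shell
#!/bin/sh
# Added example (not from the thread): hygiene checks for LUKS keyfiles kept
# under /etc/cryptsetup-keys.d, plus a hash manifest that lets you confirm
# after a rollback that no keyfile was altered or lost.
# Assumes GNU coreutils (stat -c, sha256sum). KEYDIR may be overridden.

KEYDIR="${KEYDIR:-/etc/cryptsetup-keys.d}"

# Return 0 if a keyfile is a non-empty regular file that is not readable by
# group or others (mode 0400 or 0600); anything else is a problem.
keyfile_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every *.key file in KEYDIR; return the number of files that fail.
check_keydir() {
    bad=0
    for f in "$KEYDIR"/*.key; do
        [ -e "$f" ] || continue
        keyfile_perms_ok "$f" || { echo "BAD: $f" >&2; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Write a sha256 manifest of every *.key file in KEYDIR to $1.
# Run this BEFORE taking a snapshot or a backup; keep the manifest
# somewhere that is not itself rolled back (e.g. on removable media).
record_keyfile_manifest() {
    manifest="$1"
    : > "$manifest"
    for f in "$KEYDIR"/*.key; do
        [ -f "$f" ] || continue
        sha256sum "$f" >> "$manifest"
    done
    [ -s "$manifest" ]
}

# Verify keyfiles against a manifest written earlier. Return 0 only if every
# listed file still exists with identical content. Run AFTER a rollback.
verify_keyfile_manifest() {
    manifest="$1"
    [ -s "$manifest" ] || return 1
    sha256sum --quiet -c "$manifest" >/dev/null 2>&1
}
```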

#2 2025-11-09 17:31:40

cryptearth
Member
Registered: 2024-02-03
Posts: 1,828

Re: Proper file type categorization of keyfiles for storage encryption?

SeagullFish wrote:

Quote from section 7.5.1 at the Arch Linux Wiki site for dm-crypt/Device encryption:

Arch Linux Wiki wrote:

If using the sd-encrypt hook instead, the keyfile is specified with the rd.luks.key= kernel parameter: in the case of initramfs, the syntax is /path/to/keyfile. The default is /etc/cryptsetup-keys.d/name.key (where name is the dm_name used for decryption in #Encrypting devices with cryptsetup) and rd.luks.key can be omitted if initramfs contains a valid key with this path. See dm-crypt/System configuration#rd.luks.key.

where EXACTLY did you get this from? because I wasn't able to find that anywhere in the wiki at all

but as a general question: yes, key-files are usually stored somewhere in /etc

ps: the formatting is a bit annoying

#3 2025-11-09 18:21:39

SeagullFish
Member
Registered: 2023-08-10
Posts: 64

Re: Proper file type categorization of keyfiles for storage encryption?

cryptearth wrote:
SeagullFish wrote:

Quote from section 7.5.1 at the Arch Linux Wiki site for dm-crypt/Device encryption:

where EXACTLY did you get this from? because I wasn't able to find that anywhere in the wiki at all

Sorry, my bad. I wrote the wrong section number. Anyway, the quoted text is taken from the very bottom lines of that wiki-page. You have to scroll all the way down to the end.

cryptearth wrote:

ps: the formatting is a bit annoying

Are you referring to the yellow markings, or the headings, or something else? (Sorry, I am working on learning how to use this forum properly.)

Edit: Removed formatting, as requested by cryptearth.

Last edited by SeagullFish (2025-11-09 19:32:19)

#4 2025-11-09 19:18:56

cryptearth
Member
Registered: 2024-02-03
Posts: 1,828

Re: Proper file type categorization of keyfiles for storage encryption?

well - fiddlesticks - I copied the first part to search for it - but "sd-encrypt" is specially formatted on the wiki and Chromium seems unable to find it when you search for the string "If using the sd-encrypt hook instead" because it doesn't handle the different formatting properly - today I learned

as for formatting: just don't - even the coloration of the quote (btw: if you re-quote you should avoid editing what was originally quoted - that's common for pretty much any help, either forum or mailing list) is irritating as the color change disrupts the workflow

#5 2025-11-09 19:42:25

SeagullFish
Member
Registered: 2023-08-10
Posts: 64

Re: Proper file type categorization of keyfiles for storage encryption?

cryptearth wrote:

as for formatting: just don't - even the coloration of the quote (btw: if you re-quote you should avoid editing what was originally quoted - that's common for pretty much any help, either forum or mailing list) is irritating as the color change disrupts the workflow

Note taken. I have removed all formatting, except for quotes and URLs. (But I wonder, though, why so much BBCode is available if it's not supposed to be used...)

#6 2025-11-10 12:12:11

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,485

Re: Proper file type categorization of keyfiles for storage encryption?

Those are the default options for this version of the forum software.
They can all be used but some are annoying (or worse) for forum users.

Especially the bright yellow of [ ins ] [ /ins] is known to hurt eyes for many people.

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough?
Try clean chroot manager by graysky