
Add passphrase_file to mount options #253

Closed
wants to merge 3 commits into from

Conversation

donmor

@donmor donmor commented Apr 13, 2024

Based on #241 .

Add passphrase_file to mount options. Can be specified in -o or /etc/fstab, making it possible to mount encrypted bcachefs partitions as root.

Kept -f, --passphrase-file for compatibility.

Also include a patch to bcachefs.8.

@koverstreet
Owner

So what's the usecase for this passphrase_file stuff?

I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

@donmor
Author

donmor commented Apr 14, 2024

> So what's the usecase for this passphrase_file stuff?
>
> I know the existing unlock tool isn't working reliably and we need to do something about that, but I need to hear more about how this is being used to know if this is what we want to do.

We can use encrypted bcachefs partition as root (by putting a key file as well as fstab with this option in initrd, tested with dracut).
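A check worth running before an fstab entry like the one described above goes into an initrd: the key file the option points at must be owned by root and unreadable by group and others. This is an added shell example, not code from the PR or from bcachefs-tools; it assumes the option is written as `passphrase_file=/path` (the PR names the option but not its value syntax), assumes GNU `stat` on Linux, and uses a constructed fstab line and temporary key file.

```shell
#!/bin/sh
# Added example, not part of the PR. Assumes the mount option is written as
# passphrase_file=/path; the PR names the option but not its value syntax.

# Print the passphrase_file= value from one fstab line (the 4th field holds the
# comma-separated mount options); print nothing if the option is absent.
passphrase_file_from_fstab_line() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (index(opts[i], "passphrase_file=") == 1)
                print substr(opts[i], 17)
    }'
}

# Succeed only if the key file is safe to reference from fstab: a regular
# file, owned by the expected uid (root, 0, in real use) and with no group
# or other permission bits. GNU stat (Linux) is assumed.
check_passphrase_file() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }
    info=$(stat -c '%u %a' "$f" 2>/dev/null) || return 1
    uid=${info% *}; mode=${info#* }
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid: $f"; return 1; }
    # mode is octal from stat; mask the group/other bits (the leading 0 makes
    # the shell read it as octal).
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "group/other can access mode $mode: $f"; return 1; }
}

# Check one fstab line end to end: the option must be present and its file safe.
check_fstab_entry() {
    path=$(passphrase_file_from_fstab_line "$1")
    [ -n "$path" ] || { echo "no passphrase_file option in: $1"; return 1; }
    check_passphrase_file "$path" "${2:-0}"
}

# Constructed demonstration input (not a real system): a throwaway key file and
# the kind of fstab line this PR would allow. The expected uid is the caller's
# so the demo works without root; on a real system use the default of 0.
demo() {
    d=$(mktemp -d); key="$d/root.key"
    printf 'correct horse battery staple\n' > "$key"
    line="UUID=PLACEHOLDER-UUID / bcachefs passphrase_file=$key,noatime 0 1"
    chmod 644 "$key"; check_fstab_entry "$line" "$(id -u)" && echo "unexpected pass"
    chmod 600 "$key"; check_fstab_entry "$line" "$(id -u)" && echo "ok: only the owner can read $key"
    rm -rf "$d"
}
```

Note that passing this check only limits who can read the key on the running system; as the thread points out below, a key stored in an unencrypted initrd is still readable by anyone who can read the initrd image itself.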

@onny

onny commented Apr 25, 2024

I'm also looking for this option to automatically decrypt external harddrives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html

The homeserver itself is also encrypted so the keyfiles for external files are only readable and used at runtime

@tasleson

> I'm also looking for this option to automatically decrypt external harddrives on my homeserver, otherwise some workaround is needed like https://oz123.github.io/writings/2024-03-25-Decrypting-bcachefs-volumes-at-boot/index.html
>
> The homeserver itself is also encrypted so the keyfiles for external files are only readable and used at runtime

I think stratis has 2 options for unattended decryption.

  1. Network Bound Drive Encryption (NBDE) which requires a Tang server
  2. Bind the storage to the Trusted Platform Module (TPM 2.0)

I don't know much about these 2 options and what pros/cons they have or ultimately how secure they are.

Are you only concerned with someone taking an external drive and not the entire server and external drives?
I think it might be helpful for you to elaborate on what your goals are. I'm having a hard time understanding the value of encrypting your data when the key is sitting in the initrd etc.

@RAOF

RAOF commented Apr 26, 2024

> I think stratis has 2 options for unattended decryption.
>
> 1. Network Bound Drive Encryption (NBDE) which requires a Tang server
> 2. Bind the storage to the Trusted Platform Module (TPM 2.0)

My understanding of the threat model for (2) is:

  • You're measuring boot state into the TPM, so EFI guarantees that the kernel, initramfs, and kernel command line¹ are known, trusted, and required to unlock the filesystem
  • You trust the base system to require password authentication

Given those, the major difference between TPM and requiring a passphrase to unlock is that TPM exposes you to physical attacks against the running machine (intercepting the bus between the TPM and CPU, moving RAM to a second machine while preserving state via LN cooling, etc)

¹: No init=/bin/sh!

@donmor
Author

donmor commented May 14, 2024

#266 Recreated this patch since cmd_mount.rs is renamed, causing conflicts.

@donmor donmor closed this May 14, 2024