
`calamares-nixos-extensions` LUKS keyfile exposure

Critical
RaitoBezarius published GHSA-3rvf-24q2-24ww Jun 28, 2023

Package

Graphical Calamares Installer (NixOS)

Affected versions

≤0.3.12

Patched versions

0.3.13

Description

Impact

Users who installed NixOS through the graphical Calamares installer, with an unencrypted /boot, on either:

  • non-UEFI systems, or
  • systems with a LUKS partition other than /

have their LUKS key file stored in /boot as a plaintext CPIO archive appended to their NixOS initrd.

nixos-install is not affected.

Am I affected?

On an EFI system, run nix-shell -p binwalk --run "binwalk /boot/EFI/nixos/*.efi | grep -i cpio | grep -i crypto_keyfile.bin"; if you get a match, you are likely vulnerable.

Patches

The problem has been patched in this unreleased commit vlinkz@837ca4d.

We plan to release a new extension for 0.3.13 and backport it to NixOS 22.11, 23.05 and unstable channels.

Workarounds

This is reserved for expert users who have a copy of their data; we will provide a remediation tool shortly.

To remediate this vulnerability by yourself:

  1. Reboot into a NixOS live environment you trust.
  2. Mount your rootfs and all relevant LUKS devices using the crypto_keyfile.bin. You can recover it by running binwalk $initrd -D cpio:.bin on an initrd containing this "secret", which gives you a folder with the contents of every CPIO archive; alternatively, look for the append-initrd-secrets Bash script in your Nix store, which shows how this information is copied.
  3. Confirm you have a backup of your valuable data before moving on.
  4. Unmount everything and proceed to the re-encryption procedure:
  5. cryptsetup reencrypt $affected_partition
  6. Remount your partition and confirm that crypto_keyfile.bin can no longer unlock your LUKS partition.
  7. Remount your whole NixOS system.
  8. Remove any mention of boot.initrd.secrets."crypto_keyfile.bin" from your NixOS configuration.
  9. Perform a nixos-rebuild boot from within that live environment, via nixos-enter or any method you prefer.
  10. Reboot; all affected LUKS partitions should now have a rotated key.
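The "Am I affected?" check greps binwalk's output for an embedded CPIO archive that carries crypto_keyfile.bin, and step 2 of the workaround extracts that archive with binwalk -D. The following Python script, added here as an illustration and not part of the advisory or of calamares-nixos-extensions, does both without binwalk: it scans a blob for uncompressed newc CPIO archives (assumed to be the format append-initrd-secrets appends), parses them, reports any key file entry, and can hand back the entry's bytes. The sample initrd bytes, the key contents and the archive layout are constructed for the example; the script name and the /boot/EFI/nixos/*.efi path in the usage note are assumptions.

```python
import sys

NEWC_MAGIC = b"070701"   # magic of an uncompressed "newc" CPIO header
HDR_LEN = 110            # 6-byte magic + 13 eight-character hex fields
TRAILER = "TRAILER!!!"   # name of the entry that terminates a newc archive


def _pad4(n):
    """Round n up to a multiple of 4 (newc pads names and data this way)."""
    return (n + 3) & ~3


def build_newc(entries):
    """Build a minimal newc archive from {name: bytes}. Used only to construct
    sample input here, standing in for the archive append-initrd-secrets produces."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [ino, 0o100600, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
        out += b"\0" * (_pad4(HDR_LEN + len(name_b)) - HDR_LEN - len(name_b))
        out += data + b"\0" * (_pad4(len(data)) - len(data))
    return bytes(out)


def parse_newc(blob, offset):
    """Parse consecutive newc entries starting at offset.
    Returns ([(name, data), ...], end_offset), or None if the bytes there are
    not a well-formed archive (e.g. a chance "070701" match in other data)."""
    entries, pos = [], offset
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            return None
        try:
            fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        except ValueError:
            return None
        filesize, namesize = fields[6], fields[11]
        name_b = blob[pos + HDR_LEN:pos + HDR_LEN + namesize]
        if namesize == 0 or len(name_b) != namesize or not name_b.endswith(b"\0"):
            return None
        data_start = pos + _pad4(HDR_LEN + namesize)
        data_end = data_start + filesize
        if data_end > len(blob):
            return None
        name = name_b[:-1].decode(errors="replace")
        pos = data_start + _pad4(filesize)
        if name == TRAILER:
            return entries, pos
        entries.append((name, blob[data_start:data_end]))


def find_cpio_archives(blob):
    """Scan a binary blob (an initrd, or the EFI image that embeds it) for
    uncompressed newc archives; returns [(offset, [entry names...]), ...]."""
    found, pos = [], 0
    while (pos := blob.find(NEWC_MAGIC, pos)) >= 0:
        parsed = parse_newc(blob, pos)
        if parsed is None:
            pos += 1          # false positive on the magic bytes; keep scanning
            continue
        entries, end = parsed
        found.append((pos, [name for name, _ in entries]))
        pos = end
    return found


def exposed_keyfiles(blob, keyfile="crypto_keyfile.bin"):
    """The 'Am I affected?' check: archives whose entries include the key file
    (matched on the basename, so './crypto_keyfile.bin' also counts)."""
    hits = []
    for off, names in find_cpio_archives(blob):
        matches = [n for n in names if n.rstrip("/").split("/")[-1] == keyfile]
        if matches:
            hits.append((off, matches))
    return hits


def extract_entries(blob):
    """Step 2 of the workaround: recover every file from every embedded archive
    (what binwalk -D cpio:.bin does), keyed by entry name."""
    files = {}
    for off, _ in find_cpio_archives(blob):
        for name, data in parse_newc(blob, off)[0]:
            files[name] = data
    return files


# Constructed sample: junk standing in for the compressed main initrd, a stray
# "070701" that is not an archive, then the plaintext secrets archive the
# installer appended. Not a real NixOS initrd; the key bytes are made up.
_FAKE_COMPRESSED = b"\x1f\x8b\x08\x00" + bytes(range(256)) * 2
SAMPLE_KEY = bytes.fromhex("deadbeefcafef00d") * 4
VULNERABLE_INITRD = (_FAKE_COMPRESSED + b"070701 stray magic "
                     + build_newc({"crypto_keyfile.bin": SAMPLE_KEY}))
# A clean initrd: a secrets archive exists but carries no LUKS key file.
CLEAN_INITRD = _FAKE_COMPRESSED + build_newc({"etc/issue": b"NixOS\n"})

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hits = exposed_keyfiles(f.read())
        print(f"{path}: {'EXPOSED ' + str(hits) if hits else 'no key file archive found'}")
```

Run it as python3 check_initrd_secrets.py /boot/EFI/nixos/*.efi (or against an initrd file directly); a non-empty hit list means the key file is present in plaintext, which is the same condition the binwalk pipeline above reports. The scanner deliberately re-parses from the magic bytes rather than trusting them, so random "070701" sequences inside the compressed part of the initrd do not produce false hits.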

References

Initial report: linuxboot/heads#1348

Severity

Critical


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-36476
