3 
journalctl -b

shows:

systemd-cryptsetup[1807]: Key file /some-path/keys/sda1.luks is world-readable. This is not a good idea! … systemd-cryptsetup[1807]: /some-path/keys/sda1.luks has 0644 mode that is too permissive, please adjust the ownership and access mode.

but unfortunately what the correct rights should be in not given explicitly, and I'm having a hard time figuring that out.

This blog post seems to imply that the correct rights are

chmod -v 0400 /some-path/keys/ chown root:root /some-path/keys/

Could somebody please confirm, preferably with an authoritative source?

This website mentions

Set strict permissions (600 or 400)

but it doesn't say if this is for the folder containing the key, or for the key itself.

Improve this question
3
  • 3
    Not sure about an authoritative source, but the key file needs to be accessed by root but no other account ever has a need for the keys. I would say 0700 for the directory and 0600 for the file. 0755 for the directory should still work as long as the file itself is protected. Ownership of both the directory and the file should be root:root. Commented Oct 9 at 19:04
  • 1
    Related, if not a duplicate - systemd-cryptsetup key file readable warning Commented Oct 9 at 20:10
  • Good catch @ChrisDavies, this is indeed pretty much the same question. Commented Oct 10 at 14:14

2 Answers 2

Reset to default
10

You're not going to find specifc advice saying "you should use permission number xxx" because the real advice is based on the Principle of Least Privilege. So your use case will determine the minimum privilege required.

However "world readable" on anything that's supposed to be "secret" is clearly and obviously wrong since not everything on your system needs access to that secret and so the warning is generated to helpfully tell you there's a mistake.

TLDR

Use 400 and wait to see if it breaks anything.

Applying Principle of Least Privilege to keys

Is the file owner the only OS user that needs access?

If so the number should end in 00 to give no group access. Otherwise set a group to give permission to and end in 40 to give the group read access.

In super rare cases another user might need write access, in which case 60. But that is rare.

Does the owner actually need write access?

Remember the owner can still change the permissions, so this doesn't affect much. But if the owner only needs read access to their own file then it's common to set the first number to 4 to prevent accidental overwrite.

Otherwise write access with 6 is fine.

Execute permission?

Why would you need to "execute" a key? You don't. So don't set any odd number like 7 except on directories.

Improve this answer
0
6

Newly created files are usually world-readable by default. That's probably the most common mistake to make when it comes to keyfiles. So that's what systemd checks and warns you about.

However, this is only a superficial check.

In the message /some-path/keys/sda1.luks has 0644 mode, it really only cares about the last 4 in 0644 and not much else. It expects it to be 0.

As long as the other/world bit is 0, the file could still be readable by many (e.g. if it's owned by a common users group) and systemd would not warn you about it at all. On the other hand, the keyfile could already be protected by the directory path it's in, and you'd still get the warning, even though effectively, only root can access it.

That's why the warning does not go away if you chown/chmod the directory path /some-path/keys/ only. It totally makes sense to restrict the entire keyfiles directory, but systemd doesn't check the path. It only checks the file itself. So to make systemd's warnings go away, you'll also have to apply it to the file.

So even though you get warned twice (once by systemd-cryptsetup, and once by systemd's generic file reader helper), it's more of a hint. It's up to you to make sure that your permissions are actually working the way they should.

Improve this answer
1
  • Thanks a lot, that is super helpful to get this context. Commented Oct 10 at 14:15

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.