From 10c6df2e3c2b9d208071447bcd76e4e28e4e12dc Mon Sep 17 00:00:00 2001 From: edef Date: Wed, 5 Jul 2017 14:21:49 +0200 Subject: [PATCH] =?UTF-8?q?nixos/=E2=80=A6/swap.nix:=20don't=20create=20a?= =?UTF-8?q?=20LUKS=20header=20for=20randomEncryption?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Creating and then erasing the key relies on the disk erasing data correctly, and otherwise allows attackers to simply decrypt swap just using "secretkey". We don't actually need a LUKS header, so we can save ourselves some pointless disk writes and identifiability. In addition, I wouldn't have made the awful mistake of backing up my swap partition's LUKS header instead of my zpool's. May my data rest in peace. --- nixos/modules/config/swap.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index e57ed2565a1..5d47b09ded9 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -149,9 +149,7 @@ in fi ''} ${optionalString sw.randomEncryption '' - echo "secretkey" | cryptsetup luksFormat --batch-mode ${sw.device} - echo "secretkey" | cryptsetup luksOpen ${sw.device} ${sw.deviceName} - cryptsetup luksErase --batch-mode ${sw.device} + cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom mkswap ${sw.realDevice} ''} '';
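Review bot: the added `cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom` line passes no `--cipher` or `--key-size`, so the swap mapping gets whatever plain-mode defaults the installed cryptsetup was built with, and those defaults can differ between cryptsetup versions and builds. Suggest pinning them on that line, for example `--cipher aes-xts-plain64 --key-size 256`, so the encryption parameters are stated in the module rather than inherited. A second point on the same hunk: with no LUKS header there is no longer any on-disk signature identifying the partition, and `mkswap ${sw.realDevice}` follows immediately, so the `randomEncryption` option documentation should tell users to give `sw.device` as a stable path (by-id or by-partuuid) instead of a kernel device name that can shift between boots.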