3
journalctl -b

reads:

systemd-cryptsetup[1807]: Key file /some-path/keys/sda1.luks is world-readable. This is not a good idea!
…
systemd-cryptsetup[1807]: /some-path/keys/sda1.luks has 0644 mode that is too permissive, please adjust the ownership and access mode.

but unfortunately what the correct rights should be is not given explicitly, and I'm having a hard time figuring that out.

On this blog they seem to imply that the correct rights are

chmod -v 0400 /some-path/keys/
chown root:root /some-path/keys/

could somebody please confirm, preferably with authoritative source?

This website reads

Set strict permissions (600 or 400)

but it doesn't say if it is for the folder containing the key, or for the key itself.

3
  • 3
    Not sure about an authoritative source, but the key file needs to be accessed by root but no other account ever has a need for the keys. I would say 0700 for the directory and 0600 for the file. 0755 for the directory should still work as long as the file itself is protected. Ownership of both the directory and the file should be root:root. Commented 21 hours ago
  • 1
    Related, if not a duplicate - systemd-cryptsetup key file readable warning Commented 20 hours ago
  • Good catch @ChrisDavies, this is indeed pretty much the same question. Commented 2 hours ago

2 Answers 2

10

You're not going to find specific advice saying "you should use permission number xxx" because the real advice is based on the Principle of Least Privilege. So your use case will determine the minimum privilege required.

However "world readable" on anything that's supposed to be "secret" is clearly and obviously wrong since not everything on your system needs access to that secret and so the warning is generated to helpfully tell you there's a mistake.


TLDR

Use 400 and wait to see if it breaks anything.


Applying Principle of Least Privilege to keys

Is the file owner the only OS user that needs access?

If so, the number should end in 00 to give no group access. Otherwise set a group to give permission to and end in 40 to give the group read access.

In super rare cases another user might need write access, in which case 60. But that is rare.

Does the owner actually need write access?

Remember the owner can still change the permissions, so this doesn't affect much. But if the owner only needs read access to their own file then it's common to set the first number to 4 to prevent accidental overwrite.

Otherwise write access with 6 is fine.

Execute permission?

Why would you need to "execute" a key? You don't. So don't set any odd number like 7 except on directories.

0
4

Newly created files are usually world-readable by default. That's probably the most common mistake to make when it comes to keyfiles. So that's what systemd checks and warns you about.

However, this is only a superficial check.

In the message /some-path/keys/sda1.luks has 0644 mode, it really only cares about the last 4 in 0644 and not much else. It expects it to be 0.

As long as the other/world bit is 0, the file could still be readable by many (e.g. if it's owned by a common users group) and systemd would not warn you about it at all. On the other hand, the keyfile could already be protected by the directory path it's in, and you'd still get the warning, even though effectively, only root can access it.

That's why the warning does not go away if you chown/chmod the directory path /some-path/keys/ only. It totally makes sense to restrict the entire keyfiles directory, but systemd doesn't check the path. It only checks the file itself. So to make systemd's warnings go away, you'll also have to apply it to the file.

So even though you get warned twice (once by systemd-cryptsetup, and once by systemd's generic file reader helper), it's more of a hint. It's up to you to make sure that your permissions are actually working the way they should.

1
  • Thanks a lot, that is super helpful to get this context. Commented 2 hours ago
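The checks the two answers describe, as an added shell example that is not part of either answer and not systemd's own code: it reproduces the test systemd-cryptsetup applies to the key file (only the "other" bits of the file itself), shows the two things that test skips (group bits, and whether a parent directory already blocks other users), and then applies the 0400 root:root fix the first answer recommends. It assumes Linux with GNU coreutils (`stat -c`, `mktemp -d`); the directory and key file it creates are constructed under a temporary directory, not taken from a real system.

```shell
#!/bin/bash
# Added example, not code from the answers or from systemd. Reproduces the
# permission check systemd-cryptsetup applies to a LUKS key file, shows what
# that check skips, and applies the 0400 root:root fix. Assumes GNU coreutils
# (stat -c, mktemp -d) on Linux.

# Mode bits of a path as a decimal integer, e.g. 0644 -> 420.
mode_bits() {
    echo $(( 0$(stat -c '%a' "$1") ))
}

# Same bits as a four-digit octal string, e.g. "0644".
mode_of() {
    printf '%04o\n' "$(mode_bits "$1")"
}

# What systemd checks: any "other" (world) bit set on the file itself.
world_accessible() {
    [ $(( $(mode_bits "$1") & 07 )) -ne 0 ]
}

# What systemd does not check: group bits on the file ...
group_accessible() {
    [ $(( $(mode_bits "$1") & 070 )) -ne 0 ]
}

# ... and the directory path. If any ancestor denies search (x) to "other",
# non-root users cannot reach the file no matter what mode the file has.
path_blocks_others() {
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ $(( $(mode_bits "$d") & 01 )) -eq 0 ]; then
            return 0
        fi
        d=$(dirname "$d")
    done
    return 1
}

# Least-privilege fix from the first answer: owner read only, no group, no
# other. chown needs root, so it is skipped when run unprivileged.
harden_keyfile() {
    chmod 0400 "$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1"
    fi
}

# Print a verdict in the spirit of the journal message, plus the two things
# the real check leaves out.
report() {
    f=$1
    if world_accessible "$f"; then
        echo "$f has $(mode_of "$f") mode that is too permissive (systemd warns)"
    else
        echo "$f has $(mode_of "$f") mode (systemd is silent)"
    fi
    if group_accessible "$f"; then
        echo "  group can still read it; systemd does not check group bits"
    fi
    if path_blocks_others "$f"; then
        echo "  a parent directory already blocks other users; systemd does not check the path"
    fi
    return 0
}

# Constructed scenario: a key file created with a typical umask (0644) inside
# a private directory (mktemp -d creates it 0700). This is the case the second
# answer describes: effectively root-only, yet systemd would still warn.
demo() {
    dir=$(mktemp -d)
    key="$dir/sda1.luks"
    head -c 64 /dev/urandom > "$key"   # stand-in for real key material
    chmod 0644 "$key"
    report "$key"
    harden_keyfile "$key"
    report "$key"
    rm -rf "$dir"
}

demo
```

Run it as root to get the `chown root:root` step as well; unprivileged it still shows the before/after modes. The point the second answer makes is visible in the first report: the file sits in a 0700 directory, so only root could ever open it, but the warning is driven purely by the file's own "other" bits, and only `harden_keyfile` makes it go away.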
