Restrict permissions on /boot to protect the random seed.

2024-09-13 10:31:44 +01:00
parent 8588d7f09f
commit 4e24ac988f
5 changed files with 7 additions and 1 deletions
--- a/common/encrypted-btrfs-layout.nix
+++ b/common/encrypted-btrfs-layout.nix
@@ -31,6 +31,9 @@ in
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"  # to avoid the random seed being world readable
+                ];
              };
            };
            luksroot = {