[Pkg-cryptsetup-devel] Re: Bug#371135: encrypted swap with variable key fails

Michael Gebetsroither gebi at sbox.tugraz.at
Wed Jun 21 00:35:45 UTC 2006


Quoting Jonas Meurer <jonas at freesources.org>:

> first, LUKS devices with random key are possible, you just need to store
> the random key after luksFormat, to reuse it for luksOpen. afterwards
> you can shred/wipe the key.

What about letting the user initialise the swap partition with
luksformat and insert the partition AND the UUID of the just created
LUKS partition into /etc/cryptdisks (could also be done with a little
wrapper script).
We add a command to regenerate the master key to the cryptsetup binary,
without updating the UUID, and we could safely run mkswap on the
encrypted device.
And there is NO chance to kill the wrong device with mkswap.
And all this without any additional checks.

It could also be done without regenerating the master key and only
adding a user key and deleting the old one.
BUT the swap is still encrypted with the _same_ key (as the user keys
only decrypt the master key).
IMHO without regenerating the master key this is a no-go.

greets,
Michael Gebetsroither
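
The UUID guard proposed in the message above, as an added example that is not part of the original e-mail or of cryptsetup: it reads the UUID from a LUKS1 header and refuses any device whose header does not carry the UUID recorded for the swap partition. The function names and the sample header are constructed for illustration; the field layout follows the LUKS1 on-disk format.

```python
import struct
import uuid

# LUKS1 header layout (big-endian), per the LUKS1 on-disk format:
# magic(6) version(2) cipher-name(32) cipher-mode(32) hash-spec(32)
# payload-offset(4) key-bytes(4) mk-digest(20) mk-digest-salt(32)
# mk-digest-iter(4) uuid(40)
LUKS1_HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"


def luks1_uuid(header: bytes):
    """Return the normalised UUID from a LUKS1 header, or None if not LUKS1."""
    if len(header) < LUKS1_HDR.size:
        return None
    fields = LUKS1_HDR.unpack_from(header)
    magic, version, raw_uuid = fields[0], fields[1], fields[-1]
    if magic != LUKS_MAGIC or version != 1:
        return None
    text = raw_uuid.split(b"\0", 1)[0].decode("ascii", "replace")
    try:
        return str(uuid.UUID(text))
    except ValueError:
        return None


def safe_to_reinitialise(header: bytes, expected_uuid: str) -> bool:
    """True only if the header is LUKS1 and carries the recorded UUID."""
    found = luks1_uuid(header)
    try:
        return found is not None and found == str(uuid.UUID(expected_uuid))
    except ValueError:
        return False  # the recorded value itself is malformed: fail closed


def make_sample_header(uuid_text: str) -> bytes:
    """Constructed sample input: a LUKS1 header with dummy key material."""
    return LUKS1_HDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                          1032, 32, bytes(20), bytes(32), 10,
                          uuid_text.encode("ascii"))
```

On a real system the header bytes would be the first 208 bytes read from the block device, and the expected UUID would come from the configuration entry the message proposes.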



