[pkg-cryptsetup-devel] Bug#707591: cryptsetup: speed up initramfs by reading the passphrase early

Helmut Grohne helmut at subdivi.de
Thu May 9 21:57:18 UTC 2013


On Thu, May 09, 2013 at 06:04:51PM +0100, Alasdair G Kergon wrote:
> How are you ensuring the passphrase is securely handled and no remnants 
> of it remain in memory or on disk?

I hope that it is OK to quote your question in a public way and that it
carries no personal detail, even though you sent it privately.

This is actually two questions.

Q: How to ensure that the pass phrase does not end up on a disk?

A: The /run I am proposing to use for this is mounted by the initramfs
   before mounting /. It cannot be backed by a disk (unless you have
   very crazy scripts). It is later moved to the actual /run.

Q: How to ensure that the pass phrase does not remain in memory?

A1: You don't. You need the key in memory to decrypt the data anyway.
A2: My current approach does not handle the case of the pass phrase not
    being used, but that could be solved by adding another script to
    init-bottom to clean up. This actually appears like a sensible
    improvement. Thanks!

Helmut
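
The two answers above, as an added example that is not part of the original message or of the Debian cryptsetup package: an init-bottom hook that checks the cached pass phrase sits on a RAM-backed filesystem and wipes it whether or not it was used. The file path and the function names are hypothetical; the message does not name the file it keeps in /run.

```shell
#!/bin/sh
# Added example of an initramfs-tools init-bottom hook (not the package's own script).
PREREQ=""
case "${1:-}" in prereqs) echo "$PREREQ"; exit 0 ;; esac

# Hypothetical path: the message does not name the file it keeps in /run.
PASSFILE="${PASSFILE:-/run/early-passphrase}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the filesystem type of the mount that contains path $1.
# Longest mount point wins; on a tie the later (overmounting) entry wins.
fstype_of() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); t = $3 }
        }
        END { print t }' "$MOUNTS"
}

# True when path $1 lives on a RAM-backed filesystem (first question).
ram_backed() {
    case "$(fstype_of "$1")" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Best effort: overwrite the contents in place, then unlink (second question).
wipe_passphrase() {
    f="$1"
    [ -f "$f" ] || return 0
    size=$(( $(wc -c < "$f") ))
    if [ "$size" -gt 0 ]; then
        dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
    fi
    rm -f "$f"
}

# Hook body: runs on every boot, whether or not the passphrase was consumed.
if [ -e "$PASSFILE" ]; then
    ram_backed "$PASSFILE" || echo "warning: $PASSFILE is not on tmpfs/ramfs" >&2
    wipe_passphrase "$PASSFILE"
fi
```

tmpfs pages can be written out once swap is enabled, which is one more reason to remove the file in init-bottom, before the real system starts.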


