[pkg-cryptsetup-devel] Bug#707591: cryptsetup: speed up initramfs by reading the passphrase early
Helmut Grohne
helmut at subdivi.de
Thu May 9 21:57:18 UTC 2013
On Thu, May 09, 2013 at 06:04:51PM +0100, Alasdair G Kergon wrote:
> How are you ensuring the passphrase is securely handled and no remnants
> of it remain in memory or on disk?
I hope that it is ok to quote your question in a public way and carries
no personal detail even though you sent it privately.
This is actually two questions.
Q: How to ensure that the pass phrase does not end up on a disk?
A: The /run I am proposing to use for this is mounted by the initramfs
before mounting /. It cannot be backed by a disk (unless you have
very crazy scripts). It is later moved to the actual /run.
Q: How to ensure that the pass phrase does not remain in memory?
A1: You don't. You need the key in memory to decrypt the data anyway.
A2: My current approach does not handle the case of the pass phrase not
being used, but that could be solved by adding another script to
init-bottom to clean up. This actually appears like a sensible
improvement. Thanks!
Helmut
More information about the pkg-cryptsetup-devel
mailing list