[pkg-cryptsetup-devel] Bug#786578: cryptsetup: crypt asks passphrase instead of using keyfile
Guilhem Moulin
guilhem at guilhem.org
Wed Dec 9 18:58:32 UTC 2015
I forgot an important piece of information: UMASK should be changed to
0077 to ensure that regular users can't access the keys.
-8<------------------------------------------------------------------>8-
diff --git a/debian/README.initramfs b/debian/README.initramfs
index ce7e01a..85f8828 100644
--- a/debian/README.initramfs
+++ b/debian/README.initramfs
@@ -239,6 +239,10 @@ following to initramfs.conf to add them to the initrd.
KEYFILE_PATTERN="/etc/keys/*.key"
export KEYFILE_PATTERN
+ UMASK=0077
+
+(If the initramfs image is to contain private key material, you'll want
+create it with a restrictive umask.)
-- David Härdeman <david at hardeman.nu>
-- Jonas Meurer <mejo at debian.org> Thu, 01 Nov 2012 13:44:31 +0100
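Review bot: the added parenthetical at the end of this hunk reads "you'll want create it", which is missing a "to" ("you'll want to create it"). It also sits after the UMASK=0077 line it explains and does not say what the restrictive umask protects against; the cover message gives the actual reason (regular users must not be able to access the keys), and that sentence belongs in the README next to the setting. Since a umask only applies when the image is created, the text could also tell readers to regenerate the initramfs after changing the setting, because an image built earlier keeps its old permissions.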
-8<------------------------------------------------------------------>8-
--
Guilhem