[pkg-cryptsetup-devel] Bug#786578: Bug#786578: cryptsetup: crypt asks passphrase instead of using keyfile

Jonas Meurer jonas at freesources.org
Wed Dec 9 22:28:51 UTC 2015


Am 09.12.2015 um 19:58 schrieb Guilhem Moulin:
> I forgot an important piece of information: UMASK should be changed to
> 0077 to ensure that regular users can't access the keys.

Sounds reasonable. I added it to the SVN repository for now. But am I
correct that setting the UMASK in initramfs.conf will have an impact on
all files that are added to the initramfs? This might lead to unwanted
side effects.

Why not set the key file permissions directly while copying it to the
initramfs in cryptroot hook?

Cheers
 jonas

> 
> -8<------------------------------------------------------------------>8-
> diff --git a/debian/README.initramfs b/debian/README.initramfs
> index ce7e01a..85f8828 100644
> --- a/debian/README.initramfs
> +++ b/debian/README.initramfs
> @@ -239,6 +239,10 @@ following to initramfs.conf to add them to the initrd.
>  
>    KEYFILE_PATTERN="/etc/keys/*.key"
>    export KEYFILE_PATTERN
> +  UMASK=0077
> +
> +(If the initramfs image is to contain private key material, you'll want
> +create it with a restrictive umask.)
>  
>   -- David Härdeman <david at hardeman.nu>
>   -- Jonas Meurer <mejo at debian.org>  Thu, 01 Nov 2012 13:44:31 +0100
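Review bot: the parenthetical added to README.initramfs is missing a word ("you'll want create it" should read "you'll want to create it"), and it leaves implicit what "it" refers to and what the umask applies to. Spell out that UMASK=0077 restricts the mode of the generated initramfs image so that, as the cover note says, regular users can't read embedded key material. Since the neighbouring KEYFILE_PATTERN line is followed by "export KEYFILE_PATTERN", also state whether UMASK must be exported or is read directly from initramfs.conf, otherwise readers will copy the example and not know which form works.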
> -8<------------------------------------------------------------------>8-
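As an added example (not code from cryptsetup or initramfs-tools), the two approaches discussed in this thread side by side in shell: copying key files into a staging tree with an explicit 0600 mode, as suggested above, versus creating the image under a umask of 0077 scoped to a subshell as in the quoted patch, plus a check for files readable by group or others. Function names and paths are hypothetical, and the "-perm /MODE" test assumes GNU find.

```shell
#!/bin/sh
# Hypothetical helpers illustrating the thread's two options for keeping
# key material in an initramfs out of reach of unprivileged users.
set -eu

# Copy every regular file matching the glob in $1 (e.g. "/etc/keys/*.key")
# into the staging tree $2, forcing mode 0600 regardless of the caller's
# umask. install(1) creates parent directories and applies the mode in one
# step, so the copy never exists with the default (umask-derived) mode.
copy_keys_restricted() {
    pattern="$1"
    destroot="$2"
    for key in $pattern; do
        [ -f "$key" ] || continue
        install -D -m 0600 "$key" "$destroot/$key"
    done
}

# The UMASK approach from the quoted patch, confined to a subshell so the
# restrictive umask does not leak into the rest of a hook script: the
# generated image file $2 (a tar archive here, standing in for the cpio
# initrd) is created without group/other permissions.
pack_image_restricted() {
    ( umask 0077 && tar -cf "$2" -C "$1" . )
}

# Return 0 if no regular file under (or at) $1 is readable, writable or
# executable by group or others, i.e. nothing has any of the 077 bits set.
check_no_world_readable() {
    leaky=$(find "$1" -type f -perm /077 | wc -l)
    [ "$leaky" -eq 0 ]
}
```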

