[pkg-cryptsetup-devel] Bug#850756: cryptsetup: Please save password to kernel keyring

Christoph Anton Mitterer calestyo at scientia.net
Tue Jan 10 13:37:23 UTC 2017


On Tue, 2017-01-10 at 10:26 +0100, Laurent Bigonville wrote:
> Well we need this to be integrated in cryptsetup if we want this to
> work.
Especially in the security-relevant context it's IMO always
questionable whether everything should work automagically out-of-the-
box.


> Do you have any specific concerns about enabling this automatically?
> Anything in mind that might break?
Basically three:

- From what you wrote it wasn't clear to me, whether the auto-login
  would happen per default, i.e. without the sysadmin (and not just a
  user) enabling it, or not.
  Many people (especially on not-just-single-user-desktop) may likely
  not want such auto-login.

- Security-wise it's particularly bad to make such sensitive material
  as the key accessible to such a big piece of software-bloat.
  Looking at gdm3 it has quite an amount of direct and indirect
  dependencies including such which seem to communicate with the
  internet (e.g. gdm3 built on top of gnome shell, which uses
  gnome-online-accounts).
  Such crucial things as the dm-crypt keys/passphrase should IMO be
  used with as little as possible code.

- The whole "utopia" code has shown at least once that it may have
  tremendous security flaws, I vaguely remember some hole in some of
  devicekit/udisk/polkit, which led to exporting the dm-crypt keys to
  every user (may be #576687, which I recall here... or something else).


Instead of unconditionally adding the key to the keyring, why not just
include a keyscript in the package, which allows users to do just
that?
Maybe one can combine this with the already existing decrypt_keyctl.


Cheers,
Chris.