[pkg-cryptsetup-devel] Bug#969286: Bug#969286: cryptsetup-suspend: Make it possible to exclude key from initramfs

Guilhem Moulin guilhem at debian.org
Sun Aug 30 22:51:07 BST 2020


Control: severity -1 wishlist

Hi Birger,

On Sun, 30 Aug 2020 at 19:24:43 +0000, Birger Schacht wrote:
> This defeats the purpose of cryptsetup-suspend (at least in my threat
> model ;) ) - maybe there can be an option to *not* include the key in
> the initramdisk in the case of cryptsetup-suspend and it is only
> possible to unlock on resume using a password?

It's unclear to me what the best course of action is.  An option to
remove key material from the initramfs would need to be treated with
care, because the document you linked to also suggests using key-slot=
which would also need to be removed (or the same passphrase be used).
For now I guess we can just document that this is not a supported threat
model.

Cheers,
-- 
Guilhem.