| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Apr 2018 02:11:06 +0200 From: Hansjoerg Lipp <hjlipp@....de> To: Oleksandr Natalenko <oleksandr@...alenko.name> Cc: linux-kernel@...r.kernel.org Subject: Re: [RFC] Passing luks passphrase from grub to systemd Hello Oleksandr. Am 16.04.2018 um 00:25 schrieb Oleksandr Natalenko: >> as I'm stuck with a (non-EFI x86_64) system with encrypted root >> partition, I have to enter the passphrase twice (grub needs it for >> getting the kernel etc., systemd needs it for mounting the root >> partition). This can be quite inconvenient, especially if the passphrase >> is long and contains special characters, and grub assumes a different >> keyboard layout. > > Just fill another LUKS slot with a randomly generated key file and add that > file to your initramfs (which already resides on encrypted /boot, right?). If > your distro cannot do that, you should probably fixing things there, not > adding ugly hacks to the kernel. Yes, I never considered this proof of concept code as a good solution (I don't want to get it into the kernel!), it was meant as a starting point for discussing whether there is need for some mechanism to get data like this from the boot loader to the init process, and if so, how to do it right (and it was actually fun to learn a bit about all this). I'm thankful for your hint how I could solve my personal luks problem in a clean way (although it somehow does not feel right to have a key file accessible to probable malware while the machine is running; of course a paranoid thought of me...). Kind regards and thanks again Hansjoerg
Powered by blists - more mailing lists