On Sun, 6 Nov 2011 07:36:30 +0800, Tom Gundersen <teg@jklm.no> wrote:
On Sat, Nov 5, 2011 at 5:29 PM, Thomas Bächler <thomas@archlinux.org> wrote:
On 05.11.2011 10:05, Tom Gundersen wrote:
My issue is with allowing passwords to be written "inline", as well as the fact that we interpret the file as bash rather than plaintext.
When automatically opening volumes, you are not supposed to use passphrases, but keyfiles.
Yeah, I think I'll add a warning when a passphrase is used. Having looked through it, that should take care of most of my gripes.
Having passphrases in an unencrypted text file on the hard disk like /etc/crypttab is certainly not the best method. But only offering key files is insufficient. The currently existing methods of storing and entering passphrases or key files must be kept. That implies entering passphrases with the keyboard, storing/reading key files on/from USB sticks and storing/reading keys raw on/from USB sticks with dd must still be possible for every LUKS container.

And what's currently missing in /etc/rc.sysinit is a fallback to asking for a passphrase if a key can't be read, e.g. because someone forgot to plug in the USB stick. This should be added, too, as it is done in the encrypt hook. I admit I forgot to implement it when I wrote the rc.sysinit patches for reading the keys from the USB stick. I found it out only recently, and would have written a patch for it in the coming days if you didn't want to completely rewrite this cryptsetup system. Tell me if I should write this patch anyway.

Heiko
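The two points raised in the thread, reading the crypttab as plain text instead of sourcing it as bash, and falling back to a passphrase prompt when a key file or a raw key on a USB stick cannot be read, can be illustrated with a small POSIX sh script. This is an added example written for this page; it is not code from the thread, from Arch's rc.sysinit or from the encrypt hook. The three-field line format and the "none" / "raw:DEVICE:OFFSET:SIZE" / path conventions for the key field are assumptions made for the example, not the real crypttab syntax, and the script only plans what to pass to cryptsetup rather than running it.

```shell
#!/bin/sh
# Added example (not from the thread or from Arch's rc.sysinit).
# Assumed line format:  <name> <device> <keyspec>
#   keyspec "none"                   -> always prompt for a passphrase
#   keyspec "raw:DEVICE:OFFSET:SIZE" -> read SIZE bytes at OFFSET with dd
#   any other keyspec                -> path to a key file

# resolve_key KEYSPEC
# Prints "keyfile:<path>" when key material could be obtained, or
# "prompt" when it could not, so the caller falls back to asking for a
# passphrase instead of failing the boot.
resolve_key() {
    spec=$1
    case "$spec" in
        none|"")
            printf 'prompt\n'
            ;;
        raw:*)
            # raw:DEVICE:OFFSET:SIZE -> copy SIZE bytes starting at OFFSET
            # into a temporary file; a short read (stick missing, wrong
            # offset) counts as failure and falls back to the prompt.
            rest=${spec#raw:}
            dev=${rest%%:*}; rest=${rest#*:}
            off=${rest%%:*}; size=${rest#*:}
            tmp=
            if [ -r "$dev" ] && tmp=$(mktemp) \
               && dd if="$dev" of="$tmp" bs=1 skip="$off" count="$size" 2>/dev/null \
               && [ $(( $(wc -c < "$tmp") )) -eq "$size" ]; then
                printf 'keyfile:%s\n' "$tmp"
            else
                if [ -n "$tmp" ]; then rm -f "$tmp"; fi
                printf 'prompt\n'
            fi
            ;;
        *)
            if [ -r "$spec" ]; then
                printf 'keyfile:%s\n' "$spec"
            else
                printf 'prompt\n'
            fi
            ;;
    esac
}

# plan_crypttab FILE
# Reads FILE line by line as plain text with read -r; nothing is sourced
# or eval'ed, so a field like "/keys/$(hostname).key" stays a literal
# string and is simply a path that does not exist. Blank lines and
# comments are skipped. Prints "<name> <device> <key result>" per entry;
# a real implementation would turn "keyfile:<path>" into
# "cryptsetup luksOpen --key-file <path> <device> <name>" and "prompt"
# into a plain "cryptsetup luksOpen <device> <name>".
plan_crypttab() {
    while read -r name dev spec _; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s %s %s\n' "$name" "$dev" "$(resolve_key "$spec")"
    done < "$1"
}

# Usage: ./plan_crypttab.sh /path/to/crypttab-like-file
if [ "$#" -eq 1 ]; then
    plan_crypttab "$1"
fi
```

The deliberate choice is that every failure path ends in "prompt" rather than in an error: a missing USB stick, an unreadable file or a short raw read all degrade to the keyboard, which is the fallback the thread asks for. Parsing with read -r is what makes the "plaintext, not bash" point concrete; the key field is only ever used as a file name or split on colons.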