[arch-projects] [initscripts] next release

Heiko Baums lists at baums-on-web.de
Sat Nov 5 20:18:43 EDT 2011


On Sun, 6 Nov 2011 07:36:30 +0800,
Tom Gundersen <teg at jklm.no> wrote:

> On Sat, Nov 5, 2011 at 5:29 PM, Thomas Bächler <thomas at archlinux.org>
> wrote:
> > On 05.11.2011 10:05, Tom Gundersen wrote:
> >
> >> My issue is with allowing passwords to be written "inline", as
> >> well as the fact that we interpret the file as bash rather than
> >> plaintext.
> >
> > When automatically opening volumes, you are not supposed to use
> > passphrases, but keyfiles.
> 
> Yeah, I think I'll add a warning when a passphrase is used. Having
> looked through it, that should take care of most of my gripes.

Having passphrases in an unencrypted text file on the hard disk
like /etc/crypttab is certainly not the best method. But only offering
key files is insufficient. The currently existing methods of
storing and entering passphrases or key files must be kept.

That implies entering passphrases with the keyboard, storing/reading key
files on/from USB sticks and storing/reading keys raw on/from USB sticks
with dd must still be possible for every LUKS container.

And what's currently missing in /etc/rc.sysinit is a fallback to asking
for a passphrase if a key can't be read, e.g. because someone forgot
to plug in the USB stick. This should be added, too, as is done in the
encrypt hook.

I admit I forgot to implement it when I wrote the rc.sysinit patches
for reading the keys from the USB stick. I only found this out
recently, and would have written a patch for it in the coming days if
you didn't want to completely rewrite this cryptsetup system.

Tell me if I should write this patch anyway.

Heiko
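The fallback Heiko asks for (try the keyfile first, and prompt for the passphrase if the key cannot be read, for instance because the USB stick is missing), as an added shell example. This is not initscripts or encrypt-hook code; the crypttab field conventions it uses (empty, "none", "-" or "ASK" means prompt, an absolute path means keyfile, anything else is treated as an inline passphrase and warned about) and the CRYPTSETUP override variable are assumptions made for the example so it can be dry-run without real block devices.

```shell
#!/bin/sh
# Added example, not initscripts code. Mimics the key handling discussed in the
# thread: a keyfile (possibly on a USB stick) is tried first, and if it cannot be
# read the volume falls back to an interactive passphrase prompt, as the encrypt
# hook does. CRYPTSETUP is a hypothetical override so the logic can be exercised
# without real devices (set it to "echo" for a dry run).

CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# key_mode KEYSPEC
# Prints one of: prompt | file | inline
#   prompt: no key given, or the keyfile is not readable (e.g. USB stick missing)
#   file:   readable keyfile path
#   inline: field is not a path; treated as an inline passphrase (discouraged)
key_mode() {
    case "$1" in
        ""|none|ASK|-)
            echo prompt ;;
        /*)
            if [ -r "$1" ]; then
                echo file
            else
                echo "warning: keyfile '$1' not readable, asking for passphrase" >&2
                echo prompt
            fi ;;
        *)
            echo "warning: inline passphrase in crypttab entry; use a keyfile instead" >&2
            echo inline ;;
    esac
}

# open_volume NAME DEVICE [KEYSPEC]
# Invokes cryptsetup according to key_mode; returns cryptsetup's exit status.
open_volume() {
    name=$1; device=$2; keyspec=$3
    case "$(key_mode "$keyspec")" in
        file)   "$CRYPTSETUP" luksOpen --key-file "$keyspec" "$device" "$name" ;;
        inline) printf '%s' "$keyspec" | "$CRYPTSETUP" luksOpen --key-file=- "$device" "$name" ;;
        prompt) "$CRYPTSETUP" luksOpen "$device" "$name" ;;
    esac
}

# process_crypttab FILE
# Reads "name device keyspec" lines as plain text (no bash evaluation), skipping
# comments and blank lines, and opens each volume in turn.
process_crypttab() {
    while read -r name device keyspec _; do
        case "$name" in ""|\#*) continue ;; esac
        open_volume "$name" "$device" "$keyspec" || echo "failed to open $name" >&2
    done < "$1"
}
```

Because the crypttab file is read with `read` rather than sourced, a line containing shell syntax cannot execute anything, which addresses the "interpreted as bash" concern from the quoted message; the warning on an inline passphrase matches the warning Tom says he will add.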

