[dm-crypt] Using a removable-device-recorded passphrase to decrypt a system
arno at wagner.name
Sat Jun 27 01:06:00 CEST 2015
On Fri, Jun 26, 2015 at 15:53:01 CEST, Sven Eschenberg wrote:
> On Fri, June 26, 2015 15:19, Arno Wagner wrote:
> > - I have no idea whether locked memory can end up in a
> > core-dump, but usually these are disabled anyways.
> There certainly is a debug option to get coredumps including locked pages,
> I presume.
I would expect so as well. But debugging is not a concern IMO,
unless it is too easy to leace on accidentally.
> > - In-kernel keys are protected against leaking to disk.
> Again, I presume, since I did not check the kernel's source, that the
> relevant kernel pages are marked as unswappable. I guess when you dump the
> kernel for debugging you'll get the locked pages aswell - Doesn't make to
> much sense if all locked pages are missing from the dump.
> > The thing is, system encryption is not easy to do and conceptually
> > does not help a lot. If it was necessary to prevent having
> > passphrases/keys to disk, that would be a major security flaw
> > in the handling of said passphrases/keys and it would affect
> > other things as well, like GnuPG, OpenSSL, etc. and so I hope
> > somebody would have complained by now if that was a real issue.
> It is quite difficult to i.e. encrypt /etc (which might include
> passphrases for services or something) by it's own, so doing a system
> encryption is quite tempting. Otherwhise you'll have to relocate specific
> files from /etc to other places and maintain a pile of config changes,
> which can be quite an effort aswell.
Well, yes. It is a trade-off that depends on the specific situation
and distribution. Personally, I avoid putting credentials into /etc,
but I do have some in my home, mostly ssh-keys allowing passwordless
I do realize this will not always be possible.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
More information about the dm-crypt