[dm-crypt] Remote unlock security

David Jacquet jacquet.david at gmail.com
Tue Dec 21 10:27:33 CET 2010


Hi,

thanks for the clear answers. Some thoughts: first of all it is great that
the "secret" string is not written temporarily to a disc, that was my
primary concern. Therefore I think that the added insecurity in this case
comes from the computer being stored remotely, not unlocked remotely. I
don't see why the computer couldn't be tampered with (by hardware or
software methods) even if it was unlocked by classic means: human on site
entering secret key.

As for the method passfifo itself, I do not exactly know what is happening.
I am running Ubuntu server 10.04, and there is some partly binary, partly
text, script file called

 /lib/cryptsetup/askpass

which I _guess_ is constructed for the sole purpose of remote ssh unlock,
but I am having difficulties getting any documentation on this file. With
the Ubuntu Plymouth startup it seems non-trivial actually getting this to
work (there are some bugs on this on Launchpad), but I wanted to find out
the security issues before trying the actual solution.

David