[dm-crypt] question on available userspace authentication methods
arno at wagner.name
Fri Sep 2 13:53:11 CEST 2011
On Fri, Sep 02, 2011 at 11:32:03AM +0200, Yves-Alexis Perez wrote:
> On ven., 2011-09-02 at 09:29 +0200, marcin kowalski wrote:
> > Are there any other authenticaton methods one could use?
> You just need a keyscript which will output the key on stdout and pipe
> it to cryptsetup.
> I'm not exactly sure if there are security implications there (like if
> the key could be somewhere on memory not protected or something like
Not really. If you are root, you can query the key anyways,
see FAQ item "How do I recover the master key from a mapped
LUKS container?". This is not a surprise or design defect.
As root can access the whole memory (via /proc/kcore) the
key cannot be hidden anyways.
As to the key staying in memory from the piping, as far as
I know that does not happen. I could be wrong though.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
More information about the dm-crypt