[dm-crypt] question on available userspace authentication methods

Arno Wagner arno at wagner.name
Fri Sep 2 13:53:11 CEST 2011

On Fri, Sep 02, 2011 at 11:32:03AM +0200, Yves-Alexis Perez wrote:
> On ven., 2011-09-02 at 09:29 +0200, marcin kowalski wrote:
> > Are there any other authenticaton methods one could use?
> You just need a keyscript which will output the key on stdout and pipe
> it to cryptsetup.
> I'm not exactly sure if there are security implications there (like if
> the key could be somewhere on memory not protected or something like
> that).

Not really. If you are root, you can query the key anyways,
see FAQ item "How do I recover the master key from a mapped 
LUKS container?". This is not a surprise or design defect.
As root can access the whole memory (via /proc/kcore) the
key cannot be hidden anyways. 

As to the key staying in memory from the piping, as far as 
I know that does not happen. I could be wrong though. 

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

More information about the dm-crypt mailing list