[dm-crypt] kernel: CONFIG_KEYS
gmazyland at gmail.com
Sun Nov 26 10:23:03 CET 2017
On 11/26/2017 09:53 AM, Karel wrote:
> In the Linux kernel, there is this option: CONFIG_KEYS
> "Security options" -> "Enable access key retention support"
> from the description it is not clear to me whether this has any
> relevance to cryptsetup.
> Does cryptsetup use this facility?
New cryptsetup (version 2) will use the kernel keyring (for the dm-crypt volume
key and also for activation by a so-called token in LUKS2).
But it will be optional, and cryptsetup should still work even without it.
If you are using LUKS version 1 (almost every device today), the kernel keyring
is not used.
But the keyring can be used for LUKS by some other services
(systemd already caches the passphrase this way).
So I would suggest enabling it in your kernel, even though it is not yet necessary
for cryptsetup.
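
Added example, not part of the original post: a shell check for whether a kernel was built with CONFIG_KEYS, reading the kernel config and falling back to /proc/key-users. The function names and the sample config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a kernel has CONFIG_KEYS (key retention service).

# Classify CONFIG_KEYS from kernel config text on stdin.
# Prints one of: enabled | disabled | unknown
# The patterns are anchored so CONFIG_KEYS_COMPAT and similar options do not match.
keys_state_from_config() {
    awk '
        /^CONFIG_KEYS=y$/            { state = "enabled" }
        /^# CONFIG_KEYS is not set$/ { state = "disabled" }
        END { if (state == "") state = "unknown"; print state }
    '
}

# Classify the running kernel. Tries /proc/config.gz, then /boot/config-<release>.
# If neither is readable, /proc/key-users is used as evidence: the kernel only
# creates that file when key retention support is compiled in.
running_kernel_keys_state() {
    rel=$(uname -r)
    if [ -r /proc/config.gz ]; then
        state=$(gzip -dc /proc/config.gz 2>/dev/null | keys_state_from_config)
    elif [ -r "/boot/config-$rel" ]; then
        state=$(keys_state_from_config < "/boot/config-$rel")
    else
        state=unknown
    fi
    if [ "$state" = unknown ] && [ -e /proc/key-users ]; then
        state=enabled
    fi
    echo "$state"
}

# Constructed sample config fragment (not taken from a real system).
sample='CONFIG_DM_CRYPT=m
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set'

printf 'sample config:  %s\n' "$(printf '%s\n' "$sample" | keys_state_from_config)"
printf 'running kernel: %s\n' "$(running_kernel_keys_state)"
```

A result of "unknown" means no readable config was found and /proc/key-users is absent, which on a system with /proc mounted points to a kernel built without the option.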