Please Consider Increasing SECMEM_BUFFER_SIZE To 1048576
Guilhem Moulin
guilhem at fripost.org
Thu Oct 19 18:28:42 CEST 2017
On Thu, 19 Oct 2017 at 17:37:20 +0200, Werner Koch wrote:
> On Fri, 13 Oct 2017 19:42, dkg at fifthhorseman.net said:
>> particular, on GNU/Linux systems with cryptsetup, that means something
>> like:
>
> Thanks for that short howto. Is there a reason why it is not done by
> default in Debian? Can we expect it in Buster?
I read this list (and perhaps so does my co-maintainer), but the Debian
BTS would be a better place to discuss this :-P Ephemeral keys are
unlikely to be the default because it prevents hibernation; but I agree
that a d-i option would be nice.
Moreover, while using /dev/random might lead to entropy starvation at
initramfs stage (especially on headless servers), /dev/urandom is not an
option currently since the PRNG isn't seeded early enough. AFAIK the
linux kernel doesn't expose a source device interfacing with its RNG and
having the Right™ semantics (like /dev/urandom but blocking if there is
not enough entropy), but once we have a libc exporting getrandom(2) I
intend to write a trivial keyscript emulating that behavior. That is,
unless cryptsetup upstream can be convinced to add a ‘--key-random’ flag
doing the same thing (also in my TODO list).
--
Guilhem, from the cryptsetup maintenance team.
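The "trivial keyscript" sketched above, as an added example that is not part of the original message or of the cryptsetup project: it uses getrandom(2) with flags=0, which behaves like /dev/urandom except that it blocks until the kernel pool is seeded, and writes the requested number of key bytes to stdout as a keyscript must. It assumes Linux with a libc exporting getrandom() via <sys/random.h> (glibc 2.25 or later); the 64-byte default and the argv[1] key-length convention are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>

/* Fill buf[0..n) from the kernel CSPRNG.  flags=0 blocks only until the pool
 * is seeded.  Short reads are possible (n > 256, or a signal), hence the loop. */
int fill_random(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;   /* interrupted before any bytes: retry */
            return -1;      /* e.g. ENOSYS on a kernel older than 3.17 */
        }
        got += (size_t)r;
    }
    return 0;
}

/* Count non-zero bytes; used to sanity-check that a buffer was filled. */
int count_nonzero(const unsigned char *b, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        c += b[i] != 0;
    return c;
}

/* Write n key bytes to out, as a cryptsetup keyscript must do on stdout.
 * Returns 0 on success, -1 on failure (nothing partial is trusted). */
int emit_key(FILE *out, size_t n)
{
    unsigned char buf[4096];
    while (n > 0) {
        size_t chunk = n < sizeof buf ? n : sizeof buf;
        if (fill_random(buf, chunk) != 0 || fwrite(buf, 1, chunk, out) != chunk)
            return -1;
        n -= chunk;
    }
    return fflush(out) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Key length in bytes from argv[1]; 64 is an assumed default. */
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 64;
    return emit_key(stdout, n) == 0 ? 0 : 1;
}
```

Wired into crypttab as a keyscript, this yields a fresh key per boot, which is exactly why it cannot coexist with hibernation, as the message notes.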