Please Consider Increasing SECMEM_BUFFER_SIZE To 1048576

Guilhem Moulin guilhem at
Thu Oct 19 18:28:42 CEST 2017

On Thu, 19 Oct 2017 at 17:37:20 +0200, Werner Koch wrote:
> On Fri, 13 Oct 2017 19:42, dkg at said:
>> particular, on GNU/Linux systems with cryptsetup, that means something
>> like:
> Thanks for that short howto.  Is there a reason why it is not done by
> default in Debian?  Can we expect it in Buster?

I read this list (and perhaps so does my co-maintainer), but the Debian
BTS would be a better place to discuss this :-P  Ephemeral keys are
unlikely to be the default because it prevents hibernation; but I agree
that a d-i option would be nice.

Moreover while using /dev/random might lead to entropy starvation at
initramfs stage (especially on headless server), /dev/urandom is not an
option currently since the PRNG isn't seeded early enough.  AFAIK the
linux kernel doesn't expose a source device interfacing with its RNG and
having the Right™ semantics (like /dev/urandom but blocking if there is
not enough entropy), but once we have a libc exporting getrandom(2) I
intend to write a trivial keyscript emulating that behavior.  That is,
unless cryptsetup upstream can be convinced to add a ‘--key-random’ flag
doing the same thing (also in my TODO list).

Guilhem, from the cryptsetup maintenance team.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list