Using pinentry-curses interactively in Linux boot process fails (SOLVED)

Heinz Diehl htd at
Sat Jul 24 08:48:48 CEST 2010

On 23.07.2010, Grant Olson wrote: 

> Just keep in mind that if you're not encrypting the whole disk, your
> sensitive data can leak to /tmp and swap.  I'm only bringing this up
> because it seems like you've taken some elaborate steps to protect your
> data.

I second that. 

Besides, holding a GPG encrypted keyfile on unencrypted space to open a
LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot
process by entering the correct passphrase, to finally open the
LUKS/dmcrypt secured device seems broken to me. Why not just use the same
secure passphrase for the LUKS keyslot directly, instead of using a keyfile?

Seems a little bit like "security by obscurity" to me..

(Malte: I hacked a lot on the opensuse bootscripts related to LUKS/dmcrypt
in the last 2 years, if you need to customize your system in such a way
that is not possible to achieve with the opensuse installer, feel free to
drop me a note)

More information about the Gnupg-users mailing list