Using pinentry-curses interactively in Linux boot process fails (SOLVED)
Heinz Diehl
htd at fritha.org
Sat Jul 24 08:48:48 CEST 2010
On 23.07.2010, Grant Olson wrote:
> Just keep in mind that if you're not encrypting the whole disk, your
> sensitive data can leak to /tmp and swap. I'm only bringing this up
> because it seems like you've taken some elaborate steps to protect your
> data.
I second that.
Besides, holding a GPG-encrypted keyfile on unencrypted space to open a
LUKS/dmcrypt-encrypted device, opening/decrypting the keyfile in the boot
process by entering the correct passphrase, to finally open the
LUKS/dmcrypt-secured device, seems broken to me. Why not just use the same
secure passphrase for the LUKS keyslot directly, instead of using a keyfile?
Seems a little bit like "security by obscurity" to me...
(Malte: I have hacked a lot on the openSUSE boot scripts related to LUKS/dmcrypt
over the last 2 years. If you need to customize your system in a way
that is not possible to achieve with the openSUSE installer, feel free to
drop me a note.)