On Thu, May 09, 2013 at 06:04:51PM +0100, Alasdair G Kergon wrote:
> How are you ensuring the passphrase is securely handled and no remnants
> of it remain in memory or on disk?

I hope that it is ok to quote your question in a public way and that it
carries no personal detail even though you sent it privately.

This is actually two questions.

Q: How to ensure that the pass phrase does not end up on a disk?
A: The /run I am proposing to use for this is mounted by the initramfs
   before mounting /. It cannot be backed by a disk (unless you have
   very crazy scripts). It is later moved to the actual /run.

Q: How to ensure that the pass phrase does not remain in memory?
A1: You don't. You need the key in memory to decrypt the data anyway.
A2: My current approach does not handle the case of the pass phrase not
    being used, but that could be solved by adding another script to
    init-bottom to clean up.

This actually appears like a sensible improvement. Thanks!

Helmut
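
The init-bottom cleanup mentioned in A2, combined with a check that the file really sat on a RAM-backed filesystem (the first answer), as an added example that is not part of the original mail or of any Debian package. The path /run/example-passphrase and the PASSFILE and MOUNTS variables are assumptions; the thread does not name the file.

```shell
#!/bin/sh
# Added example: init-bottom style cleanup of an unused passphrase file.
# PASSFILE is a hypothetical path, not one named in the thread.
PASSFILE="${PASSFILE:-/run/example-passphrase}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# initramfs-tools convention: print prerequisites when asked, then stop.
PREREQ=""
case "${1:-}" in
    prereqs) echo "$PREREQ"; exit 0 ;;
esac

# Print the filesystem type backing path $1 according to mount table $2.
# The longest matching mount point wins; a later entry for the same
# mount point overrides an earlier one.
fstype_of() {
    awk -v p="$1" '
        { mp = $2
          covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
          if (covers && length(mp) >= length(best)) { best = mp; fs = $3 } }
        END { print fs }' "$2"
}

# Unlink the passphrase file $1 if it is still present.
# Returns 1 (after unlinking) if mount table $2 shows it was not on
# tmpfs or ramfs, so the boot log records that it may have reached a disk.
wipe_passphrase() {
    file=$1
    mounts=$2
    [ -e "$file" ] || return 0      # already consumed and removed
    fstype=$(fstype_of "$file" "$mounts")
    rm -f -- "$file"
    case "$fstype" in
        tmpfs|ramfs) return 0 ;;
        *) echo "warning: $file was on '$fstype', not tmpfs" >&2
           return 1 ;;
    esac
}

wipe_passphrase "$PASSFILE" "$MOUNTS"
```
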