On Thu, May 09, 2013 at 06:04:51PM +0100, Alasdair G Kergon wrote:
> How are you ensuring the passphrase is securely handled and no remnants 
> of it remain in memory or on disk?

I hope that it is OK to quote your question in a public way and that it
carries no personal detail, even though you sent it privately.

This is actually two questions.

Q: How to ensure that the pass phrase does not end up on a disk?

A: The /run I am proposing to use for this is mounted by the initramfs
   before mounting /. It cannot be backed by a disk (unless you have
   very crazy scripts). It is later moved to the actual /run.

Q: How to ensure that the pass phrase does not remain in memory?

A1: You don't. You need the key in memory to decrypt the data anyway.
A2: My current approach does not handle the case of the pass phrase not
    being used, but that could be solved by adding another script to
    init-bottom to clean up. This actually appears like a sensible
    improvement. Thanks!

Helmut

