Package: cryptsetup-suspend
Version: 2:2.3.3-3+exp1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

when having /boot on an encrypted root partition and adding a key to a second key slot (as described in [0]) cryptsetup-suspend uses this key to unlock the volume on resume.

This defeats the purpose of cryptsetup-suspend (at least in my threat model ;) ) - maybe there can be an option to *not* include the key in the initramdisk in the case of cryptsetup-suspend and it is only possible to unlock on resume using a password?

cheers,
Birger

[0] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#avoiding-the-extra-password-prompt

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup-suspend depends on:
ii  cryptsetup-initramfs  2:2.3.3-1
ii  libc6                 2.31-3
ii  libcryptsetup12       2:2.3.3-1+b1
ii  systemd               246-2

cryptsetup-suspend recommends no packages.

cryptsetup-suspend suggests no packages.

-- no debconf information
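
A check for the condition reported above, as an added example that is not part of the original report or of the cryptsetup packages: it lists crypttab(5) entries whose third field names a key file rather than `none`, which are the volumes that can be unlocked without a passphrase prompt. The sample crypttab, its device identifiers, key path and keyscript path are constructed.

```shell
#!/bin/sh
# Added example: audit crypttab(5) for entries that unlock from a key file.
# crypttab fields: <target> <source device> <key file> <options>

# keyfile_entries: reads a crypttab on stdin and prints "<target> <key file>"
# for every entry that uses a key file instead of a passphrase prompt.
keyfile_entries() {
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r target source keyfile options _ || [ -n "$target" ]; do
        case $target in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        case $keyfile in
            ''|none|-) continue ;;      # passphrase is prompted for
        esac
        case ",$options," in
            *,keyscript=*) continue ;;  # field 3 is a keyscript argument, not a file
        esac
        printf '%s %s\n' "$target" "$keyfile"
    done
}

# Constructed sample input (placeholder UUIDs, hypothetical paths).
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
root_crypt UUID=00000000-placeholder-root /etc/keys/root.key luks,discard
swap_crypt UUID=00000000-placeholder-swap none luks
data_crypt UUID=00000000-placeholder-data card0 luks,keyscript=/usr/local/sbin/example-keyscript
EOF
}

# Demo on the constructed sample; prints the one key-file entry.
sample_crypttab | keyfile_entries
```

On a real system, run `keyfile_entries < /etc/crypttab`; any target it prints is a candidate for the behaviour described in the report.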

