On Thu, Dec 01, 2016 at 07:27:52AM -0800, mariogeck...@gmail.com wrote:
> In my opinion this feature would be a good idea to be implemented.
> [...]
> https://github.com/dracutdevs/dracut/pull/80

I have something similar working with my Heads bootloader -- it unseals
and decrypts the keys with either the TPM or a GPG card and inserts
them into the initrd for the Qubes dom0, but am hesitant about the
smartcard support since this expands the attack surface of the early
runtime environment to have USB device drivers loaded.

Something that I would really like to figure out how to make work is to
have the S3 resume script retrieve keys from the TPM or GPG card so that
the kernel can dump the disk keys before going to sleep.

-- 
Trammell

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20161201154101.GA12784%40chishio.swcp.com.