On 7/7/19 10:29 AM, Arnt Karlsen wrote:
>
> ..5.3.8. Calamares installer leaves disk encryption keys readable:
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#calamares-creates-readable-key
>
Is this referring to the use of a keyfile in the initrd? Or is this the
case in all encrypted debian-based systems, whether /boot is part of the
encrypted volume or not?
Bug report says:
"It installs an encryption key in the initramfs, the problem is
that in Debian, the initramfs is world readable by default, which
means that a user on an unlocked system could retrieve the unlock
key."
/etc/cryptsetup-initramfs/conf-hook says:
# KEYFILE_PATTERN: ...
#
# The value of this variable is interpreted as a shell pattern.
# Matching key files from the crypttab(5) are included in the initramfs
# image. The associated devices can then be unlocked without manual
# intervention. (For instance if /etc/crypttab lists two key files
# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
# to add them to the initrd.)
Thanks to anyone who can shed some light on this.
fsmithred
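A small audit of the exposure described above (an added example, not code from the thread or from Debian): it checks whether an initrd image is world-readable and lists any key files embedded in it. It assumes an uncompressed single newc cpio archive (real images are compressed, often with a microcode archive prepended), that cryptsetup-initramfs stores keys under cryptroot/keyfiles/ inside the image, and that UMASK=0077 in /etc/initramfs-tools/initramfs.conf is what yields a 0600 image; the sample archive is constructed in demo().

```python
import fnmatch
import os
import stat
import tempfile

def newc_entry(name, body=b"", mode=0o100600):
    """Build one SVR4 'newc' cpio record (the archive format mkinitramfs emits)."""
    fields = [0, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(name) + 1, 0]
    rec = b"070701" + "".join("%08x" % v for v in fields).encode() + name.encode() + b"\0"
    rec += b"\0" * (-len(rec) % 4)  # header plus name is padded to a 4-byte boundary
    return rec + body + b"\0" * (-len(body) % 4)  # and so is the file body

def list_newc_entries(data):
    """Yield (name, mode) for every record up to the TRAILER!!! marker."""
    pos = 0
    while pos + 110 <= len(data):
        if data[pos:pos + 6] != b"070701":
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        f = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name, mode
        body_start = (pos + 110 + namesize + 3) & ~3
        pos = (body_start + filesize + 3) & ~3

def audit_initramfs(path, keyfile_pattern="cryptroot/keyfiles/*"):
    """Return (world_readable, [embedded key files]) for one initrd image.
    The key location is an assumption about cryptsetup-initramfs, not from the thread."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, "rb") as fh:
        data = fh.read()
    keys = [n for n, m in list_newc_entries(data)
            if stat.S_ISREG(m) and fnmatch.fnmatch(n, keyfile_pattern)]
    return world_readable, keys

def demo():
    """Constructed sample: a tiny initrd carrying one key, installed 0644 and then 0600."""
    path = os.path.join(tempfile.mkdtemp(), "initrd.img-sample")
    with open(path, "wb") as fh:
        fh.write(newc_entry("cryptroot", mode=0o40700)
                 + newc_entry("cryptroot/keyfiles/sda2_crypt.key", b"constructed\n")
                 + newc_entry("TRAILER!!!"))
    os.chmod(path, 0o644)  # the world-readable default the bug report describes
    before = audit_initramfs(path)
    os.chmod(path, 0o600)  # what UMASK=0077 in initramfs.conf yields (assumption)
    after = audit_initramfs(path)
    return before, after
```

Calling demo() returns ((True, ['cryptroot/keyfiles/sda2_crypt.key']), (False, ['cryptroot/keyfiles/sda2_crypt.key'])): the key is embedded either way, and only the file mode decides whether an unprivileged user can read it.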