:: Re: [DNG] ..so Debian is Busting po…
Author: fsmithred
Date:  
To: dng
Subject: Re: [DNG] ..so Debian is Busting postgresql, evolution-ews inboxes and history itself?, was: Runit service depend another script not daemon
On 7/7/19 10:29 AM, Arnt Karlsen wrote:

>
> ..5.3.8. Calamares installer leaves disk encryption keys readable:
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#calamares-creates-readable-key
>


Is this referring to the use of a keyfile in the initrd? Or is this the
case in all encrypted debian-based systems, whether /boot is part of the
encrypted volume or not?


Bug report says:

"It installs an encryption key in the initramfs, the problem is
that in Debian, the initramfs is world readable by default, which
means that a user on an unlocked system could retrieve the unlock
key."


/etc/cryptsetup-initramfs/conf-hook says:

# KEYFILE_PATTERN: ...
#
# The value of this variable is interpreted as a shell pattern.
# Matching key files from the crypttab(5) are included in the initramfs
# image. The associated devices can then be unlocked without manual
# intervention. (For instance if /etc/crypttab lists two key files
# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key"
# to add them to the initrd.)


Thanks to anyone who can shed some light on this.

fsmithred
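The two mechanisms named in this message (KEYFILE_PATTERN pulling key files into the initramfs, and the initramfs image itself being world-readable) combine into the problem the bug report describes, and a practitioner will want a quick way to check a box for that combination. The script below is an added example and is not code from this thread, from Debian, or from the Calamares project. It assumes Debian's layout (initrd.img-* under /boot, KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook, and the UMASK setting that initramfs-tools reads from initramfs.conf, which is the usual way to make update-initramfs write a private image); the directories and config files it is pointed at are parameters, so it runs offline against a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original thread: check whether key files are
# configured to be embedded in the initramfs while the initramfs image is
# world-readable. Paths follow Debian's layout but are passed in as arguments.

# initrd_world_readable DIR: print every initrd.img-* directly under DIR whose
# "other read" bit is set; return 0 if at least one was found, else 1.
initrd_world_readable() {
    found=$(find "$1" -maxdepth 1 -name 'initrd.img-*' -perm -004 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# keyfile_pattern_set FILE: 0 if FILE (the cryptsetup-initramfs conf-hook) sets
# a non-empty, uncommented KEYFILE_PATTERN, i.e. key files will be copied in.
keyfile_pattern_set() {
    grep -Eq "^[[:space:]]*KEYFILE_PATTERN=[\"']?[^\"'[:space:]]" "$1" 2>/dev/null
}

# initramfs_umask_restricted FILE: 0 if FILE (initramfs.conf) sets UMASK=0077,
# so that the next update-initramfs run produces a root-only image (assumption:
# this is the knob that governs the generated image's mode).
initramfs_umask_restricted() {
    grep -Eq "^[[:space:]]*UMASK=[\"']?0?077" "$1" 2>/dev/null
}

# check_system BOOT_DIR CONF_HOOK INITRAMFS_CONF: print a verdict and return
#   2  key files embedded AND an image is world-readable right now
#   1  something to fix before it bites (image readable but no keys, or keys
#      embedded with an unrestricted UMASK so a rebuild would re-expose them)
#   0  nothing found
check_system() {
    boot=$1; hook=$2; iconf=$3
    if keyfile_pattern_set "$hook"; then
        if initrd_world_readable "$boot" >/dev/null; then
            echo "RISK: KEYFILE_PATTERN set and a world-readable initrd exists in $boot"
            return 2
        elif ! initramfs_umask_restricted "$iconf"; then
            echo "WARN: KEYFILE_PATTERN set, image is private, but UMASK is not 0077 in $iconf"
            return 1
        fi
    elif initrd_world_readable "$boot" >/dev/null; then
        echo "NOTE: world-readable initrd in $boot (no KEYFILE_PATTERN configured)"
        return 1
    fi
    echo "OK: no embedded key files exposed"
    return 0
}

# make_sample: build a constructed mock of the two situations in a temp dir
# (file names and contents are made up for the example) and print its path.
make_sample() {
    t=$(mktemp -d)
    mkdir "$t/boot" "$t/boot_fixed"
    touch "$t/boot/initrd.img-4.19.0-5-amd64" "$t/boot/initrd.img-4.19.0-4-amd64"
    chmod 644 "$t/boot/initrd.img-4.19.0-5-amd64"    # Debian default: readable
    chmod 600 "$t/boot/initrd.img-4.19.0-4-amd64"    # already fixed by hand
    touch "$t/boot_fixed/initrd.img-4.19.0-5-amd64"
    chmod 600 "$t/boot_fixed/initrd.img-4.19.0-5-amd64"
    printf 'KEYFILE_PATTERN="/etc/keys/*.key"\n' > "$t/conf-hook-keys"
    printf '# KEYFILE_PATTERN=""\n' > "$t/conf-hook-none"
    printf 'MODULES=most\n' > "$t/initramfs-open.conf"
    printf 'MODULES=most\nUMASK=0077\n' > "$t/initramfs-fixed.conf"
    printf '%s\n' "$t"
}

# Stand-alone run: report on the constructed sample, then on this host if the
# Debian paths exist (reading /boot may need root).
demo() {
    s=$(make_sample)
    echo "sample, keys embedded:";  check_system "$s/boot" "$s/conf-hook-keys" "$s/initramfs-open.conf" || true
    echo "sample, keys + private image, UMASK unset:"; check_system "$s/boot_fixed" "$s/conf-hook-keys" "$s/initramfs-open.conf" || true
    echo "sample, hardened:";       check_system "$s/boot_fixed" "$s/conf-hook-none" "$s/initramfs-fixed.conf" || true
    rm -rf "$s"
    if [ -d /boot ] && [ -f /etc/cryptsetup-initramfs/conf-hook ]; then
        echo "this host:"; check_system /boot /etc/cryptsetup-initramfs/conf-hook /etc/initramfs-tools/initramfs.conf || true
    fi
}
demo
```

The WARN case is the one that is easy to miss: chmod 600 on the existing image closes the hole only until the next kernel or initramfs-tools upgrade regenerates it, which is why the check also looks at UMASK. To confirm what a given image actually carries, `lsinitramfs /boot/initrd.img-<version>` (from initramfs-tools) lists its contents; whether that shows the key files depends on the KEYFILE_PATTERN that was in effect when the image was built.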