On 10/29/23 22:01, Jonathan Billings wrote:
> The point I’m making is that the decryption passphrase should not be accessible to any root level process, be it a user with sudo or a compromised service. This is why you should create a backup passphrase in a different keyslot and store it someplace secure, just in case.

The point here is not about getting the passphrase, it is about getting the real decryption key. Storing the decryption key in a safe place is a lot better than relying on things that can break in many ways (LUKS header overwritten, broken TPM, new machine, ...). The real decryption key makes the difference between having data or losing them; making all recovery strategies impossible is not a good idea.

Regards.

--
Roberto Ragusa    mail at robertoragusa.it