Alasdair G Kergon wrote:
> On Mon, Sep 04, 2006 at 01:22:30PM +0200, Rick van Rein wrote:
>
>> I was shocked to learn that the encryption keys for dm-crypt volumes are
>> visible to root:
>
>> # dmsetup table swap
>> 0 1975932 crypt aes-cbc-plain 3132333435363738313233343536373831323334353637383132333435363738 0 3:6 0
>
> I have made a concession in cvs. The keys are still available, but now
> get masked out by default.
>
> # dmsetup table swap
> 0 1975932 crypt aes-cbc-plain 0000000000000000000000000000000000000000000000000000000000000000 0 3:6 0
>
> # dmsetup table --showkeys swap
> 0 1975932 crypt aes-cbc-plain 3132333435363738313233343536373831323334353637383132333435363738 0 3:6 0
>
> This will be in version 1.02.13 onwards, and saves having to post-process
> the output of dmsetup table if you don't want the keys.
>
> Alasdair

Hi,

I would like to have some precision:

I notice that
# dmsetup table mapper
would only return correct information if the mapper was opened (cryptsetup luksopen...)

So can you please confirm your assumption that root can see the encryption keys only if the mapper was opened, and thus that anyone who gets his hands on the device cannot so easily get the encryption key as long as he did not open the mapper successfully, by typing the code in or cracking it?

thanks
chris

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
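
For dmsetup versions older than 1.02.13, the post-processing mentioned in the quoted reply can be done with a small filter that zeroes the key field before the table output is logged or shared. This is an added example, not part of the original thread and not dmsetup code; the function names and the `root` linear line in the sample are constructed, and the `swap` line reuses the test key quoted above.

```shell
#!/bin/sh
# Added example: redact dm-crypt keys from `dmsetup table` output.
# crypt target line layout, as in the output quoted in the thread:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
# `dmsetup table` without a device name prefixes each line with "<name>: ".

# mask_crypt_keys: filter stdin to stdout, zeroing the key of crypt targets.
mask_crypt_keys() {
    awk '
    {
        t = ($1 ~ /:$/) ? 4 : 3           # field holding the target type
        k = t + 2                         # key follows the cipher spec
        if ($t == "crypt" && NF >= k && $k ~ /^[0-9a-fA-F]+$/)
            gsub(/[0-9a-fA-F]/, "0", $k)  # keep the length, drop the value
        print
    }'
}

# count_exposed_keys: print how many crypt lines on stdin still carry a
# non-zero hex key (useful as a check on logs or support bundles).
count_exposed_keys() {
    awk '
    {
        t = ($1 ~ /:$/) ? 4 : 3
        k = t + 2
        if ($t == "crypt" && NF >= k && $k ~ /^[0-9a-fA-F]+$/ && $k !~ /^0+$/)
            n++
    }
    END { print n + 0 }'
}

# Constructed sample input: the swap line from the thread plus a linear target.
sample_table() {
cat <<'EOF'
swap: 0 1975932 crypt aes-cbc-plain 3132333435363738313233343536373831323334353637383132333435363738 0 3:6 0
root: 0 4194304 linear 3:2 0
EOF
}

sample_table | mask_crypt_keys
```

On a live system the input would be `dmsetup table | mask_crypt_keys`; non-crypt lines pass through unchanged.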