Hi,

Firstly, thanks to ALL who have given us this excellent software!

I currently use dm-crypt with LUKS to protect the data drive on my laptop. I don't use encrypted root. Mostly I keep my business files, backups, personal files and vmware images on it.

What I would like to be able to do is to have the kernel keystore 'forget' my key when I ask it to without unmounting the drives. The mapped devices could simply block on all I/O from that point on.

The rationale is to be able to ditch the key whenever I suspend, lock my X session, or even just when I pull out my smartcard. Any app that times out its I/O might be unhappy with this, but I would be happy to do something like

    lsof -t /mnt/mtpoint | xargs kill -STOP

first (I am the only user, as is often the case in laptops for which disk encryption is primarily designed). Amarok, nautilus, emacs, shells and even VMWare seem fine with this (though I might do 'vmrun suspend' for that one).

In this way I truly "take my key with me" when I walk away. I know that kernel buffers etc. would be a vulnerability, but a thief couldn't just go spelunking through my crypto mounted drive. And when I walk back to my machine, I type in my key and my work continues uninterrupted. Every little thing helps where security is concerned.

Also, when you do a luksClose or remove, is the key in memory zeroed/shredded?

thanks again
-adam

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx