-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Sep 18, 2008 at 04:55:35AM +0200, Jan Reusch wrote:
> hi there
>
> Arno Wagner wrote:
> > On Wed, Sep 17, 2008 at 04:29:36PM -0500, Clayton Shepard wrote:
> >> It sounds like it may be more effective, and much less code, to write a well
> >> scripted front end that manages and automates the creation and opening of
> >> multiple LUKS devices at once.
> >
> > I agree. In addition this can be done by anybody competent, as it does
> > not need insights into the LUKS implementation.
> at this point you have to be very careful.
> one reason christophe initially switched from a scripted cryptsetup to
> a c implementation was that he could reliably erase the memory region
> the password was stored in.

That is where the "competent" comes in. Ordinary programming skills are
not enough, an understanding of security is needed. However, quite frankly,
the cipher set-up is in kernel memory anyways, and said "competents" can use
it to decrypt a LUKS partition. AFAIK, nothing in kernel memory is protected
from root. Still a good idea to do, as a non-overwritten key/passphrase can
stay in memory a long time after an encrypted partition has been umounted.

> some time ago there was a request to implement this behavior into
> cryptsetup, it shouldn't be too hard to split the parameters and place
> the while() into the right area.

Would require a different input mode though. Maybe a file/stdinput that lists
a set of PGP/GnuPG protected keyfiles and the associated partitions?

Arno
- --
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
- ----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI0oQ5eX9rUB4lM48RAt9/AKCWIWS+7NZOt7ihxpBnCOYnFRNonwCaAtfG
kNVzK90UmiQGHddqrYE2NPQ=
=NRHm
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
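As an added example (not code from this thread, from cryptsetup or from any of the posters), the C fragment below shows the point Jan raises: a native helper can scrub the buffer holding a passphrase with stores the compiler is not allowed to optimise away, and can keep that buffer out of swap with mlock(), neither of which a shell script that hands the passphrase to cryptsetup via the environment or a pipe can guarantee. The function names, the static buffer size and the passphrase used in main() are assumptions made for illustration.

```c
/* Added example, not from the dm-crypt list or cryptsetup: reliably
 * erasing a passphrase buffer from a native (C) front end. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Wipe through a volatile pointer. A plain memset() on a buffer that is
 * never read again may be dropped by the optimiser as a dead store; the
 * volatile qualifier forces every byte store to be emitted. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 when every byte of the buffer is zero, 0 otherwise. Used to
 * check that the wipe actually happened. */
int buffer_is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

#define PASS_MAX 512   /* assumed upper bound for a passphrase, illustration only */

/* Models the lifetime of a passphrase inside a native helper: copy it into
 * a buffer locked out of swap (best effort), "use" it, then scrub the
 * whole buffer, not just the bytes that were filled. The only thing that
 * escapes is the length, standing in for whatever a real helper would
 * derive from the passphrase before handing it to dm-crypt.
 * Returns 1 if the buffer is verifiably zero afterwards. */
int handle_passphrase(const char *src, size_t *used_len)
{
    static unsigned char buf[PASS_MAX];          /* fixed address, easy to mlock */
    size_t len = strnlen(src, PASS_MAX - 1);

    /* mlock() can fail under RLIMIT_MEMLOCK; the wipe below still runs,
     * so the failure is tolerated rather than fatal in this example. */
    int locked = (mlock(buf, sizeof buf) == 0);

    memcpy(buf, src, len);
    buf[len] = '\0';
    *used_len = len;                             /* the "use" of the secret */

    secure_wipe(buf, sizeof buf);
    if (locked)
        munlock(buf, sizeof buf);
    return buffer_is_zeroed(buf, sizeof buf);
}

int main(void)
{
    size_t n = 0;
    /* constructed sample passphrase for the demonstration */
    int clean = handle_passphrase("correct horse battery staple", &n);
    printf("used %zu bytes, buffer wiped: %s\n", n, clean ? "yes" : "no");
    return clean ? 0 : 1;
}
```

The same two guarantees are what a shell wrapper around cryptsetup cannot offer: the shell keeps the passphrase in its own heap, environment or pipe buffers, none of which it can lock or overwrite on demand.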