On Thu, Apr 15, 2010 at 08:24:54AM +0200, Milan Broz wrote:
> On 04/15/2010 01:30 AM, Arno Wagner wrote:
> > What I do not see in the current cryptsetup though, is an
> > option to read the passphrase from stdin, file or named pipe.
> > That would be a reasonable extension IMO.
>
> As mentioned in other mail, it can read passphrase from stdin,
> also keyfile is supported.

Ah, for some reason I thought this was a raw keyfile. Of course
'keyfile' does not mean keyfile, but file with the passphrase
in case of LUKS. And for plain dm-crypt, the passphrase
is the (not yet hashed) key. Temporary confusion on my side.

> But for these types of applications it is better to use libcryptsetup,
> you can better control which buffer contains passphrase so you can
> wipe it. Also locking of memory (avoid to swap out memory
> with sensitive data) is better controlled through library than
> in some shell script.

True, if you want reasonable security.

> An example of code snip to open LUKS device is here
> http://code.google.com/p/cryptsetup/issues/detail?id=58&can=1#c1

Thanks.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
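
The buffer control and memory locking discussed in this message, sketched in C as an added example; it is not part of the original thread and is not cryptsetup's code. The names `with_passphrase`, `record_len`, `use_pass_fn` and `PASS_MAX` are hypothetical, and the callback marks the point where a real program would hand the passphrase to libcryptsetup.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define PASS_MAX 512                 /* assumed limit for this example */
static char pass_buf[PASS_MAX];      /* the only copy of the passphrase */

/* Hypothetical hook: a real program would call libcryptsetup here. */
typedef int (*use_pass_fn)(const char *pass, size_t len, void *ctx);

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Unbuffered read of one line; stdio would keep its own copy of the bytes. */
static long read_line(int fd, char *buf, size_t cap) {
    size_t n = 0;
    while (n < cap) {
        ssize_t r = read(fd, buf + n, 1);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0 || buf[n] == '\n') return (long)n;
        n++;
    }
    return -1;                       /* too long: refuse, do not truncate */
}

/* Lock the buffer, read the passphrase, hand it to fn, then always wipe. */
int with_passphrase(int fd, use_pass_fn fn, void *ctx) {
    int locked = mlock(pass_buf, sizeof pass_buf) == 0;
    if (!locked) perror("mlock (continuing, buffer may be swapped)");
    long n = read_line(fd, pass_buf, sizeof pass_buf);
    int rc = n < 0 ? -1 : fn(pass_buf, (size_t)n, ctx);
    wipe(pass_buf, sizeof pass_buf);
    if (locked) munlock(pass_buf, sizeof pass_buf);
    return rc;
}

/* Constructed stand-in for the unlock call: records only the length. */
static int record_len(const char *pass, size_t len, void *ctx) {
    (void)pass; *(size_t *)ctx = len; return 0;
}

int main(void) {                     /* works with stdin, a file or a FIFO */
    size_t len = 0;
    int rc = with_passphrase(STDIN_FILENO, record_len, &len);
    printf("rc=%d, passphrase length=%zu\n", rc, len);
    return rc ? 1 : 0;
}
```

The same descriptor-based read serves stdin, a regular file or a named pipe, and the wipe runs on the error path as well as on success.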