Hi guys,
I've been following this discussion for a few days. And I feel like giving my opinion... :-)
On 16 January 2014 09:50, Ondrej Kozina <okozina@xxxxxxxxxx> wrote:
On 01/15/2014 09:27 PM, Milan Broz wrote:
In that case, let me join you with my humble Sigh as well.
On 01/14/2014 05:30 AM, Arno Wagner wrote:
I think that in your scenario, "nuke" does not have any real
advantages over just not having the passphrase, and that one
is dangerous.
Well, this idea is not new and I responded very similarly months ago.
http://code.google.com/p/cryptsetup/issues/detail?id=110#c1
But it seems there are a lot of people in disagreement.
I was quite surprised that most of the people from
our university security&crypto lab I met today and asked
(to have some other opinions) said that despite "nuke password"
having very limited use, it is worth having something like that...
Sigh... :)
Yes, I also tend to agree with Arno's arguments and I feel that there is no real (non-dangerous) use case for this.
But what I really want to avoid is that every distribution will
add some random patches implementing something like this.
It is perhaps better to implement and document this upstream.
I would argue that it's really independent from any actual crypto logic. The only thing that needs to be done is to wrap the password/key prompt and check the password against a known salted hash or PBKDF (same as all Linux distros do). Then "nuking" the container is actually quite simple. Just erase the LUKS header by zeroing it. This is not any more complex than what distros already have to do to support root-on-LUKS.
Actually this functionality is simple enough that anyone actually wanting it can just write their own password prompt wrapper script.
I would point out that this doesn't require any more information from LUKS internals than mounting a block device from /etc/crypttab would. And so it's entirely possible to keep the code layered and simple. KISS applies.
Moreover, I think it's wrong to assume that distros don't share any of their code. Proof is, they fork each other. It wouldn't have to be implemented a dozen times.
Ok, I just think that this new feature is quite heavily disputed already. This is perhaps the third discussion I found on that topic in a few minutes of searching. Please, make the "nuke password" option configurable so that it can be easily removed from any distribution that wouldn't agree with the arguments for including it.
Best regards
Ondra
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
Just my .02$,
--
Thomas Bastiani
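
The prompt wrapper described in the message above (check the entered passphrase against a salted PBKDF2 record, then zero the header), as an added example that is not part of the original thread or of cryptsetup. It runs only against a constructed temporary file; `HEADER_BYTES`, `ITERATIONS` and all function names are assumptions, not a real LUKS layout.

```python
import hashlib, hmac, os, tempfile

ITERATIONS = 200_000   # assumed PBKDF2 cost, tune for the boot environment
HEADER_BYTES = 4096    # constructed size for the demo image, not a real LUKS layout
PAYLOAD = b"payload-ciphertext"  # constructed stand-in for the encrypted data area

def make_record(passphrase: str) -> dict:
    """Create the stored salted PBKDF2 record for the nuke passphrase."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def is_nuke(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def zero_header(path: str, length: int = HEADER_BYTES) -> None:
    """Overwrite the first `length` bytes with zeros and force them to storage."""
    with open(path, "r+b") as f:
        f.write(bytes(length))
        f.flush()
        os.fsync(f.fileno())

def handle_prompt(candidate: str, record: dict, container: str) -> str:
    """Wrapper decision: 'nuked' on a match, else 'unlock' (hand off to the normal unlock)."""
    if is_nuke(candidate, record):
        zero_header(container)
        return "nuked"
    return "unlock"

def read_all(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()

def demo() -> dict:
    """Exercise both branches on a constructed temp file standing in for the container."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"HDR!" * (HEADER_BYTES // 4) + PAYLOAD)
        path = f.name
    try:
        record = make_record("constructed-nuke-phrase")
        first = handle_prompt("ordinary passphrase", record, path)
        intact = read_all(path)[:4] == b"HDR!"
        second = handle_prompt("constructed-nuke-phrase", record, path)
        data = read_all(path)
        return {"first": first, "intact": intact, "second": second,
                "header_zeroed": data[:HEADER_BYTES] == bytes(HEADER_BYTES),
                "payload_kept": data[HEADER_BYTES:] == PAYLOAD}
    finally:
        os.unlink(path)
```

A header copy made earlier with `cryptsetup luksHeaderBackup` is untouched by this, so zeroing the on-disk header removes access only where no such backup exists.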