Re: Empty key files vs empty passwords in plain mode

On 23/11/2014 15:57, Milan Broz wrote:
On 11/23/2014 03:01 PM, Quentin Lefebvre wrote:
...
Well, logically it should be the same. But reading empty keyfile never worked AFAIK

Right, and this is just because of a test that returns an error code in
case the key file is empty.

and IMHO the case that you encrypt device by empty keyfile by mistake
is more common...

I agree and I think there should be at least a warning.

Maybe for luksFormat but not for plain case. Otherwise everyone with access
to logs or screen scroll up will see that password is empty.

I have a generic rule that cryptsetup output (even debug log) must not
contain usable information about your password or key.

OK, this makes sense.

I am tempted to say it is a safety feature rather than a bug :-)

Anyway, please create issue on project page, https://code.google.com/p/cryptsetup/issues/list
If you have a patch, attach it there as well.

Sure, I'll do that. But which tool is preferred to write a patch for
cryptsetup?

Whatever is applicable. The best is one created the "git format-patch" way,
so I can simply apply it to git if it is correct.

There is also repository mirror on github so pull request there will work as well.
(I will just not use github directly because it is not primary repo.)

Thanks for the advice.

At this point, I think I'll try to write a patch that accepts an empty key file, except in the case where --force-password is set (actually I didn't know this parameter).

Best,
Quentin

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt




