On Fri, Dec 12, 2014 at 17:23:20 CET, Ahmed, Safayet (GE Global Research) wrote:
>
> Is there a way to set up an encrypted partition with keys from the kernel
> key ring? The key-ring services support special keys called encrypted
> keys. These keys never exist outside kernel memory in an un-encrypted
> state. These encrypted keys are encrypted with other keys in the kernel
> keyring: user keys and trusted keys. Trusted keys are keys protected by a
> TPM SRK.
>
> http://lxr.free-electrons.com/source/Documentation/security/keys-trusted-encrypted.txt
>
> This would be something different from TPM-LUKS which protects keys in the
> TPM NVRAM. A possible advantage of using encrypted keys from the kernel
> key ring is that the key(s) used by dm-crypt never have to be exposed to
> user space in an unencrypted state. Currently, user space can see the
> encryption key of a dm-crypt partition in plain text by using the
> following command:
>
> dmsetup table --showkeys <device name>
>
> I am not entirely sure if that is an issue.

It is not. The Unix protection model assumes root is trusted and can do
anything. Root can dump kernel memory as well. Trying to put in a
protection method here that is not in line with the Unix protection model
is not going to help much.

> Lastly, I just want to mention that trusted keys and encrypted keys are
> already used for ecryptfs:
>
> http://lxr.free-electrons.com/source/Documentation/security/keys-ecryptfs.txt

I would be very surprised if root could not get the ecryptfs keys.

Grüsse,
Arno

> Thanks,
>
> Safayet
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
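An added audit helper, not part of the thread above: it parses the same `dmsetup table --showkeys` output Safayet mentions and reports, per mapping, whether the dm-crypt key is a hex literal visible in the table or a reference to a kernel keyring key. The keyring reference syntax in the key field (`:<key_size_bytes>:<key_type>:<key_description>`) is something later dm-crypt versions (kernel 4.12 onward) added and is assumed here; the sample table lines, the device names, the hex key and the `EXAMPLE-UUID` description are all constructed. As Arno notes, a keyring reference still does not protect the key from root, so this check only tells you which mappings expose key material to anyone able to run `dmsetup` (example code, not from the list or the dm-crypt project):

```bash
#!/usr/bin/env bash
# Audit dm-crypt mappings for keys exposed in `dmsetup table --showkeys` output.
# SAMPLE_TABLE is a constructed stand-in for that output; the 64-hex-char key
# is a dummy value (32 bytes, matching aes-xts-plain64 with a 256-bit key).
SAMPLE_TABLE='home: 0 2097152 crypt aes-xts-plain64 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0 8:3 4096
data: 0 4194304 crypt aes-xts-plain64 :32:logon:cryptsetup:EXAMPLE-UUID-d0 0 8:4 4096
swap: 0 1048576 linear 8:5 0'

# Classify one table line of the form "<name>: <start> <len> <target> <args...>".
# Prints one of:
#   "<name> not-crypt"                      target is not dm-crypt
#   "<name> exposed <hexlen>"               key field is a hex literal
#   "<name> keyring <type> <description>"   key field references a kernel key
classify_dm_line() {
    local line="$1" name rest spec ktype kdesc
    name="${line%%:*}"
    rest="${line#*: }"
    # Positional fields after the name: $1 start, $2 len, $3 target, $4 cipher, $5 key
    # shellcheck disable=SC2086
    set -- $rest
    if [ "$3" != "crypt" ]; then
        echo "$name not-crypt"
        return 0
    fi
    case "$5" in
        :*)
            spec="${5#:}"                 # size:type:description
            ktype="${spec#*:}"; ktype="${ktype%%:*}"
            kdesc="${spec#*:*:}"          # description may itself contain colons
            echo "$name keyring $ktype $kdesc"
            ;;
        *)
            echo "$name exposed ${#5}"
            ;;
    esac
}

# Read table lines on stdin, classify each one, and print the number of
# mappings whose key is a hex literal as the last line of output.
count_exposed_keys() {
    local line result exposed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(classify_dm_line "$line")
        case "$result" in
            *" exposed "*) exposed=$((exposed + 1)) ;;
        esac
    done
    echo "$exposed"
}

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_TABLE" | count_exposed_keys   -> 1
# On a real host you would feed it `dmsetup table --showkeys` (as root) instead.
```

The parser keys off the table format, not on cryptsetup specifics, so it also flags mappings created directly with `dmsetup` or `cryptsetup open --type plain`; the keyring branch reports the key type and description so an auditor can cross-check them against `keyctl show` without the key bytes ever appearing in the output.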