On 04/25/2017 06:16 PM, Sven Eschenberg wrote:
>
> Furthermore, everyone who had access to /dev/mem and was able to locate
> the keys knows them. On second thought, this holds certainly true for
> the 'new central kernel key storage' (Forgot the name), depending on the
> overall kernel configuration and userspace, that is.
>
> At the end of the day dm-crypt (etc.) needs to store the key somewhere,
> where it can be accessed at all times when an IO-Request comes in. There
> are not that many options for that ;-).

Crypto API stores the key in memory as well (even the round keys etc), obviously.

We already have support for the kernel keyring in dm-crypt (so the key will not be directly visible in the dmsetup table); this will be supported in the next major version of cryptsetup/LUKS.

But as you said, if you have access to the kernel memory, it is there anyway...

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
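An added example, not part of the original message or of the dm-crypt/cryptsetup code: a Python check that reads `dmsetup table` output and reports, for each crypt mapping, whether the key field is a kernel keyring reference or hex carried in the table itself. The sample lines and mapping names are constructed, and the `:<size>:<type>:<description>` key field layout is assumed from the kernel's dm-crypt documentation.

```python
import re
from typing import List, NamedTuple, Optional

class CryptKey(NamedTuple):
    name: Optional[str]   # mapping name, if the line carried one
    cipher: str
    key_source: str       # "keyring", "inline-hex" or "none"
    detail: str

# Constructed sample of `dmsetup table` output; names, sizes and the
# all-zero UUID are made up for illustration.
SAMPLE = "\n".join([
    "luks_root: 0 41938944 crypt aes-xts-plain64 "
    ":64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:3 32768",
    f"old_data: 0 2093056 crypt aes-cbc-essiv:sha256 {'0' * 64} 0 8:17 4096",
    "vg-home: 0 1048576 linear 8:2 2048",
])

def classify(table_text: str) -> List[CryptKey]:
    """Report how each dm-crypt mapping in the table text references its key."""
    results = []
    for line in table_text.splitlines():
        parts = line.split()
        name = None
        if parts and not parts[0].isdigit():      # "name:" prefix present
            name, parts = parts[0].rstrip(":"), parts[1:]
        # Layout assumed: <start> <size> crypt <cipher> <key> <iv_offset> ...
        if len(parts) < 5 or parts[2] != "crypt":
            continue
        cipher, key = parts[3], parts[4]
        if key.startswith(":"):
            # Keyring reference; the description may itself contain colons.
            fields = key[1:].split(":", 2)
            if len(fields) != 3 or not fields[0].isdigit():
                raise ValueError(f"malformed keyring reference: {key!r}")
            size, ktype, desc = fields
            results.append(CryptKey(name, cipher, "keyring",
                                    f"{size}-byte {ktype} key {desc}"))
        elif key == "-":
            results.append(CryptKey(name, cipher, "none", "no key set"))
        elif re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key):
            # Hex in the table itself (shown zeroed unless --showkeys is used).
            results.append(CryptKey(name, cipher, "inline-hex",
                                    f"{len(key) // 2}-byte key in table"))
        else:
            raise ValueError(f"unrecognised key field: {key!r}")
    return results
```

The result only says where the table points for the key; in both cases the key material is held in kernel memory, as the reply above notes.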