Hello Milan,

thanks a lot, that helps.

> it is quite easy with dmsetup, but unlike LUKS, there is not a way how
> you can check that reinstated key is correct (you can resume target with different
> key and cause severe data corruption - that's why we do not support it in cryptsetup).

Ok, I can understand that problem. I will fix it in my script with a comparison against SHA-256(key), which I will store on the ramdisk. Only if the key matches will the script continue.

> Note that in future we will optionally support activation through kernel keyring,
> so you will put key there, not to dmsetup.

That sounds interesting, but I'm not sure if it will help. I try to erase the key before I suspend to RAM so that cold boot attacks don't work here. If it's in the kernel keyring, it should still be possible to find it in memory. Or have I misread the keyring concept?

--
cheers
wof
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
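
The check described in the message above, as an added example that is not part of the original post or the poster's script: store SHA-256 of the volume key before wiping it, and refuse to reinstate a key whose digest differs. The function names, the digest file location and the convention of supplying the key as a hex string in a file are assumptions; `key set` is the dm-crypt target message that `dmsetup message` delivers to a suspended mapping.

```shell
#!/bin/sh
# Added example. All function names and file paths are hypothetical.

# Print the hex SHA-256 of the hex key string read from stdin.
# Newlines are stripped first so "key" and "key\n" hash identically.
key_digest() {
    tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Record the digest of the current key before it is wiped.
# $1 = digest file (e.g. on the ramdisk); key on stdin.
store_digest() {
    ( umask 077; key_digest > "$1" )
}

# Succeed only if the key on stdin hashes to the stored digest.
# $1 = digest file. Returns 2 if no digest was stored, 1 on mismatch.
key_matches() {
    [ -r "$1" ] || return 2
    expected=$(cat "$1")
    actual=$(key_digest)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Reinstate the key on a suspended dm-crypt mapping and resume it,
# but only after the digest check passes. A wrong key is never loaded,
# so the mapping stays suspended instead of corrupting data.
# $1 = mapping name, $2 = digest file, $3 = file holding the hex key.
reinstate_key() {
    if ! key_matches "$2" < "$3"; then
        echo "key does not match stored digest; leaving $1 suspended" >&2
        return 1
    fi
    # Note: dmsetup takes the key as an argument, so it is briefly
    # visible in the process list while this command runs.
    dmsetup message "$1" 0 key set "$(tr -d '\n' < "$3")" &&
        dmsetup resume "$1"
}
```

The stored digest lets the script reject a mistyped or wrong key, which dmsetup itself cannot do; it does not change where the key resides in memory once it has been set again.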