The example by fossies (here: https://fossies.org/linux/cryptsetup/docs/Keyring.txt ) shows how to create a key bound to the thread keyring: the key is not persistent across sessions.

In my model, I am concerned about threats post-disposal of the underlying device. I also require unattended startup during the in-use lifetime (e.g. no manual passphrase entry). Finally, I need rapid data destruction (e.g. faster than overwriting the underlying media).

One conceivable design is to use LUKS2-encrypted storage with a token linked to a persistent keyring (e.g. persistent across reboots). Data destruction would be cost-effectively achieved by destroying the master passphrase. I note that there is a kernel feature for persistent keyrings, but such keyrings are not accessible to users (only authorized processes). Is there a way to create a persistent token for this purpose?

Question: Can someone provide a line-by-line example of how to unlock a LUKS2 container using a persistent token, if indeed it is possible to do so?

An alternative design could be to place a key on removable media (also problematic; see separate post). I would like to understand persistent tokens regardless.

Many thanks.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
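The following script is an added example for the question above; it is not code from the original post, from cryptsetup's Keyring.txt, or from the cryptsetup project. It shows the full cycle the post asks about with a LUKS2 "keyring" token: format the device with a keyfile, attach a token that names a kernel key description, load that key into the kernel keyring at boot and open the volume by token alone (no prompt), then destroy the data by dropping the key and erasing every keyslot. Kernel keyrings live only in kernel memory, so nothing in them survives a reboot; the example therefore reloads the key from a keyfile each boot, and that keyfile (or a TPM-sealed replacement for it) is the part of the design that still needs protecting. The device path, mapper name, key description and keyfile path are hypothetical placeholders; running the setup/open/destroy commands requires root, cryptsetup 2.x and keyutils.

```shell
#!/bin/sh
# Added example, not from the original post or from cryptsetup's own docs.
# Binds a LUKS2 keyslot to a kernel keyring key via a LUKS2 "keyring" token.
# Hypothetical placeholders: DEV, NAME, DESC, KEYFILE (override via env).
set -eu

DEV="${DEV:-/dev/sdX1}"                 # hypothetical LUKS2 block device
NAME="${NAME:-secret}"                  # dm-crypt name under /dev/mapper
DESC="${DESC:-cryptsetup:secret}"       # key description recorded in the token
KEYFILE="${KEYFILE:-/root/secret.key}"  # passphrase reloaded at each boot

need_tools() {
  for t in cryptsetup keyctl; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
  done
}

# Write a 64-character hex passphrase (256 bits of entropy) to $1 with mode 0600
# and print the path. Hex keeps the value free of NUL bytes and newlines, so it
# round-trips identically through --key-file and keyctl padd.
gen_keyfile() {
  (umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1")
  printf '%s\n' "$1"
}

# One-time setup: keyslot 0 is unlocked by the keyfile contents, and the keyring
# token tells cryptsetup which key description to look up at open time.
setup() {
  need_tools
  gen_keyfile "$KEYFILE" >/dev/null
  cryptsetup luksFormat -q --type luks2 --key-file "$KEYFILE" "$DEV"
  cryptsetup token add --key-description "$DESC" "$DEV"
  cryptsetup luksDump "$DEV" | grep -A3 '^Tokens'
}

# Per boot: load the passphrase as a "user" key into the user keyring (@u) and
# link @u into the session keyring, because cryptsetup finds the key with
# request_key(2), which only searches the caller's thread, process and session
# keyrings and whatever is linked into them.
load_key() {
  need_tools
  keyctl padd user "$DESC" @u < "$KEYFILE" >/dev/null
  keyctl link @u @s >/dev/null 2>&1 || true
}

# Token-only activation: a missing key fails outright instead of prompting,
# which is what an unattended start needs.
open_volume() {
  need_tools
  cryptsetup open --token-only "$DEV" "$NAME"
}

# Rapid destruction: unmap the volume, drop the key from the keyring, shred the
# keyfile, then erase all keyslots. luksErase keeps the LUKS2 header but no
# keyslot can yield the volume key afterwards, so the ciphertext is unrecoverable
# without overwriting the media.
destroy() {
  need_tools
  cryptsetup close "$NAME" 2>/dev/null || true
  keyctl purge user "$DESC" >/dev/null 2>&1 || true
  shred -u "$KEYFILE" 2>/dev/null || true
  cryptsetup luksErase -q "$DEV"
}

case "${1:-}" in
  setup)   setup ;;
  open)    load_key; open_volume ;;
  destroy) destroy ;;
  "")      echo "usage: $0 setup|open|destroy" ;;
  *)       echo "unknown command: $1" >&2 ;;
esac
```

Run `setup` once, `open` from a boot-time unit, and `destroy` when the data must go. The key that the token references is the keyslot passphrase, not the volume key, so `luksErase` (or `luksKillSlot` on the one slot) is what makes the data unrecoverable; purging the keyring key alone only stops further unattended opens until the keyfile is loaded again. If the boot unit runs under a private session keyring, load the key and call `cryptsetup open` from the same unit, as the `open` subcommand does, or the `request_key` lookup will not see it.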