On 3/31/20 5:05 PM, JT Morée wrote:
To make the example and explanation more complete: You can store secret
in an unbound keyslot. So technically you may use a LUKS2 unbound keyslot as
...
I'm not sure this is the most practical use for a LUKS2 unbound keyslot,
Regards O.
I'm glad you brought that up because it leads to my next questions about the token feature.
I have a binary blob which is a private key generated from random binary data that is encrypted with a gpg public key into pkcs format. I want to store it in the LUKS2 header for use with a smart card. This seems to be the direction this project is heading and I would like to help (or understand alternatives and help with those).
From the other messages we have on this list and the LUKS2 spec I understand that the token imports json (text) data. If I wanted to store arbitrary binary data it would have to be encoded.
Yes, we encode binary data in base64.
See the token examples in the misc/luks2_keyslot_example directory (bad
name... let's fix it already) in the cryptsetup sources to get a picture.
You _don't_ have to implement a token handler if you're interested only in
storing external metadata in JSON (systemd does it for encrypted
systemd-homed I think, or the clevis/tang project).
But if you're interested in automatic unlocking via tokens, I'd
recommend waiting for the cryptsetup-2.4.0 RC0 announcement. We're working on
adding support for dynamically loadable plugins and that's probably what
you'd want to wait for.
Regards O.
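As an added illustration of the reply above (example code, not from cryptsetup or from either poster): a LUKS2 token is a JSON object, so an opaque blob such as the PGP-encrypted key has to be base64-encoded before it is stored. The block builds such a token object with the two fields the LUKS2 format requires of every token ("type" and "keyslots") and parses it back with the checks a consumer would want; the "key_blob" field name, the token type string and the 32-byte sample blob are this example's own assumptions.

```python
import base64
import json

# Constructed sample: 32 predictable bytes standing in for the PGP-encrypted
# private-key blob from the thread. Not a real key.
SAMPLE_BLOB = bytes(range(32))


def make_token(blob: bytes, token_type: str, keyslots: list[int]) -> dict:
    """Build a LUKS2 token JSON object that carries a binary blob.

    Tokens are JSON text, so the blob is base64-encoded. "type" and "keyslots"
    are mandatory in every LUKS2 token; "key_blob" is this example's own field.
    """
    # Token types starting with "luks2-" are reserved for cryptsetup's own tokens.
    if token_type.startswith("luks2-"):
        raise ValueError("the luks2- type prefix is reserved for cryptsetup")
    return {
        "type": token_type,
        # keyslot references are keyslot ids written as strings in LUKS2 JSON
        "keyslots": [str(k) for k in keyslots],
        "key_blob": base64.b64encode(blob).decode("ascii"),
    }


def parse_token(text: str) -> tuple[str, list[int], bytes]:
    """Parse token JSON into (type, keyslot ids, raw blob); reject malformed input."""
    obj = json.loads(text)
    if not isinstance(obj.get("type"), str) or not obj["type"]:
        raise ValueError("token is missing a non-empty string 'type'")
    slots = obj.get("keyslots")
    if not isinstance(slots, list) or not all(
        isinstance(s, str) and s.isdigit() for s in slots
    ):
        raise ValueError("'keyslots' must be a list of decimal keyslot ids as strings")
    blob_b64 = obj.get("key_blob")
    if not isinstance(blob_b64, str):
        raise ValueError("token has no 'key_blob' field")
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently discarding them, so a corrupted header field does not decode to junk.
    blob = base64.b64decode(blob_b64, validate=True)
    return obj["type"], [int(s) for s in slots], blob


def roundtrip(blob: bytes = SAMPLE_BLOB, token_type: str = "example-pgp-smartcard",
              keyslots: tuple[int, ...] = (0,)) -> tuple[str, list[int], bytes]:
    """Encode a blob into token JSON text and decode it again."""
    text = json.dumps(make_token(blob, token_type, list(keyslots)))
    return parse_token(text)
```

Importing such an object into a header is done with cryptsetup's token import command; this block only shows the JSON the page says that import expects.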
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt