Re: [PATCH v1 0/3] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ahmad,

----- Ursprüngliche Mail -----
> Von: "Ahmad Fatoum" <a.fatoum@xxxxxxxxxxxxxx>
>> But using LUKS would mean that cryptsetup has access to the plain disc
>> encryption key material?
>> This would be a no-go for many systems out there, key material must not
>> accessible to userspace.
>> I know, distrusting userspace root is not easy, but doable. :)
> 
> The LUKS2 format supports tokens. I see no reason why the encrypted blob
> couldn't be stored there along with the usual metadata. cryptsetup would
> then load it as kernel trusted key and use it for dmcrypt decryption.
> 
> This will mean we have to part ways with features such as having multiple
> keys, but I think it's worth it to have a plug and play solution for
> trusted keys.

Ah, now I can follow your thoughts!
Yes, that would be nice to have. :)

I kind of assumed you want to use LUKS with passphrases and CAAM blobs.

Thanks,
//richard



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux