I forgot an important piece of information: UMASK should be changed to 0077 to ensure that regular users can't access the keys.
-8<------------------------------------------------------------------>8- diff --git a/debian/README.initramfs b/debian/README.initramfs index ce7e01a..85f8828 100644 --- a/debian/README.initramfs +++ b/debian/README.initramfs @@ -239,6 +239,10 @@ following to initramfs.conf to add them to the initrd. KEYFILE_PATTERN="/etc/keys/*.key" export KEYFILE_PATTERN + UMASK=0077 + +(If the initramfs image is to contain private key material, you'll want +create it with a restrictive umask.) -- David Härdeman <da...@hardeman.nu> -- Jonas Meurer <m...@debian.org> Thu, 01 Nov 2012 13:44:31 +0100 -8<------------------------------------------------------------------>8- -- Guilhem
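Review bot: In the parenthetical added after UMASK=0077, "you'll want create it" is missing "to", and the text never says what the restrictive umask protects against. Suggest something like "you'll want to create it with a restrictive umask so that regular users can't read the keys", which matches the rationale given in the covering message. Also, KEYFILE_PATTERN just above is followed by an export line while UMASK is not; if that is intentional, a short remark in the README would keep readers from assuming an export was forgotten.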