On 09.12.2015 at 19:58, Guilhem Moulin wrote:
> I forgot an important piece of information: UMASK should be changed to
> 0077 to ensure that regular users can't access the keys.

Sounds reasonable. I added it to the SVN repository for now. But am I correct that setting the UMASK in initramfs.conf will have an impact on all files that are added to the initramfs? This might lead to unwanted side effects. Why not set the key file permissions directly while copying it to the initramfs in the cryptroot hook?

Cheers,
jonas

>
> -8<------------------------------------------------------------------>8-
> diff --git a/debian/README.initramfs b/debian/README.initramfs
> index ce7e01a..85f8828 100644
> --- a/debian/README.initramfs
> +++ b/debian/README.initramfs
> @@ -239,6 +239,10 @@ following to initramfs.conf to add them to the initrd.
>
> KEYFILE_PATTERN="/etc/keys/*.key"
> export KEYFILE_PATTERN
> + UMASK=0077
> +
> +(If the initramfs image is to contain private key material, you'll want
> +create it with a restrictive umask.)
>
> -- David Härdeman <da...@hardeman.nu>
> -- Jonas Meurer <m...@debian.org> Thu, 01 Nov 2012 13:44:31 +0100
> -8<------------------------------------------------------------------>8-
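Review bot: the added parenthetical does not say what the umask applies to, and its second line drops a word ("you'll want create it" should read "you'll want to create it"). The example places UMASK=0077 directly under KEYFILE_PATTERN, which is exported while UMASK is not, so a reader of these lines cannot tell whether the restrictive umask covers only the generated image, every file copied into it, or both, nor whether UMASK needs an `export` of its own. Spell that out in the parenthetical, for instance "(If the initramfs image is to contain private key material, you'll want to create it with a restrictive umask such as UMASK=0077, so that the keys are not readable by regular users.)", and state whether the variable must be exported.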
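The side effect raised in the reply, shown as an added example that is not code from this thread, from initramfs-tools or from the cryptsetup hooks: a global umask such as the proposed UMASK=0077 tightens every file created while it is in effect, whereas setting the mode only on the key copy (install -m 0600 in the hook) leaves the other files alone. It assumes a POSIX shell with GNU coreutils (stat -c, install, mktemp); all paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example; mkinitramfs and the real cryptroot hook are not involved.
# Two ways to keep a key file private inside a generated tree:
#   (a) a global umask (what UMASK=0077 in initramfs.conf would impose)
#   (b) an explicit mode on the key copy only, umask left at the default

# Octal mode of a file (GNU coreutils stat; assumption).
mode_of() { stat -c '%a' "$1"; }

# Populate a throw-away tree from $src under umask $mask, copying a helper
# script and a key file the way a simple hook might.
# $key_install is "copy" (plain cp) or "explicit" (install -m 0600).
# Prints "<helper mode> <key mode>".
build_tree() {
    src=$1; dest=$2; mask=$3; key_install=$4
    (
        umask "$mask"
        mkdir -p "$dest/scripts" "$dest/etc/keys"
        cp "$src/helper.sh" "$dest/scripts/helper.sh"
        if [ "$key_install" = explicit ]; then
            install -m 0600 "$src/disk.key" "$dest/etc/keys/disk.key"
        else
            cp "$src/disk.key" "$dest/etc/keys/disk.key"
        fi
    )
    echo "$(mode_of "$dest/scripts/helper.sh") $(mode_of "$dest/etc/keys/disk.key")"
}

# Run both approaches on the same constructed input.
# Prints "global: <modes>" then "explicit: <modes>".
compare_approaches() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf '#!/bin/sh\necho hook helper\n' > "$work/src/helper.sh"
    chmod 0755 "$work/src/helper.sh"          # executable, as a hook script is
    printf 'constructed key bytes\n' > "$work/src/disk.key"
    chmod 0644 "$work/src/disk.key"           # worst case: world-readable source
    echo "global: $(build_tree "$work/src" "$work/a" 0077 copy)"
    echo "explicit: $(build_tree "$work/src" "$work/b" 0022 explicit)"
    rm -rf "$work"
}

compare_approaches
```

Under the global umask the helper script loses its group/other bits along with the key (700 600); with an explicit mode only the key is tightened (755 600).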