Control: severity -1 wishlist

Hi Birger,

On Sun, 30 Aug 2020 at 19:24:43 +0000, Birger Schacht wrote:
> This defeats the purpose of cryptsetup-suspend (at least in my threat
> model ;) ) - maybe there can be an option to *not* include the key in
> the initramdisk in the case of cryptsetup-suspend and it is only
> possible to unlock on resume using a password?

It's unclear to me what the best course of action is. An option to remove key material from the initramfs would need to be treated with care, because the document you linked to also suggests using key-slot=, which would also need to be removed (or the same passphrase be used). For now I guess we can just document that this is not a supported threat model.

Cheers,
--
Guilhem.