Source: cryptsetup-nuke-password
Version: 4+nmu1
Severity: wishlist

Hey.

I think the description should add some important details:

*If* a sufficiently advanced 3-letter-government organisation would seize someone’s computer, it's rather unlikely that the idea of wiping the master keys with a special passphrase would work out, since copies of the medium containing the plain dm-crypt / LUKS would likely have been made (quite likely, even unknown to the user... maybe while he wasn’t at home).

Instead, unlocking would then not only give proof that the user actually has access to the encrypted volume (which may already be enough to disappear at some black site ;-) )... but also give "them" a key (keylogger), which "they" could then use to open the device, simply from some other system, not booting into the one that contains the "nuke" code, and just have access to the data.

I think right now, people may quite easily get a sense of wrong security, while they'd actually make things worse (by giving out a key).

Cheers,
Chris.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.11-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)