Ahmad,

----- Original Message -----
> From: "Ahmad Fatoum" <a.fat...@pengutronix.de>
>> But using LUKS would mean that cryptsetup has access to the plain disc
>> encryption key material?
>> This would be a no-go for many systems out there; key material must not be
>> accessible to userspace.
>> I know, distrusting userspace root is not easy, but doable. :)
>
> The LUKS2 format supports tokens. I see no reason why the encrypted blob
> couldn't be stored there along with the usual metadata. cryptsetup would
> then load it as a kernel trusted key and use it for dm-crypt decryption.
>
> This will mean we have to part ways with features such as having multiple
> keys, but I think it's worth it to have a plug-and-play solution for
> trusted keys.
Ah, now I can follow your thoughts! Yes, that would be nice to have. :)
I kind of assumed you wanted to use LUKS with passphrases and CAAM blobs.

Thanks,
//richard