/srv/irclogs.ubuntu.com/2021/08/26/#ubuntu-security.txt

[02:18] <ShellcatZero1> I have heard that there is a security concern with self-decrypting LUKS volumes where the key is stored in the initrd image in plain text. Can anyone describe how one would actually find/view the key in initrd files, with or without making comparisons to an existing key file?
[02:20] <ShellcatZero1> I'm trying to assess the actual security impact of this method.
[02:38] <amurray> if the key is stored in plain text then anyone can boot a live-USB and read the key then decrypt the disk - hence this offers no real benefit from what I can tell (initrd files can be easily decompressed and the contents read out)
[07:49] <ShellcatZero1> amurray: Yes, but how do you actually do this with the initrd files? My attempts so far at decompressing and pulling the plain-text contents have failed to show anything meaningful.
[07:52] <TJ-> ShellcatZero1: if the keys are in the initrd then the /boot/ file-system also needs to be encrypted and unlocked by the boot-loader, else anyone can extract the files from the initrd.img with unmkinitramfs
[08:01] <ShellcatZero1> ok, thanks TJ-
[08:03] <amurray> ShellcatZero1: eg: https://paste.ubuntu.com/p/22ymwDN7mJ/ - so if you had a file in the initrd called say /boot/key then someone could read it as easily as I read out /etc/passwd from the initrd there
[08:05] <TJ-> ShellcatZero1: I have encrypted /boot/, within which the initrd.img sits; key is "cryptroot/keyfiles/LUKS_VG.key"
[08:09] <ShellcatZero1> TJ-: In your scenario, you are manually providing a password to unlock /boot/ then, right?
[08:10] <TJ-> ShellcatZero1: well, 'something' is, yes; it doesn't have to be manual
[08:11] <TJ-> ShellcatZero1: e.g. in one scenario (encrypted /boot/ on a headless router) the router can load GRUB via PXE on a dedicated link and unlock automatically
[08:13] <ShellcatZero1> ok
[09:18] <ShellcatZero1> TJ-: Do you have any documentation you can share regarding that setup for encrypted /boot/?
[09:20] <TJ-> ShellcatZero1: I wrote this, the detail is in there https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
[09:22] <ShellcatZero1> Ah, thanks!
=== tomreyn_ is now known as tomreyn
