ShellcatZero1 | I have heard that there is a security concern with self-decrypting LUKS volumes where the key is stored in the initrd image in plain text. Can anyone describe how one would actually find/view the key in initrd files, with or without making comparisons to an existing key file? | 02:18 |
---|---|---|
ShellcatZero1 | I'm trying to assess the actual security impact of this method. | 02:20 |
amurray | if the key is stored in plain text then anyone can boot a live-USB and read the key then decrypt the disk - hence this offers no real benefit from what I can tell (initrd files can be easily decompressed and the contents read out) | 02:38 |
ShellcatZero1 | amurray: Yes, but how do you actually do this with the initrd files? My attempts so far at decompressing and pulling the plain-text contents have failed to show anything meaningful. | 07:49 |
TJ- | ShellcatZero1: if the keys are in the initrd then the /boot/ file-system also needs to be encrypted and unlocked by the boot-loader, else anyone can extract the files from the initrd.img with unmkinitramfs | 07:52 |
ShellcatZero1 | ok, thanks TJ- | 08:01 |
amurray | ShellcatZero1: eg: https://paste.ubuntu.com/p/22ymwDN7mJ/ - so if you had a file in the initrd called say /boot/key then someone could read it as easily as I read out /etc/passwd from the initrd there | 08:03 |
TJ- | ShellcatZero1: I have encrypted /boot/, within which the initrd.img sits; key is "cryptroot/keyfiles/LUKS_VG.key" | 08:05 |
ShellcatZero1 | TJ-: In your scenario, you are manually providing a password to unlock /boot/ then right? | 08:09 |
TJ- | ShellcatZero1: well, 'something' is yes, doesn't have to be manual | 08:10 |
TJ- | ShellcatZero1: e.g. in one scenario (encrypted /boot/ on a headless router) the router can load GRUB via PXE on a dedicated link and unlock automatically | 08:11 |
ShellcatZero1 | ok | 08:13 |
ShellcatZero1 | TJ-: Do you have any documentation you can share regarding that setup for encrypted /boot/? | 09:18 |
TJ- | ShellcatZero1: I wrote this, the detail is in there https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019 | 09:20 |
ShellcatZero1 | Ah, thanks! | 09:22 |
=== tomreyn_ is now known as tomreyn |