|I have heard that there is a security concern with self-decrypting LUKS volumes where the key is stored in the initrd image in plain text. Can anyone describe how one would actually find/view the key in initrd files, with or without making comparisons to an existing key file?
|I'm trying to assess the actual security impact of this method.
|if the key is stored in plain text then anyone can boot a live-USB and read the key then decrypt the disk - hence this offers no real benefit from what I can tell (initrd files can be easily decompressed and the contents read out)
|amurray: Yes, but how do you actually do this with the initrd files? My attempts so far at decompressing and pulling the plain-text contents have so far failed to show anything meaningful.
|ShellcatZero1: if the keys are in the initrd then the /boot/ file-system also needs to be encrypted and unlocked by the boot-loader, else anyone can extract the files from the initrd.img with unmkinitramfs
|ok, thanks TJ-
|ShellcatZero1: eg: https://paste.ubuntu.com/p/22ymwDN7mJ/ - so if you had a file in the initrd called say /boot/key then someone could read it as easily as I read out /etc/passwd from the initrd there
|ShellcatZero1: I have encrypted /boot/ within which the initrd.img sits; key is "cryptroot/keyfiles/LUKS_VG.key"
|TJ-: In your scenario, you are manually providing a password to unlock /boot/ then right?
|ShellcatZero1: well, 'something' is yes, doesn't have to be manual
|ShellcatZero1: e.g. in one scenario (encrypted /boot/ on a headless router) the router can load GRUB via PXE on a dedicated link and unlock automatically
|TJ-: Do you have any documentation you can share regarding that setup for encrypted /boot/?
|ShellcatZero1: I wrote this, the detail is in there https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019