[02:18] I have heard that there is a security concern with self-decrypting LUKS volumes where the key is stored in the initrd image in plain text. Can anyone describe how one would actually find/view the key in initrd files, with or without making comparisons to an existing key file?
[02:20] I'm trying to assess the actual security impact of this method.
[02:38] if the key is stored in plain text then anyone can boot a live-USB and read the key then decrypt the disk - hence this offers no real benefit from what I can tell (initrd files can be easily decompressed and the contents read out)
[07:49] amurray: Yes, but how do you actually do this with the initrd files? My attempts so far at decompressing and pulling the plain-text contents have failed to show anything meaningful.
[07:52] ShellcatZero1: if the keys are in the initrd then the /boot/ file-system also needs to be encrypted and unlocked by the boot-loader, else anyone can extract the files from the initrd.img with unmkinitramfs
[08:01] ok, thanks TJ-
[08:03] ShellcatZero1: eg: https://paste.ubuntu.com/p/22ymwDN7mJ/ - so if you had a file in the initrd called say /boot/key then someone could read it as easily as I read out /etc/passwd from the initrd there
[08:05] ShellcatZero1: I have encrypted /boot/ within which the initrd.img sits; key is "cryptroot/keyfiles/LUKS_VG.key"
[08:09] TJ-: In your scenario, you are manually providing a password to unlock /boot/ then, right?
[08:10] ShellcatZero1: well, 'something' is, yes; doesn't have to be manual
[08:11] ShellcatZero1: e.g. in one scenario (encrypted /boot/ on a headless router) the router can load GRUB via PXE on a dedicated link and unlock automatically
[08:13] ok
[09:18] TJ-: Do you have any documentation you can share regarding that setup for encrypted /boot/?
[09:20] ShellcatZero1: I wrote this, the detail is in there https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
[09:22] Ah, thanks!