[02:18] <ShellcatZero1> I have heard that there is a security concern with self-decrypting LUKS volumes where the key is stored in the initrd image in plain text. Can anyone describe how one would actually find/view the key in initrd files, with or without making comparisons to an existing key file?
[02:20] <ShellcatZero1> I'm trying to assess the actual security impact of this method.
[02:38] <amurray> if the key is stored in plain text then anyone can boot a live-USB and read the key then decrypt the disk - hence this offers no real benefit from what I can tell (initrd files can be easily decompressed and the contents read out)
[07:49] <ShellcatZero1> amurray: Yes, but how do you actually do this with the initrd files? My attempts so far at decompressing and pulling the plain-text contents have so far failed to show anything meaningful.
[07:52] <TJ-> ShellcatZero1: if the keys are in the initrd then the /boot/ file-system also needs to be encrypted and unlocked by the boot-loader, else anyone can extract the files from the initrd.img with unmkinitramfs
[08:01] <ShellcatZero1> ok, thanks TJ- 
[08:03] <amurray> ShellcatZero1: eg: https://paste.ubuntu.com/p/22ymwDN7mJ/ - so if you had a file in the initrd called say /boot/key then someone could read it as easily as I read out /etc/passwd from the initrd there
[08:05] <TJ-> ShellcatZero1: I have encrypted /boot/ within which the initrd.img sits; key is "cryptroot/keyfiles/LUKS_VG.key"
[08:09] <ShellcatZero1> TJ-: In your scenario, you are manually providing a password to unlock /boot/ then right?
[08:10] <TJ-> ShellcatZero1: well, 'something' is yes, doesn't have to be manual
[08:11] <TJ-> ShellcatZero1: e.g. in one scenario (encrypted /boot/ on a headless router) the router can load GRUB via PXE on a dedicated link and unlock automatically
[08:13] <ShellcatZero1> ok
[09:18] <ShellcatZero1> TJ-: Do you have any documentation you can share regarding that setup for encrypted /boot/?
[09:20] <TJ-> ShellcatZero1: I wrote this, the detail is in there https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
[09:22] <ShellcatZero1> Ah, thanks!