My notes on making encrypted filesystems 'Just Work(tm)'
David Zeuthen
david at fubar.dk
Wed Dec 15 10:42:05 PST 2004
On Wed, 2004-12-15 at 09:34 -0600, W. Michael Petullo wrote:
> Placing the passphrase in an environment variable is not a safe means
> either. Reading a passphrase from stdin is probably best. Another
> solution I have seen is providing an environment variable that names a
> file to read the passphrase from.
>
As long as the key is stored in the kernel memory you're screwed. The
only really safe means to do this is to use external devices (such as a
smartcards) that you offload the crypto to (e.g. host never sees the
key). That's how it works in most MPEG2 based digital tv systems and
set-top boxes.
> > (NOTE: 1. hald shall only allow console user to do this
> > 2. requires new features in hald to callout a program specified
> > in e.g. the /etc/hal/methods.d/Crypto/Sesame/Setup file)
>
> How does this /etc/hal/methods.d interface work? I can't find any
> documentation about it. I've found a few mentions of a methods.d
> directory but no documentation about how it is wired to hald.
>
It's not done yet is one answer. It will appear in the 0.5.x series;
until then you will need invoke your binaries manually or through other
means.
Cheers,
David
_______________________________________________
hal mailing list
hal at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/hal
More information about the Hal
mailing list