My notes on making encrypted filesystems 'Just Work(tm)'
david at fubar.dk
Wed Dec 15 10:42:05 PST 2004

On Wed, 2004-12-15 at 09:34 -0600, W. Michael Petullo wrote:
> Placing the passphrase in an environment variable is not a safe means
> either. Reading a passphrase from stdin is probably best. Another
> solution I have seen is providing an environment variable that names a
> file to read the passphrase from.

As long as the key is stored in the kernel memory you're screwed. The
only really safe means to do this is to use external devices (such as
smartcards) that you offload the crypto to (e.g. host never sees the
key). That's how it works in most MPEG2 based digital tv systems and

> > (NOTE: 1. hald shall only allow console user to do this
> > 2. requires new features in hald to callout a program specified
> > in e.g. the /etc/hal/methods.d/Crypto/Sesame/Setup file)
> How does this /etc/hal/methods.d interface work? I can't find any
> documentation about it. I've found a few mentions of a methods.d
> directory but no documentation about how it is wired to hald.

It's not done yet is one answer. It will appear in the 0.5.x series;
until then you will need to invoke your binaries manually or through other
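
The passphrase-input options named in the quoted message above (environment variable, stdin, a file named by an environment variable), as an added example that is not part of the original thread or of any HAL code. The variable names `SESAME_PASSPHRASE` and `SESAME_PASSPHRASE_FILE` and the helper itself are hypothetical.

```python
import os
import stat

# Hypothetical variable names, chosen for this example only.
FILE_VAR = "SESAME_PASSPHRASE_FILE"
VALUE_VAR = "SESAME_PASSPHRASE"


class PassphraseError(Exception):
    pass


def read_passphrase(environ, stdin):
    """Return the passphrase as bytes from a named file or from stdin."""
    # A secret in the environment is inherited by every child process and is
    # readable through /proc/<pid>/environ on Linux, so refuse it outright.
    if VALUE_VAR in environ:
        raise PassphraseError(f"{VALUE_VAR} is set; passphrase in environment refused")
    path = environ.get(FILE_VAR)
    if path is None:
        # Default: first line of stdin, which never appears in argv or environ.
        return _first_line(stdin.readline())
    # O_NOFOLLOW rejects a symlink at the final path component.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise PassphraseError(f"cannot open {path}: {exc.strerror}") from exc
    with os.fdopen(fd, "rb") as fh:
        # fstat the open descriptor so the checks apply to the file we read.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PassphraseError(f"{path} is not a regular file")
        if st.st_uid != os.geteuid():
            raise PassphraseError(f"{path} is not owned by the calling user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PassphraseError(f"{path} is accessible to group or others")
        return _first_line(fh.readline())


def _first_line(line):
    """Strip the line terminator and reject an empty passphrase."""
    data = line if isinstance(line, bytes) else line.encode()
    data = data.rstrip(b"\r\n")
    if not data:
        raise PassphraseError("empty passphrase")
    return data
```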