My notes on making encrypted filesystems 'Just Work(tm)'

David Zeuthen david at
Wed Dec 15 14:28:58 PST 2004

On Wed, 2004-12-15 at 16:16 -0600, W. Michael Petullo wrote:
> In my work on pam_mount I realized that many UNIXes allow one to view the
> environment a process is running in by using the "ps" command.  Because
> non-root users can use this technique, passing passphrases using
> environment variables is a bad idea.

Oh yeah. One just gotta love UNIX :-/

> This is why I propose passing these parameters using pipes.  Instead of
> reading its environment, a script could read its parameters from stdin. 
> If we don't do something like this I don't know how hald would pass a
> passphrase to methods.d/Crypto/Sesame/Setup safely.

Right, OK, I hear you, we should think of something here. Using a pipe
to extract arguments seems like a good idea; I'll factor that in as
another possibility when specifying the mapping from interfaces/methods
to binaries, including how to pass the arguments (environment,
positional parameters, pipe or a combination) (might be specified as
properties you can merge using a .fdi file; might be XML files - we'll

> An alternative is to set the name of a file in
> methods.d/Crypto/Sesame/Setup's environment (ie: PASS_FILE) and write
> Setup to read the passphrase out of that file.  Though this is a solution,
> it is quite ugly.

Ugly in many ways - the system might be mostly read-only like the
Stateless Fedora project.
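The contrast the thread draws between handing a passphrase to a helper through its environment and handing it over a stdin pipe, as an added example that is not part of the original mail: the helper script, the `run_helper` wrapper and the sample passphrase are constructed stand-ins for a methods.d/Crypto/Sesame/Setup-style binary, and the `/proc/<pid>/environ` check reads the same data that `ps e` shows on Linux (it returns None where /proc is unavailable).

```python
import os
import subprocess
import sys

# Constructed stand-in for a Setup helper. It blocks on one line of stdin
# before doing anything, then takes the passphrase from PASSPHRASE if the
# caller put one in the environment, otherwise from that stdin line, and
# reports back only the passphrase length.
HELPER = r"""
import os, sys
line = sys.stdin.readline().rstrip("\n")   # blocks until the parent writes
pw = os.environ.get("PASSPHRASE", line)
print(len(pw))
"""


def child_exposes(pid, secret):
    """True if the secret is readable from the child's /proc entries (the
    data behind `ps e` / `ps -o args`), False if not, None without /proc."""
    found = False
    for name in ("environ", "cmdline"):
        try:
            with open(f"/proc/{pid}/{name}", "rb") as f:
                found |= secret.encode() in f.read()
        except OSError:
            return None
    return found


def run_helper(secret, via_env):
    """Start the helper, inspect it while it waits for input, then deliver
    the secret. Returns (length_reported_by_helper, exposed_via_proc)."""
    env = dict(os.environ)
    if via_env:
        env["PASSPHRASE"] = secret          # the discouraged variant
    proc = subprocess.Popen([sys.executable, "-c", HELPER], env=env,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True)
    exposed = child_exposes(proc.pid, secret)
    # Pipe variant: the secret travels only over the stdin pipe.
    out, _ = proc.communicate("\n" if via_env else secret + "\n")
    return int(out.strip()), exposed


if __name__ == "__main__":
    pw = "constructed-s3cret"               # constructed sample passphrase
    for via_env in (True, False):
        n, exposed = run_helper(pw, via_env)
        print(f"via_env={via_env}: helper saw {n} chars, exposed={exposed}")
```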

