[Bug 1137056] New: Automatically add a custom generated key to initrd when installing to LVM/LUKS
http://bugzilla.opensuse.org/show_bug.cgi?id=1137056

Bug ID: 1137056
Summary: Automatically add a custom generated key to initrd when installing to LVM/LUKS
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: x86-64
OS: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Installation
Assignee: yast2-maintainers@suse.de
Reporter: alexander.shchadilov@gmail.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

If an encrypted system partition is configured during installation, openSUSE puts /boot inside of it. While this scheme has certain advantages from the security side of things, it also brings the inconvenience of entering the LUKS password twice.

This inconvenience can be circumvented by adding a custom key that is used by the system to access encrypted partitions; thus GRUB becomes the only software that asks for the password.

openSUSE wiki:
https://en.opensuse.org/SDB:Encrypted_root_file_system
http://web.archive.org/web/20190601195245/https://en.opensuse.org/SDB:Encryp...

Arch wiki:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#En...)
http://web.archive.org/web/20190522050457/https://wiki.archlinux.org/index.p...

So it is a feature request for an automated procedure during OS install. There are no security drawbacks AFAIK.

--
You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1137056#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |Andreas.Stieger@gmx.de

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
This has been frequently requested. But please be aware that the security drawback is that in the running system, the keyfile would be readable in plain from /boot. Not a good idea. The better solution is the implementation in grub that allows it to pass the passphrase to the booted system without it appearing in plain in the kernel command line or the logs.

This request should be closed.

http://bugzilla.opensuse.org/show_bug.cgi?id=1137056#c2

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |nwr10cst-oslnx@yahoo.com

--- Comment #2 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
I am opposed to this, as a security risk.

Yes, the "initrd" file is normally only readable by root. However, if I install Xen support, then the "initrd" is copied into the EFI partition where it is more easily readable by anyone.

http://bugzilla.opensuse.org/show_bug.cgi?id=1137056#c9

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What |Removed                |Added
----------------------------------------------------------------------------
CC   |Andreas.Stieger@gmx.de |

--- Comment #9 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
(In reply to Lukas Ocilka from comment #8)
> This actually needs JIRA entry and everyone involved to design and discuss it there (please).

That is SUSE internal, so no involvement of the community required on this I guess.