On Mon, 09 Jul 2018 at 10:14:50 -0700, Kyle Rankin wrote:
> Given it is just a shell script, I would vote for incorporating OpenPGP
> smartcard support directly into cryptsetup-initramfs so it's available for
> users who want encrypted storage without having to know about a standalone
> package.

With my cryptsetup maintainer hat on, I don't mind either way. In any case we shouldn't ship multiple hooks providing essentially the same functionalities (#888916, #903163). I have a Gnuk Token so I should be able to test and maintain this :-)

In general, rather than using our internal interface, authors of third party hooks should either 1/ ask us to document and publish the bits they need, or 2/ convince us to incorporate their hook & script into cryptsetup-initramfs, effectively making us maintainers.

Back to https://github.com/eriknellessen/gpg-encrypted-root, I see the hook is copying private key material to the initramfs, but /initrd.img is just a cpio archive which is created with mode 0644 minus umask… so without additional protection in place [0] (which the README doesn't mention) any local user can read the (hopefully symmetrically encrypted) private key material! It's not clear to me why they need the private key files, but at the very least a loud warning should be shown if the umask is too permissive.

-- 
Guilhem.

[0] For instance setting UMASK=0077 in /etc/initramfs-tools/initramfs.conf.
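
The umask warning suggested in the message above, sketched as an added shell example (not part of the original message, and not code from cryptsetup, initramfs-tools or gpg-encrypted-root). The function names are hypothetical; it assumes UMASK is written as a plain `UMASK=<octal>` line as in footnote [0], and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes a plain
# "UMASK=<octal>" line as in footnote [0], and GNU stat.

# Print the last UMASK value set in an initramfs.conf-style file (empty if none).
conf_umask() {
    sed -n 's/^[[:space:]]*UMASK=\([0-7][0-7]*\).*$/\1/p' "$1" | tail -n 1
}

# Octal mode an image created as 0644 ends up with under the given umask.
image_mode() {
    printf '%03o\n' $(( 0644 & ~0$1 ))
}

# Succeed only if that mode keeps no group/other permission bits.
umask_is_private() {
    [ $(( 0$(image_mode "$1") & 077 )) -eq 0 ]
}

# Succeed only if an existing file (symlinks followed) has no group/other bits.
file_is_private() {
    mode=$(stat -L -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print the warnings; return 0 only if config and image are both private.
# Usage: check_initramfs /etc/initramfs-tools/initramfs.conf /initrd.img
check_initramfs() {
    rc=0
    u=$(conf_umask "$1")
    if [ -z "$u" ]; then
        echo "WARNING: no UMASK in $1; image mode depends on the caller's umask"
        rc=1
    elif ! umask_is_private "$u"; then
        echo "WARNING: UMASK=$u leaves the image with mode $(image_mode "$u")"
        rc=1
    fi
    if [ -e "$2" ] && ! file_is_private "$2"; then
        echo "WARNING: $2 is accessible beyond its owner"
        rc=1
    fi
    return "$rc"
}
```

An image built before UMASK was tightened keeps its old mode, which is why the file itself is checked as well as the configuration.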