Am Mittwoch, den 02.02.2005, 20:05 -0800 schrieb Matt Mackall: > On Thu, Feb 03, 2005 at 03:34:29AM +0100, Christophe Saout wrote: > > The keyring API seems very flexible. You can define your own type of > > keys and give them names. Well, the name is probably irrelevant here and > > should be chosen randomly but it's less likely to collide with someone > > else. > > Dunno here, seems that having one tool that gave the kernel a key named > "foo" and then telling dm-crypt to use key "foo" is probably not a bad > way to go. Then we don't have stuff like "echo <key> | dmsetup create" > and the like and the key-handling smarts can all be put in one > separate place.
Yes. I could also change cryptsetup to not mlockall the whole application just because the key is passed down to libdevmapper which does not treat parameters with special care. > Getting from here to there might be interesting though. Perhaps we can > teach dm-crypt to understand keys of the form "keyname:<foo>"? in > addition to raw keys to keep compatibility. Might even be possible to > push this down into crypt_decode_key() (or a smarter variant of same). > > Meanwhile, I'd still like to hide the raw key in crypt_status(). Well, I don't. I don't know any tools that actually use the DM_DEVICE_TABLE command except cryptsetup. I don't like to make the interface inconsistent just because there might be an incompetent root sitting in front of the machine.
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil