mandos-client on Debian Buster

Teddy Hogeborn teddy at recompile.se
Tue Sep 3 18:47:36 CEST 2019


Birger Brunswiek <birger at brunswiek.org> writes:

> Well there is one more issue. Only my root device is decrypted at boot
> time. Before I upgraded cryptsetup and cryptsetup-initramfs I could
> work around the issue by reverting revision 906
> (https://bzr.recompile.se/loggerhead/mandos/trunk/revision/906). With
> the new cryptsetup mandos-to-cryptroot-unlock is used but the issue is
> essentially the same. The retrieved key is only used to decrypt the
> root device but not other devices scripts/local-top/cryptroot wants to
> open.  If I remove the break at
> https://bzr.recompile.se/loggerhead/mandos/trunk/view/970/mandos-to-cryptroot-unlock#L72
> it works. The better way is probably to restart the inner loop. Even
> better would be to determine how many devices still need to be opened
> and only break if there are none left.

Hmm, Mandos is really meant to unlock only the root device, since if you
have additional devices to unlock, you could just store the keys to
those additional devices directly in files on that root file system,
possibly somewhere in the /etc/keys directory.  Is there a reason why
you want to use Mandos to unlock more than one device?  What threat
model do you mean to defend against using this setup?

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos