Key sharing
Teddy Hogeborn
teddy at recompile.se
Thu Jul 21 21:47:31 CEST 2022
Dick Middleton <dick at lingbrae.com> writes:
> I've been using the key sharing feature of mandos to unlock
> resume/swap partition using the same passphrase as the root partition.
>
> I've been having a lot of trouble recently keeping this all working.
> I was using dracut to build my initramfs but that now renders my
> system unbootable.
I would guess that this is a matter of timing. The initial root image
generated by dracut uses the password-agent(8mandos) program, which will
run the Mandos client, get a password from it, and use that password to
answer all active password questions (asked using the systemd “Password
Agent system”), and then exit. Normally, only one password question is
active and answered, but it is perfectly possible that another password
question is created while the first question is still active. Both
password questions will then be answered before password-agent(8mandos)
exits. But if the timing changed (for some reason outside of our
control), then the second password question will not be answered by
password-agent(8mandos). I would guess that this is what happened here.
> So I've reverted to using initramfs-tools and at least I can boot.
> However it no longer unlocks the swap partition; it prompts me
> separately.
Yes. There is a previous discussion about this with Mike Klein here:
https://mail.recompile.se/pipermail/mandos-dev/2020-May/thread.html
In short, Mandos only provides the password once. You can try to use
the workaround discussed in the above thread (modifying the
mandos-to-cryptroot-unlock script), but we don’t officially support it,
and that only works when using initramfs-tools.
What we suggest is always to simply have a different, separate (randomly
generated, secure) password to each of your secondary devices, and keep
those passwords in files on the primary root file system (which is
itself unlocked by Mandos). The resulting security should be the same.
/Teddy Hogeborn
--
The Mandos Project
https://www.recompile.se/mandos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://mail.recompile.se/pipermail/mandos-dev/attachments/20220721/83eebbf4/attachment.sig>
More information about the Mandos-Dev
mailing list