From: "Alex Griffin" <a@ajgrf.com>
To: Ellen Papsch <ellen.papsch@wine-logistix.de>,
Vagrant Cascadian <vagrant@debian.org>,
guix-devel@gnu.org
Subject: Re: Unencrypted boot with encrypted root
Date: Wed, 08 Apr 2020 15:07:35 +0000 [thread overview]
Message-ID: <cee81f39-c46c-4370-9474-337acaacaed5@www.fastmail.com> (raw)
In-Reply-To: <6fc66a2a3f3cd71febb16bab2a0aeb65b6fdd147.camel@wine-logistix.de>
On Wed, Apr 8, 2020, at 12:25 PM, Ellen Papsch wrote:
> These may be dangerous waters. The key file in initrd is like a house
> key under the mattress. A malicious process could look in the well
> defined place and exfiltrate the key. Think state trojan horses. A
> random name would not suffice, because other characteristics may help
> identifying the file (i.e. size).
What's the threat model here? For me, an encrypted disk is only meant to protect my data at rest. If a malicious process is already running on my system as root, then I don't care if they can exfiltrate the key.
--
Alex Griffin
next prev parent reply other threads:[~2020-04-08 15:08 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-02 8:59 Unencrypted boot with encrypted root Pierre Neidhardt
2020-04-03 15:32 ` pelzflorian (Florian Pelz)
2020-04-03 15:44 ` Ellen Papsch
2020-04-03 16:13 ` Pierre Neidhardt
2020-04-03 17:16 ` Ellen Papsch
2020-04-03 19:56 ` Guillaume Le Vaillant
2020-04-04 9:02 ` Pierre Neidhardt
2020-05-17 15:39 ` Pierre Neidhardt
2020-05-20 8:49 ` Guillaume Le Vaillant
2020-05-20 9:42 ` Pierre Neidhardt
2020-04-03 19:44 ` pelzflorian (Florian Pelz)
2020-04-04 8:12 ` Ellen Papsch
2020-04-04 10:18 ` pelzflorian (Florian Pelz)
2020-04-06 12:00 ` Ellen Papsch
2020-04-07 9:46 ` Ludovic Courtès
2020-04-07 11:34 ` Ellen Papsch
2020-04-07 20:19 ` Ludovic Courtès
2020-04-08 12:37 ` Ellen Papsch
2020-04-07 15:05 ` Alex Griffin
2020-04-07 16:47 ` Vagrant Cascadian
2020-04-08 12:25 ` Ellen Papsch
2020-04-08 15:07 ` Alex Griffin [this message]
2020-04-08 16:22 ` Vagrant Cascadian
2020-04-08 7:57 ` Pierre Neidhardt
2020-04-08 12:19 ` Alex Griffin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cee81f39-c46c-4370-9474-337acaacaed5@www.fastmail.com \
--to=a@ajgrf.com \
--cc=ellen.papsch@wine-logistix.de \
--cc=guix-devel@gnu.org \
--cc=vagrant@debian.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.