[bug #57678] Add a possibility to transfer passphrase to OS when unlocking encrypted container

[Alexander Shchadilov]

URL:
  <https://savannah.gnu.org/bugs/?57678>

                 Summary: Add a possibility to transfer passphrase to OS when
unlocking encrypted container
                 Project: GNU GRUB
            Submitted by: kadilov
            Submitted on: Пн. 27 янв. 2020 14:12:27
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Feature Request
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 
                 Release: 2.02
         Reproducibility: None
         Planned Release: None

    _______________________________________________________

Details:

Currently using GRUB with GRUB_ENABLE_CRYPTODISK option for unlocking
encrypted device may lead to a scenario when user needs to enter passphrase
twice, once for GRUB and once for OS booting software. If LUKS is used, a
common workaround that improves user experience involves generating a LUKS key
that is permanently stored inside the encrypted container. 
Having a way to securely transfer the passphrase to OS would make possible a
more streamlined configuration.

Workarounds described in community documentation of Linux distributions:
https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs
https://en.opensuse.org/SDB:Encrypted_root_file_system

This suggestion was originally posted by Andreas Stieger on openSUSE bug
tracker:
https://bugzilla.suse.com/show_bug.cgi?id=1137056#c1




    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?57678>

_______________________________________________
  Сообщение отправлено по Savannah
  https://savannah.gnu.org/