From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by mail.saout.de (Postfix) with ESMTP
	for ; Tue, 28 Dec 2010 19:59:40 +0100 (CET)
Message-ID: <4D1A3395.5070403@redhat.com>
Date: Tue, 28 Dec 2010 19:59:33 +0100
From: Milan Broz
MIME-Version: 1.0
References: <4D19D25E.5090106@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] ext3 + dm_crypt performance impact (CentOS 5.4 AMD64)
To: Robert.Heinzmann@deutschepost.de
Cc: dm-crypt@saout.de

On 12/28/2010 03:10 PM, Robert.Heinzmann@deutschepost.de wrote:
> What I also found was, that doing a simple
>
> "dmsetup table --showkeys" actually shows the dm_crypt master key in
> hex for the disk
>
> Isn't that a little bit too easy ? Should dmsetup not at least scramble
> it (xxxxx) ?

That's why --showkeys is not default ;-)

And all automated customer-oriented reporting systems must not use this option
(see output from sosreport or lvmdump - no key there).

If you are root, you have many other ways to get the key from memory,
hiding it here makes no sense.

> Otherwise this information can easily leak out into ticketing systems,
> support attachments etc.

Nope, --showkeys must be explicitly given by user for dmsetup.

Milan
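
The leak scenario raised in the thread (table output captured with --showkeys ending up in a ticket or support attachment) can be checked for before a file is shared. The following is an added example, not part of the original message and not code from dmsetup, sosreport or lvmdump. It assumes the crypt target line layout `[name:] start length crypt cipher key iv_offset device offset` and that output taken without --showkeys carries only zeros in the key field; the sample table and its key are constructed.

```python
import re

# Assumed layout of a dm-crypt line in "dmsetup table" output:
#   [name:] <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [...]
CRYPT_LINE = re.compile(
    r"^(?P<head>(?:\S+:\s+)?\d+\s+\d+\s+crypt\s+\S+\s+)"
    r"(?P<key>\S+)"
    r"(?P<tail>\s+\d+\s+\S+\s+\d+.*)$"
)
HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample: one line captured with --showkeys, one without.
SAMPLE = """\
vg0-root: 0 41943040 linear 8:2 2048
cryptdata: 0 2093056 crypt aes-cbc-essiv:sha256 00112233445566778899aabbccddeeff 0 8:17 4096
cryptswap: 0 1048576 crypt aes-cbc-essiv:sha256 00000000000000000000000000000000 0 8:18 0
"""


def key_is_exposed(key_field):
    """True if the field is hex key material that is not all zeros.

    Non-hex fields (for example a ":size:type:description" keyring
    reference) are not raw key bytes and are left alone.
    """
    return bool(HEX.fullmatch(key_field)) and key_field.strip("0") != ""


def redact(text):
    """Return (clean_text, findings); findings are 1-based line numbers."""
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRYPT_LINE.match(line)
        if m and key_is_exposed(m.group("key")):
            findings.append(lineno)
            # Keep the field length so the key size stays visible.
            line = m.group("head") + "0" * len(m.group("key")) + m.group("tail")
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    clean, hits = redact(SAMPLE)
    print(clean)
    print("lines with exposed key material:", hits)
```

A non-empty findings list means the file was captured with --showkeys, so the key on that volume should be treated as disclosed to anyone who already received the unredacted copy.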