* [dm-crypt] kernel: CONFIG_KEYS
@ 2017-11-26 8:53 Karel
2017-11-26 9:23 ` Milan Broz
0 siblings, 1 reply; 2+ messages in thread
From: Karel @ 2017-11-26 8:53 UTC (permalink / raw)
To: dm-crypt@saout.de
Hello,
in the Linux kernel, there is this option: CONFIG_KEYS
"Security options" -> "Enable access key retention support"
from the description it is not clear to me whether this has any
relevance to cryptsetup.
Does cryptsetup use this facility?
thanks,
* Re: [dm-crypt] kernel: CONFIG_KEYS
2017-11-26 8:53 [dm-crypt] kernel: CONFIG_KEYS Karel
@ 2017-11-26 9:23 ` Milan Broz
0 siblings, 0 replies; 2+ messages in thread
From: Milan Broz @ 2017-11-26 9:23 UTC (permalink / raw)
To: Karel, dm-crypt@saout.de
On 11/26/2017 09:53 AM, Karel wrote:
> Hello,
>
> in the Linux kernel, there is this option: CONFIG_KEYS
>
> "Security options" -> "Enable access key retention support"
>
> from the description it is not clear to me whether this has any
> relevance to cryptsetup.
>
> Does cryptsetup use this facility?
Hi,
the new cryptsetup (version 2) will use the kernel keyring (for the dm-crypt
volume key and also for activation by a so-called token in LUKS2).
But it will be optional, and cryptsetup should still work even without it.
If you are using LUKS version 1 (almost every device today), the kernel keyring
is not used.
But the keyring can be used for LUKS by some other services
(systemd already caches the passphrase this way).
So I would suggest enabling it in your kernel, even though it is not yet
necessary for cryptsetup.
Milan
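
A check for the option discussed in this thread, as an added example that is not part of either message: it reports how CONFIG_KEYS is set in a kernel config file, telling "=y" apart from "is not set" and from an option missing from the file. The function names kconfig_state and running_kernel_config are hypothetical, and the two config paths are assumptions about where the config is exposed (/proc/config.gz needs CONFIG_IKCONFIG_PROC; /boot/config-<release> is a distribution convention).

```shell
#!/bin/sh
# Added example (not from the thread).

# kconfig_state OPTION FILE
# Prints the value of OPTION in a kernel config FILE (plain or .gz):
#   y / m   - built in / module
#   n       - explicitly disabled ("# OPTION is not set")
#   absent  - option not mentioned, or file unreadable
kconfig_state() {
    opt=$1 file=$2
    case $file in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    $reader "$file" 2>/dev/null | awk -v opt="$opt" '
        $0 ~ ("^" opt "=")           { sub("^" opt "=", ""); state = $0 }
        $0 == "# " opt " is not set" { state = "n" }
        END { print (state == "" ? "absent" : state) }'
}

# Prints the first readable config for the running kernel, or fails.
# Both paths are assumptions; a custom kernel may only have .config
# in its build tree.
running_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Report for the running kernel; harmless if no config file is found.
if cfg=$(running_kernel_config); then
    echo "CONFIG_KEYS: $(kconfig_state CONFIG_KEYS "$cfg") (from $cfg)"
else
    echo "no kernel config found; run kconfig_state on your build tree's .config"
fi
```

A result of "n" or "absent" means the kernel has no keyring for cryptsetup or other services to use.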