rinigus | piggz: encryption settings GUI: https://forum.sailfishos.org/t/rfc-revision-of-home-encryption-on-sfos/7486/53 | 14:27 |
---|---|---|
T42_ | <adampigg> Rinigus, will look later :) | 14:28 |
rinigus | building at OBS now and then will deal with docs | 14:28 |
T42_ | <adampigg> Lbt: obs task for you :) | 14:29 |
rinigus | @eugenio_g7: missed your question regarding LV renaming: yes, maybe it would be sufficient to rename and PRs are welcome for it. it adds complexity on our side. there is also a philosophical question regarding removal of the old pin - it is possible that the data will still be there on the storage device and could lead to an attack through getting that data, finding the volume encryption key, and decrypting the volume using it | 18:51 |
rinigus | I presume that reencryption could be done as well. I guess (not sure though) it does change master key in LUKS. so that could be also an option. but again, it would add more complexity for developers | 18:53 |
piggz | rinigus: hwcrypt appears to work here | 20:49 |
T42_ | <eugenio_g7> rinigus: I think the only fringe case would be that if an adversary dumped the previous LUKS header they could bruteforce the pin-only slot and then obtain the master key. cryptsetup-reencrypt would solve that as you said, but I think it's overkill (even more so that if said adversary had access to dump the luks header they could do whatever they want on the root filesystem as well, so encryption would be pointless) | 20:59 |
T42_ | <eugenio_g7> on the flip side, having encryption-open rename the LV if necessary would allow a clear upgrade path for Sailfish X devices as well, i.e. one could flash a fresh image, install the encryption-open bits, replacing the slot and be good to go - of course this needs to be tested regularly so not sure if it would be worth it | 21:03 |
rinigus | piggz: excellent! I will have to finish docs tomorrow, but it is getting there | 21:38 |
rinigus | @eugenio_g7: that line of thought would work assuming that the header is overwritten in the same physical spot. Which may not be true for our type of storage. So reencrypt could be more reasonable than what it seems ... | 21:41 |
rinigus | Let's see if we get too annoyed with the reflash/formatting to start working on such smooth update | 21:42 |
T42_ | <XAP2P> @edp_17 what about sfos for i9100? was going to buy this device, and something version 3.4 confuses | 21:49 |
RealRaven | Evening | 23:12 |