A security update that fixes Calamares bug CAL-405: https://calamares.io/bugs/browse/CAL-405
When installing with a LUKS-encrypted / partition, Calamares was always creating a keyfile to unlock / and storing it in the initramfs. It did that even with an unencrypted separate /boot partition. As a result, the keyfile would be stored in cleartext on the /boot partition, and it was possible to unlock the / partition without ever entering a passphrase. This completely defeated the security of LUKS.
Please note that this only affects manual partitioning. The automatic partitioning never leaves /boot unencrypted (and it is, in fact, recommended to also always encrypt /boot when doing manual partitioning).
This update fixes the dracutlukscfg module to not add the keyfile to install_items in the dracut configuration (so that dracut will not include it in the initramfs) if /boot is separate and unencrypted.
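An audit check for the condition described above, as an added example that is not part of Calamares or of this update: it reports key files that are referenced in crypttab and also listed in dracut's install_items while /boot is a separate, unencrypted mount. The sample inputs, including the key file path, are constructed; the check assumes `lsblk -P -o NAME,TYPE,MOUNTPOINT` output and a filesystem that sits directly on a partition or a dm-crypt mapping.

```python
import re
import shlex

def install_items(dracut_conf):
    """Paths a dracut config fragment adds to the initramfs via install_items."""
    paths = []
    for line in dracut_conf.splitlines():
        m = re.match(r"\s*install_items\+?=(.*)$", line)
        if m:  # the value is a shell word, usually one quoted space-separated list
            for word in shlex.split(m.group(1), comments=True):
                paths += word.split()
    return paths

def crypttab_keyfiles(crypttab):
    """Key file paths (third crypttab field), skipping 'none' and '-'."""
    keys = set()
    for line in crypttab.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[2] not in ("none", "-"):
            keys.add(fields[2])
    return keys

def boot_unencrypted(lsblk_pairs):
    """True if /boot is its own mount and is not a dm-crypt mapping."""
    for line in lsblk_pairs.splitlines():
        dev = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if dev.get("MOUNTPOINT") == "/boot":
            return dev.get("TYPE") != "crypt"
    return False  # no separate /boot: it lives inside the / filesystem

def exposed_keyfiles(dracut_conf, crypttab, lsblk_pairs):
    """Key files that would land in cleartext on an unencrypted /boot."""
    if not boot_unencrypted(lsblk_pairs):
        return []
    return sorted(crypttab_keyfiles(crypttab) & set(install_items(dracut_conf)))

# Constructed sample inputs (placeholder names, not taken from the advisory).
SAMPLE_DRACUT = 'install_items+=" /etc/crypttab /crypto_keyfile.bin "\n'
SAMPLE_CRYPTTAB = "luks-root UUID=0000 /crypto_keyfile.bin luks\n"
SAMPLE_LSBLK = ('NAME="sda1" TYPE="part" MOUNTPOINT="/boot"\n'
                'NAME="luks-root" TYPE="crypt" MOUNTPOINT="/"\n')

if __name__ == "__main__":
    print(exposed_keyfiles(SAMPLE_DRACUT, SAMPLE_CRYPTTAB, SAMPLE_LSBLK))
```

A non-empty result on an installed system means the passphrase should be treated as bypassable until the key file is removed from install_items, the initramfs is regenerated, and the LUKS key slot holding that key file is rotated.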
| submitted | 2 years ago |
| in testing | 2 years ago |
| in stable | 2 years ago |
| modified | 2 years ago |