On Tue May 14, 2024 at 7:08 PM EEST, Ignat Korchagin wrote:
> On Tue, May 14, 2024 at 4:43 PM Jarkko Sakkinen wrote:
> >
> > On Tue May 14, 2024 at 6:30 PM EEST, Ignat Korchagin wrote:
> > > On Tue, May 14, 2024 at 4:26 PM Jarkko Sakkinen wrote:
> > > >
> > > > On Tue May 14, 2024 at 6:21 PM EEST
On Tue, May 14, 2024 at 4:43 PM Jarkko Sakkinen wrote:
>
> On Tue May 14, 2024 at 6:30 PM EEST, Ignat Korchagin wrote:
> > On Tue, May 14, 2024 at 4:26 PM Jarkko Sakkinen wrote:
> > >
> > > On Tue May 14, 2024 at 6:21 PM EEST, Jarkko Sakkinen wrote:
> > > > On Tue May 14, 2024 at 5:30 PM EEST, Ja
On Tue, May 14, 2024 at 4:54 PM James Bottomley
wrote:
>
> On Tue, 2024-05-14 at 16:38 +0100, Ignat Korchagin wrote:
> > On Tue, May 14, 2024 at 4:30 PM James Bottomley
> > wrote:
> > >
> > > On Tue, 2024-05-14 at 14:11 +0100, Ignat Korchagin wrote:
> > > > * if someone steals one of the disks
On Tue, 2024-05-14 at 16:38 +0100, Ignat Korchagin wrote:
> On Tue, May 14, 2024 at 4:30 PM James Bottomley
> wrote:
> >
> > On Tue, 2024-05-14 at 14:11 +0100, Ignat Korchagin wrote:
> > > * if someone steals one of the disks - we don't want them to
> > > see it has encrypted data (no LUKS head
On Tue May 14, 2024 at 6:30 PM EEST, Ignat Korchagin wrote:
> On Tue, May 14, 2024 at 4:26 PM Jarkko Sakkinen wrote:
> >
> > On Tue May 14, 2024 at 6:21 PM EEST, Jarkko Sakkinen wrote:
> > > On Tue May 14, 2024 at 5:30 PM EEST, Jarkko Sakkinen wrote:
> > > > On Tue May 14, 2024 at 5:00 PM EEST, Ja
On Tue, May 14, 2024 at 4:30 PM James Bottomley
wrote:
>
> On Tue, 2024-05-14 at 14:11 +0100, Ignat Korchagin wrote:
> > * if someone steals one of the disks - we don't want them to see it
> > has encrypted data (no LUKS header)
>
> What is the use case that makes this important? In usual opera
On Tue, 2024-05-14 at 14:11 +0100, Ignat Korchagin wrote:
> * if someone steals one of the disks - we don't want them to see it
> has encrypted data (no LUKS header)
What is the use case that makes this important? In usual operation
over the network, the fact that we're setting up encryption is
On Tue, May 14, 2024 at 4:26 PM Jarkko Sakkinen wrote:
>
> On Tue May 14, 2024 at 6:21 PM EEST, Jarkko Sakkinen wrote:
> > On Tue May 14, 2024 at 5:30 PM EEST, Jarkko Sakkinen wrote:
> > > On Tue May 14, 2024 at 5:00 PM EEST, Jarkko Sakkinen wrote:
> > > > On Tue May 14, 2024 at 4:11 PM EEST, Igna
On Tue May 14, 2024 at 6:21 PM EEST, Jarkko Sakkinen wrote:
> On Tue May 14, 2024 at 5:30 PM EEST, Jarkko Sakkinen wrote:
> > On Tue May 14, 2024 at 5:00 PM EEST, Jarkko Sakkinen wrote:
> > > On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > > > For example, a cheap NAS box with no in
On Tue May 14, 2024 at 5:30 PM EEST, Jarkko Sakkinen wrote:
> On Tue May 14, 2024 at 5:00 PM EEST, Jarkko Sakkinen wrote:
> > On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > > For example, a cheap NAS box with no internal storage (disks connected
> > > externally via USB). We want:
On Tue, May 14, 2024 at 3:11 PM James Bottomley
wrote:
>
> On Tue, 2024-05-14 at 10:50 +0100, Ignat Korchagin wrote:
> > On Mon, May 13, 2024 at 11:33 PM James Bottomley
> > wrote:
> > >
> > > On Mon, 2024-05-13 at 18:09 +0100, Ignat Korchagin wrote:
> > > [...]
> > > > TPM derived keys attempt t
On Tue May 14, 2024 at 5:41 PM EEST, Ignat Korchagin wrote:
> On Tue, May 14, 2024 at 3:00 PM Jarkko Sakkinen wrote:
> >
> > On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > > For example, a cheap NAS box with no internal storage (disks connected
> > > externally via USB). We want:
On Tue, May 14, 2024 at 3:00 PM Jarkko Sakkinen wrote:
>
> On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > For example, a cheap NAS box with no internal storage (disks connected
> > externally via USB). We want:
> > * disks to be encrypted and decryptable only by this NAS box
>
>
On Tue May 14, 2024 at 5:00 PM EEST, Jarkko Sakkinen wrote:
> On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> > For example, a cheap NAS box with no internal storage (disks connected
> > externally via USB). We want:
> > * disks to be encrypted and decryptable only by this NAS box
>
On Tue, 2024-05-14 at 10:50 +0100, Ignat Korchagin wrote:
> On Mon, May 13, 2024 at 11:33 PM James Bottomley
> wrote:
> >
> > On Mon, 2024-05-13 at 18:09 +0100, Ignat Korchagin wrote:
> > [...]
> > > TPM derived keys attempt to address the above use cases by
> > > allowing applications to determi
On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote:
> For example, a cheap NAS box with no internal storage (disks connected
> externally via USB). We want:
> * disks to be encrypted and decryptable only by this NAS box
So how this differs from LUKS2 style, which also systemd supports wh
On Tue, May 14, 2024 at 1:09 PM Jarkko Sakkinen wrote:
>
> On Tue May 14, 2024 at 1:05 PM EEST, Ignat Korchagin wrote:
> > On Tue, May 14, 2024 at 1:28 AM Jarkko Sakkinen wrote:
> > >
> > > On Mon May 13, 2024 at 8:11 PM EEST, Ignat Korchagin wrote:
> > > > On Fri, May 3, 2024 at 11:16 PM Ignat K
On Tue May 14, 2024 at 1:05 PM EEST, Ignat Korchagin wrote:
> On Tue, May 14, 2024 at 1:28 AM Jarkko Sakkinen wrote:
> >
> > On Mon May 13, 2024 at 8:11 PM EEST, Ignat Korchagin wrote:
> > > On Fri, May 3, 2024 at 11:16 PM Ignat Korchagin
> > > wrote:
> > > I would like to point out to myself I
On Tue, May 14, 2024 at 1:28 AM Jarkko Sakkinen wrote:
>
> On Mon May 13, 2024 at 8:11 PM EEST, Ignat Korchagin wrote:
> > On Fri, May 3, 2024 at 11:16 PM Ignat Korchagin
> > wrote:
> > I would like to point out to myself I was wrong: it is possible to ask
> > the kernel to generate a trusted ke
On Mon, May 13, 2024 at 11:33 PM James Bottomley
wrote:
>
> On Mon, 2024-05-13 at 18:09 +0100, Ignat Korchagin wrote:
> [...]
> > TPM derived keys attempt to address the above use cases by allowing
> > applications to deterministically derive unique cryptographic keys
> > for their own purposes di
On Mon May 13, 2024 at 8:11 PM EEST, Ignat Korchagin wrote:
> On Fri, May 3, 2024 at 11:16 PM Ignat Korchagin wrote:
> I would like to point out to myself I was wrong: it is possible to ask
> the kernel to generate a trusted key inside the kernel locally with
> "keyctl add trusted kmk "new 32" @u"
On Mon, 2024-05-13 at 18:09 +0100, Ignat Korchagin wrote:
[...]
> TPM derived keys attempt to address the above use cases by allowing
> applications to deterministically derive unique cryptographic keys
> for their own purposes directly from the TPM seed in the owner
> hierarchy. The idea is that w
On Fri, May 3, 2024 at 11:16 PM Ignat Korchagin wrote:
>
> TPM derived keys get their payload from an HMAC primary key in the owner
> hierarchy mixed with some metadata from the requesting process.
>
> They are similar to trusted keys in the sense that the key security is rooted
> in the TPM, but
On Sat, May 4, 2024 at 5:35 PM Jarkko Sakkinen wrote:
>
> On Sat May 4, 2024 at 5:51 PM EEST, Jarkko Sakkinen wrote:
> > On Sat May 4, 2024 at 4:55 PM EEST, Ben Boeckel wrote:
> > > On Sat, May 04, 2024 at 03:21:11 +0300, Jarkko Sakkinen wrote:
> > > > I have no idea for what the key created with
On Sat May 4, 2024 at 5:51 PM EEST, Jarkko Sakkinen wrote:
> On Sat May 4, 2024 at 4:55 PM EEST, Ben Boeckel wrote:
> > On Sat, May 04, 2024 at 03:21:11 +0300, Jarkko Sakkinen wrote:
> > > I have no idea for what the key created with this is even used, which
> > > makes this impossible to review.
>
On Sat May 4, 2024 at 4:55 PM EEST, Ben Boeckel wrote:
> On Sat, May 04, 2024 at 03:21:11 +0300, Jarkko Sakkinen wrote:
> > I have no idea for what the key created with this is even used, which
> > makes this impossible to review.
>
> Additionally, there is nothing in Documentation/ for how userspa
On Sat, May 04, 2024 at 03:21:11 +0300, Jarkko Sakkinen wrote:
> I have no idea for what the key created with this is even used, which
> makes this impossible to review.
Additionally, there is nothing in Documentation/ for how userspace might
use or create them. This includes things like their des
On Sat May 4, 2024 at 1:16 AM EEST, Ignat Korchagin wrote:
> TPM derived keys get their payload from an HMAC primary key in the owner
> hierarchy mixed with some metadata from the requesting process.
What metadata?
What is "the requesting process"?
>
> They are similar to trusted keys in the sens