On 10/29/23 22:01, Jonathan Billings wrote:
The point I’m making is that the decryption passphrase should not be accessible
to any root level process, be it a user with sudo or a compromised service.
This is why you should create a backup passphrase in a different keyslot and
store it someplace secure, just in case.
The point here is not about getting the passphrase, it is about
getting the real decryption key.
Storing the decryption key in a safe place is a lot better than
relying on things that can break in many ways (luks header overwritten,
broken TPM, new machine, ...).
The real decryption key makes the difference between having data
or losing them; making all recovery strategies impossible is not
a good idea.
Regards.
--
Roberto Ragusa mail at robertoragusa.it
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
