[Libguestfs] [PATCH 2/2] Introduce a --key option in tools that accept keys

Pino Toscano ptoscano at redhat.com
Thu Sep 20 15:19:14 UTC 2018


On Wednesday, 19 September 2018 16:44:49 CEST Eric Blake wrote:
> On 9/19/18 5:37 AM, Pino Toscano wrote:
> > The majority of the tools already have options (--echo-keys &
> > --keys-from-stdin) to deal with LUKS credentials, although there is no
> > way to automatically provide credentials.  --keys-from-stdin is
> > suboptimal, because it is an usable solution only when there is just one
> 
> s/an/a/ (English is weird, the choice of 'a' or 'an' before a word 
> beginning with 'u' depends on whether the pronunciation resembles soft 
> 'uh' [an umbrella] or hard 'yoo' [a unicorn]).

Gahh... will fix, thanks.

> Rather dangerous, as an attacker reading /proc/NNN/cmdline can get at 
> the actual key. But useful for testing.
> [...]

We implement the same approach (i.e. a "selector") already for a number
of other options, for example:
* virt-builder/virt-customize --password
* virt-builder/virt-customize --root-password
* virt-builder/virt-customize --ssh-key

That said, using plain passwords/strings is mostly useful for testing
and/or local guests with no importance.  In case something even more
secure is needed, we can always implement "fd" types in all the
selectors above (also in ones not related to secrets, like
--machine-readable) -- for example:

  virt-customize --root-password fd:5 ...

Might this qualify as a possible solution?

-- 
Pino Toscano
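A sketch of the "fd:N" selector type proposed above, added here as an example rather than libguestfs's own code: the selector grammar (plain value, file:PATH, fd:N), the function names and the constructed key file are assumptions, and the cmdline check needs a Linux /proc.

```shell
#!/bin/sh
# Added example, not libguestfs code: a sketch of the "fd:N" selector type
# discussed in the thread, next to the plain-string form. The selector
# grammar (plain value, file:PATH, fd:N) is assumed for illustration.

# Resolve a selector to the secret it designates and print it on stdout.
read_secret_selector() {
    sel=$1
    case $sel in
        fd:*)
            # Read the secret from an already-open descriptor the caller
            # handed us; nothing about it appears in our argv.
            fd=${sel#fd:}
            secret=$(cat <&"$fd") || return 1
            ;;
        file:*)
            secret=$(cat -- "${sel#file:}") || return 1
            ;;
        *)
            # Plain value: it sits in /proc/PID/cmdline for the tool's lifetime.
            secret=$sel
            ;;
    esac
    printf '%s' "$secret"
}

# Return 0 if SECRET is visible in the argv of a child process that was
# given it as a plain argument, 1 if not, 2 if /proc is unavailable.
secret_in_cmdline() {
    secret=$1
    [ -r /proc/self/cmdline ] || return 2
    sh -c 'tr "\0" "\n" < /proc/self/cmdline' sh --root-password "$secret" \
        | grep -qxF -- "$secret"
}

# Constructed demo: feed a temporary key file on fd 5, as a caller would
# with "virt-customize --root-password fd:5 5< keyfile" (assumed syntax).
demo_fd_selector() {
    tmp=$(mktemp) || return 1
    printf 's3cret\n' > "$tmp"
    key=$(read_secret_selector fd:5 5< "$tmp")
    rm -f -- "$tmp"
    printf '%s' "$key"
}
```

With the fd form the key never enters argv, so a reader of /proc/PID/cmdline sees only "fd:5"; with the plain form the same reader sees the key itself.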