From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mbroz@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by mail.saout.de (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Thu, 15 Apr 2010 08:24:57 +0200 (CEST)
Received: from int-mx01.intmail.prod.int.phx2.redhat.com
	(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o3F6OtUv021922
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <dm-crypt@saout.de>; Thu, 15 Apr 2010 02:24:55 -0400
Received: from [10.36.4.110] (vpn1-4-110.ams2.redhat.com [10.36.4.110])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o3F6OrFV014479
	for <dm-crypt@saout.de>; Thu, 15 Apr 2010 02:24:54 -0400
Message-ID: <4BC6B136.6090503@redhat.com>
Date: Thu, 15 Apr 2010 08:24:54 +0200
From: Milan Broz <mbroz@redhat.com>
MIME-Version: 1.0
References: <t2g61722e191004120810q3b2a7a36q592cd1cf12790db@mail.gmail.com>	<20100412171540.GA3138@tansi.org>	<20100412175856.GA12353@fancy-poultry.org>	<20100413154850.GA19142@tansi.org>	<20100413193831.GA8772@fancy-poultry.org>	<4BC4CC14.6080408@redhat.com>	<v2q61722e191004140611zc1eb0076xe17b9fdf80b09594@mail.gmail.com>	<20100414153050.GA3966@tansi.org>
	<4BC60CB2.8030902@gmail.com> <20100414233054.GC9776@tansi.org>
In-Reply-To: <20100414233054.GC9776@tansi.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] avoid keyloggers: enter password with mouse	(virtual
 keyboard)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On 04/15/2010 01:30 AM, Arno Wagner wrote:
> What I do not see in the current cryptsetup though, is an 
> option to read the passphrase from stdin, file or named pipe. 
> That would be a reasonable extension IMO.

As mentioned in other mail, it can read passphrase from stdin,
also keyfile is supported.

But for these types of applications is better use libcryptsetup,
you can better control which buffer contain passphrase so you can
wipe it. Also locking of memory (avoid to swap out memory
with sensitive data) is better controlled through library then
in some shell script.

An example of code snip to open LUKS device is here
http://code.google.com/p/cryptsetup/issues/detail?id=58&can=1#c1

Milan