Conversation
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
tlaurion
left a comment
tlaurion
left a comment
There was a problem hiding this comment.
@UndeadDevel reviewed!
initrd/etc/luks-functions
Outdated
| fi | ||
| echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase | ||
| #make secrets disappear from screen as reencryption can take a long time (we show these to the user again later in whiptail anyway) | ||
| printf "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" |
There was a problem hiding this comment.
Please use "clear" or "reset" instead, provided by busybox. Clear being enough
There was a problem hiding this comment.
On NK Heads 2.1 neither clear nor reset are on the PATH. Will all new versions include it? If so, I will change this.
There was a problem hiding this comment.
Damnit.
2.1 nitrokey doesn't include it
https://github.com/Nitrokey/heads/blob/f7019e80af3549fb38a5f661534b851a7bf9404f/config/busybox.config#L364
There was a problem hiding this comment.
jup, noted - we'll include it
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
This reverts commit ee6f299. Will communicate to the user the need to update checksums instead. Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
|
Okay so I fixed The other issue I'm not touching beyond adding a message to the user as per my alternative suggestion in #1538. The reason is that too much would have to be refactored in order not to make UX worse (e.g. by having user enter the same new passphrase multiple times) and I can't test anything that involves TPM DUK functionality. |
|
@UndeadDevel please update op comment to reflect actual state of PR. I will test in next following days |
|
Done. |
|
Need to test but LGTM |
|
Was included as part of #1541. Closing |
3 participants
Fixes #1538
With the first commit, which addresses point 1 in #1538:
luks_reencryptfunction (superfluous else clause with no unique code)clearto theluks_reencryptfunction to hide the new secrets as re-encryption starts to avoid having the secrets stuck on the screen in plaintext. Since Use a wider window to show the secrets #1543 fixed the final secrets whiptail window, it's appropriate to remove the secrets from screen for the potentially long re-encryption process so that people aren't stuck trying to cover their screen for an hour or more if they are not physically isolated.This PR also addresses point 2 in #1538, using the alternative solution suggested there, namely it informs the user that after a passphrase change or re-encryption the checksums need to be updated and the TPM resealed, if applicable, thus giving pointers to an inexperienced user, who may be wondering why the default boot fails after using the separate "change passphrase" or "re-encrypt LUKS container" functions.