On Wednesday, 19 September 2018 16:44:49 CEST Eric Blake wrote:
> On 9/19/18 5:37 AM, Pino Toscano wrote:
> > The majority of the tools have already options (--echo-keys &
> > --keys-from-stdin) to deal with LUKS credentials, although there is no
> > way to automatically provide credentials. --keys-from-stdin is
> > suboptimal, because it is an usable solution only when there is just one
>
> s/an/a/ (English is weird, the choice of 'a' or 'an' before a word
> beginning with 'u' depends on whether the pronunciation resembles soft
> 'uh' [an umbrella] or hard 'yoo' [a unicorn]).

Gahh... will fix, thanks.

> Rather dangerous, as an attacker reading /proc/NNN/cmdline can get at
> the actual key. But useful for testing.
[...]
We implement the same approach (i.e. a "selector") already for a number
of other options, for example:
* virt-builder/virt-customize --password
* virt-builder/virt-customize --root-password
* virt-builder/virt-customize --ssh-key
That said, using plain passwords/strings is mostly useful for testing
and/or local guests with no importance. In case something even more
secure is needed, we can always implement "fd" types in all the
selectors above (also in ones not related to secrets, like
--machine-readable) -- for example:
    virt-customize --root-password fd:5 ...
Might this qualify as a possible solution?
--
Pino Toscano
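
Added example, not part of the original message and not libguestfs code: a Python sketch of the difference discussed above between a secret passed inside a `password:STRING` selector, where it sits in the child's argv (the data `/proc/NNN/cmdline` exposes), and the proposed `fd:N` form, where argv carries only a descriptor number. The names `resolve_secret` and `launch` and the sample key are constructed for illustration.

```python
import os
import subprocess
import sys

def resolve_secret(selector):
    """Turn a 'password:STRING' or 'fd:N' selector into the secret itself."""
    kind, sep, value = selector.partition(":")
    if not sep:
        raise ValueError("selector must look like KIND:VALUE")
    if kind == "password":
        return value                      # the secret travelled in argv
    if kind == "fd":
        # Read to EOF from the inherited descriptor, then close it.
        with os.fdopen(int(value), "r") as stream:
            return stream.read().rstrip("\n")
    raise ValueError(f"unsupported selector type: {kind!r}")

def launch(secret, via_fd):
    """Run a child that resolves the selector; return (child argv, secret it got)."""
    if not via_fd:
        argv = [sys.executable, __file__, "--child", f"password:{secret}"]
        out = subprocess.run(argv, capture_output=True, text=True, check=True)
        return argv, out.stdout.rstrip("\n")
    read_end, write_end = os.pipe()
    # pass_fds keeps read_end open under the same number in the child.
    argv = [sys.executable, __file__, "--child", f"fd:{read_end}"]
    child = subprocess.Popen(argv, pass_fds=(read_end,),
                             stdout=subprocess.PIPE, text=True)
    os.close(read_end)                    # parent keeps only the write side
    with os.fdopen(write_end, "w") as stream:
        stream.write(secret + "\n")       # closing signals EOF to the child
    stdout, _ = child.communicate()
    return argv, stdout.rstrip("\n")

if __name__ == "__main__":
    if sys.argv[1:2] == ["--child"]:
        # Child role: echo the resolved secret so the parent can compare it.
        print(resolve_secret(sys.argv[2]))
    else:
        key = "constructed-sample-key"    # constructed sample value
        for via_fd in (False, True):
            argv, got = launch(key, via_fd)
            in_argv = any(key in arg for arg in argv)
            print(f"via_fd={via_fd}: in argv={in_argv}, delivered={got == key}")
```

The child prints the secret only so the parent can confirm delivery; a real tool would consume it and never echo it.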