Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add silent fail feature #85

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add silent fail feature #85

wants to merge 3 commits into from

Conversation

dramm33
Copy link
Contributor

@dramm33 dramm33 commented Sep 1, 2021

As per #68, I added an option to auto-skip unlock.

I called it "silent fail" since I lack a better name for it.
It's not really silent since it still outputs that decryption was tried and skipped.

@dramm33
Update ykfde.conf
b9e07fd 
Add silent fail option.
@dramm33
Update ykfde
874a38a 
Add silent fail logic
@dramm33
Update ykfde.conf
c42f36e 
Default without silent fail,
@Vincent43
Copy link
Collaborator

Vincent43 commented Sep 1, 2021
edited
Loading

I'm bit skeptical about adding this as it may be too uncommon usecase while I'm trying to limit number of settings in order to make code simpler. Do you ever need to unlock this partition at boot? If not then you may just remove ykfde hook from initramfs and unlock it later with ykfde-open if needed.

@dramm33
Copy link
Contributor Author

dramm33 commented Sep 2, 2021

I'm using ykfde to unlock a fully encrypted disk (which doesn't have OS/boot files).

That being said, the files on the disk are accessed by some system services, which means unlocking it at login isn't an option.

The main advantage I see when using the hook is that when I don't want the drive unlocked, I just need to remove the Yubikey before starting the computer. And if I need to use the Yubikey for some other authentication later, I can just plug it in without worrying about having the drive accidentally unlocked.

As for being too uncommon, I guess it depends whether or not you want to consider computers with multiple drives or not. I agree that it doesn't make sense for something like a laptop with only one fully encrypted disk.

@Vincent43
Copy link
Collaborator

I think what's uncommon in your setup is not multiple drives used but the fact that OS data is unencrypted which doesn't follow Full disk encryption concept for which this project was dedicated (as the name of it tells).

@dramm33
Copy link
Contributor Author

dramm33 commented Sep 2, 2021

Yeah, I will eventually encrypt the OS disk as well. But I'm postponing since I will still need to keep the other disk on a different level of security. So I'd need to use two yubikeys (one for OS disk and the other for protected data disk).

Since the computer is on most of the time, having everything under one encryption would mean keeping unnecessary data unencrypted all the time. Which I'm not a big fan of.

Anyway, I digress. Feel free to close the request.

@agherzan
Copy link
Owner

agherzan commented Sep 3, 2021

I see @Vincent43 's point on added complexity for an uncommon use-case. I find your setup very custom and I'm not sure if we have more people that would use something similar. I'd say to park this for a while and wait for feedback on the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dramm33 @Vincent43 @agherzan