authorCorey Hinshaw2018-10-10 20:57:59 -0400
committerCorey Hinshaw2018-10-10 20:57:59 -0400
commitc63b4650d320be9c3b247c130fbe39aa9ae66170 (patch)
tree080630b4410fb0937809903fd4265f24b5355c30
parent1828f7ab7edddea75345fbe4a78942cefecd8325 (diff)
Securely remove keyfile from memory
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD4
-rw-r--r--hook_tpm27
3 files changed, 9 insertions, 6 deletions
diff --git a/.SRCINFO b/.SRCINFO
index ea984aa1a56c..e8800647b4e6 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = mkinitcpio-tpm2-encrypt
pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.1
+ pkgver = 1.2
pkgrel = 1
url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
arch = any
@@ -11,7 +11,7 @@ pkgbase = mkinitcpio-tpm2-encrypt
source = hook_tpm2
source = README.md
sha256sums = baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554
- sha256sums = e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915
+ sha256sums = 93f1fb0ac7539480d434ee76ccbef1f0953e15d6700be8be67273c5bfaeb79dd
sha256sums = 153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51
pkgname = mkinitcpio-tpm2-encrypt
diff --git a/PKGBUILD b/PKGBUILD
index 0120aa6dc27c..3928dfd962cd 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.1
+pkgver=1.2
pkgrel=1
pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
@@ -12,7 +12,7 @@ source=('install_tpm2'
'hook_tpm2'
'README.md')
sha256sums=('baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554'
- 'e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915'
+ '93f1fb0ac7539480d434ee76ccbef1f0953e15d6700be8be67273c5bfaeb79dd'
'153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51')
package() {
diff --git a/hook_tpm2 b/hook_tpm2
index d19eb5e7e3bd..53380262a39b 100644
--- a/hook_tpm2
+++ b/hook_tpm2
@@ -171,8 +171,11 @@ EOF
}
run_cleanuphook() {
- # Remove key if still present
- rm -f "$ckeyfile"
+ # Securely delete key if still present
+ if [ -f "$ckeyfile" ]; then
+ dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc 2>&1 >/dev/null
+ rm -f "$ckeyfile"
+ fi
}
# vim: set ft=sh ts=4 sw=4 et:
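Review bot: On the new `dd` line the redirections are in the wrong order: `2>&1 >/dev/null` points stderr at the original stdout and only then discards stdout, so dd's records-in/out summary (written to stderr) still reaches the console while stdout, which dd does not use, is what gets silenced. If the intent is to drop the transfer summary but keep real errors visible, `dd if=/dev/urandom of="$ckeyfile" bs="$(stat -c %s "$ckeyfile")" count=1 conv=notrunc status=none` does that; if GNU dd is not guaranteed in early userspace, `>/dev/null 2>&1` at least gets the order right. `stat --printf` is GNU-specific, so confirm that the initramfs ships coreutils rather than busybox for this line to run at all (`-c %s` is accepted by both). A zero-length `$ckeyfile` yields `bs=0`, which dd rejects; that is harmless here only because the following `rm -f` still runs.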