Create pureos-disk-encryption service
Closed, Resolved | Public

Description

At the moment, our initial (OEM) system setup is calling scripts to update the disk encryption password and perform other disk-encryption related tasks.
This is bad for security (passwords can show up in logs) and usability (actions block the UI, we could perform many longer-running tasks in the background).

Therefore, I intend to create a very small DBus-activated service to perform disk encryption jobs on PureOS. This thing will be very specific to the way we install PureOS OEM, so it doesn't make sense to make a generic project out of it.

mak created this task. Apr 5 2018, 9:49 PM
mak raised the priority of this task from "Normal" to "High". Nov 30 2018, 1:16 AM

This was actually pushed back too many times, and I should address this sooner - especially since there is other pending work on this module.

mak closed this task as "Resolved". Dec 6 2018, 9:49 PM

The helper script has now been split out into a new dbus-activated daemon. It's not the quality thing that I want yet, as the code needs some refactoring to work properly in an async way and the interface is quite crude, but it's good enough for a start.
See https://source.puri.sm/pureos/core/pureos-init-disk-crypto

This resolves a bunch of UI locking issues as well as the password being visible in (encrypted) logs. I also added a workaround for the swap path issue to ensure the system never fails to unlock swap on the first boot after initial setup.
