PureOS Tracker

Create pureos-disk-encryption service
Closed, Resolved (Public)

Description

At the moment, our initial (OEM) system setup is calling scripts to update the disk encryption password and perform other disk-encryption related tasks.
This is bad for security (passwords can show up in logs) and usability (actions block the UI, we could perform many longer-running tasks in the background).

Therefore, I intend to create a very small DBus-activated service to perform disk encryption jobs on PureOS. This thing will be very specific to the way we install PureOS OEM, so it doesn't make sense to make a generic project out of it.

Event Timeline

mak created this task. (Apr 5 2018, 14:49)
mak raised the priority of this task from Normal to High. (Nov 29 2018, 17:16)

This was actually pushed back too many times, and I should address this sooner - especially since there is other pending work on this module.

mak closed this task as Resolved. (Dec 6 2018, 13:49)

The helper script has now been split out into a new dbus-activated daemon. It's not the quality thing that I want yet, as the code needs some refactoring to work properly in an async way and the interface is quite crude, but it's good enough for a start.
See https://source.puri.sm/pureos/core/pureos-init-disk-crypto

This resolves a bunch of UI locking issues as well as the password being visible in (encrypted) logs. I also added a workaround for the swap path issue to ensure the system never fails to unlock swap on the first boot after initial setup.