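--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
@@ -101,7 +101,7 @@
 
 This command performs four steps:
 
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
 2. Encrypts the new key with Clevis.
 3. Stores the Clevis JWE in the LUKS header.
 4. Enables the new key for use with LUKS.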
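--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
@@ -20,7 +20,7 @@
 
 This command performs four steps:
 
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
 2. Encrypts the new key with Clevis.
 3. Stores the Clevis JWE in the LUKS header.
 4. Enables the new key for use with LUKS.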
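--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
@@ -875,6 +875,7 @@
 [ -z "${DEV}" ] && return 1
 
 local dump filter bits
+local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
 dump=$(cryptsetup luksDump "${DEV}")
 if cryptsetup isLuks --type luks1 "${DEV}"; then
 filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -886,6 +887,9 @@
 fi
 
 bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+bits="${MAX_ENTROPY_BITS}"
+fi
 pwmake "${bits}"
 }
 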
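Review bot: The new comparison `if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then` in the second hunk runs before anything verifies that `bits` is a number: when the `sed` filter matches nothing (a luksDump in an unexpected format), `bits` is empty, the test prints an "integer expression expected" error, the `if` is skipped and the function still reaches `pwmake ""`. A guard such as `case "${bits}" in ''|*[!0-9]*) return 1 ;; esac` placed before the comparison would make the function fail the same way it already does for an empty `DEV`, instead of generating a key from a bogus length. The cap also deserves a why-comment, because the man pages still describe the key as having the same entropy as the master key; something like `# A master key longer than 256 bits (presumably aes-xts, two AES-256 halves) is capped: pwmake will not generate more, and AES-256 strength is kept -- confirm against pwmake's limit.` would make the trade-off visible to the next reader. The function whose body these hunks patch starts before the first hunk; the `}` in the second hunk closes it.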