# Password-free wallet under encrypted root?

## knifeyspoony

Hi,

My system has LUKS-encrypted swap and root file systems. For my convenience, I'd like kwallet to require no master password. Would it expose me to any extra risk? (I don't think kwallet (KDE 4.3.3) can use my cached login or LUKS passwords. Am I right?)

----------

## Hu

Any process which could connect to KWallet might be able to obtain passwords from it silently if you have no password on the wallet itself.  If you are confident that your system will not run such processes, you should be fine.  Passwords for LUKS are typically entered directly into the cryptsetup prompt, and would not be cached in KWallet.  After all, if your rootfs is inside a LUKS volume, how could KWallet be running to obtain the password to cache it?  I am not sure what you mean by your "cached login" password.

----------

## knifeyspoony

 *Quote:*   

> Passwords for LUKS are typically entered directly into the cryptsetup prompt, and would not be cached in KWallet. After all, if your rootfs is inside a LUKS volume, how could KWallet be running to obtain the password to cache it?

 

TrueCrypt is an open-source utility with an excellent reputation for its whole-disk encryption of Windows systems. TC's Windows userspace program is able to obtain my TC pre-boot system authentication passcode in order to automatically decrypt additional volumes I've created with the same passcode. The encryption driver and its passcode prompt are loaded before the OS is booted (i.e., before the userspace program could possibly be loaded), yet this kind of useful caching is possible. Isn't it reasonable to believe kwallet and LUKS could interact similarly?

 *Quote:*   

> I am not sure what you mean by your "cached login" password.

 

What I have in mind is for my wallet to be encrypted using a passcode that's the same as my PAM passcode, so that after I log in, my wallet could be opened without an interactive passcode prompt. I believe Gnome's keyring can do that.

 *Quote:*   

> Any process which could connect to KWallet might be able to obtain passwords from it silently if you have no password on the wallet itself. 

 

That's a good point, thanks. If no passcode means a program can access my wallet without my explicit approval, then I'm not sure I want it.

----------

## Hu

 *knifeyspoony wrote:*   

> *Quote:*
>
> > Passwords for LUKS are typically entered directly into the cryptsetup prompt, and would not be cached in KWallet. After all, if your rootfs is inside a LUKS volume, how could KWallet be running to obtain the password to cache it?
>
> TrueCrypt is an open-source utility with an excellent reputation for its whole-disk encryption of Windows systems. TC's Windows userspace program is able to obtain my TC pre-boot system authentication passcode in order to automatically decrypt additional volumes I've created with the same passcode. The encryption driver and its passcode prompt are loaded before the OS is booted (i.e., before the userspace program could possibly be loaded), yet this kind of useful caching is possible. Isn't it reasonable to believe kwallet and LUKS could interact similarly?

 Fair point.  TrueCrypt probably has some special call the Windows program can use to read the passcode from the disk encryption driver, or at least a call to let the user program request reuse of a cached passcode.  I am not aware of any equivalent feature in LUKS.

 *knifeyspoony wrote:*   

> *Quote:*
>
> > Any process which could connect to KWallet might be able to obtain passwords from it silently if you have no password on the wallet itself.
>
> That's a good point, thanks. If no passcode means a program can access my wallet without my explicit approval, then I'm not sure I want it.

 Research this before abandoning it.  It might be possible to configure KWallet to request approval, but not a specific password, before yielding its contents to other programs.  I believe ssh has a similar feature for its multiplexing support, due to similar concerns about unauthorized use.

----------

## knifeyspoony

It does still prompt me to allow or deny each program's request for access.

Thanks,

ks

----------

