fixup! initializer/cryptsetup: add setupEncryptedMount

edgelesssys · Jan 21, 2025 · 0ff8c32 · 0ff8c32
1 parent c462eb9
commit 0ff8c32
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/initializer/mount.go b/initializer/mount.go
@@ -16,6 +16,7 @@ import (
 	"strconv"
 	"strings"
 	"syscall"
+	"crypto/rand"
 
 	"github.com/edgelesssys/contrast/internal/logger"
 	"github.com/spf13/cobra"
@@ -225,7 +226,13 @@ func mkfsExt4(ctx context.Context, devName string) error {
 
 // createInitPassphrase creates a hardcoded string passphrase, to allow formatting the device to LUKS in order to get the UUID.
 func createInitPassphrase(pathToPassphrase string) (err error) {
-	err = os.WriteFile(pathToPassphrase, []byte("init_passphrase"), 0o644)
+	// The init_passphrase always has to be random to avoid reading LUKS header after initialization and extracting the master key.
+	initPassphrase := make([]byte, 32)
+	_, err = rand.Read(initPassphrase)
+	if err != nil {
+		return fmt.Errorf("Creating initial passphrase: %w", err)
+	}
+	err = os.WriteFile(pathToPassphrase, initPassphrase, 0o644)
 	if err != nil {
 		return fmt.Errorf("Writing initial passphrase: %w", err)
 	}