Make initramfs-linux.img not global readable if it contains a luks decryption key
Hey,
if we encrypt the disk with luks, the initramfs-linux.img contains a key to decrypt the luks volume without the need of entering the password for a second time. The problem is that /boot/initramfs-linux.img can be read by anyone. This is done here. As an improvement we could make initramfs files not global readable. Here is an example of how to do it on Debian:
root@debian:~# echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf
Unfortunately it didn't work for me echoing the umask to /etc/mkinitcpio.conf.
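A check for the condition this report describes, added here as an example and not part of the original post or of any project's code: it lists initramfs images that group or others can access and can tighten them to owner-only. The function names and the demo directory are assumptions; the Debian-style `initrd.img-*` pattern is included alongside the `initramfs-*.img` name from the report.

```sh
#!/bin/sh
# Added example (not from the original post): find initramfs images in a boot
# directory that group or others can access, and optionally tighten them.

# list_open_initramfs DIR
# Prints the path of every initramfs image in DIR with any group/other bit set.
list_open_initramfs() {
    for img in "$1"/initramfs-*.img "$1"/initrd.img-*; do
        [ -f "$img" ] || continue   # unmatched glob or not a regular file
        # Characters 5-10 of the ls mode string are the group and other bits.
        go_bits=$(ls -ld "$img" | cut -c5-10)
        [ "$go_bits" = "------" ] || printf '%s\n' "$img"
    done
}

# tighten_initramfs DIR
# Sets every too-open image to owner-only (0600). Returns non-zero if any
# image is still too open afterwards (for example because chmod failed).
tighten_initramfs() {
    list_open_initramfs "$1" | while IFS= read -r img; do
        chmod 600 "$img"
    done
    [ -z "$(list_open_initramfs "$1")" ]
}

# Demo on a constructed directory, so nothing under the real /boot is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/initramfs-linux.img"
chmod 644 "$demo_dir/initramfs-linux.img"
: > "$demo_dir/initramfs-linux-fallback.img"
chmod 600 "$demo_dir/initramfs-linux-fallback.img"
echo "too open before:"
list_open_initramfs "$demo_dir"
tighten_initramfs "$demo_dir" && echo "all images are now owner-only"
rm -rf "$demo_dir"
```

To audit a real system, call `list_open_initramfs /boot` as root. A chmod only affects the existing file, so repeat the check after the image is regenerated.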